kinotto / geonames.js

Nodejs and Browser client for Geonames.org REST API :earth_africa:
http://www.geonames.org/export/client-libraries.html
MIT License
88 stars, 17 forks

Vulnerability issues #2

Closed pasqLisena closed 6 years ago

pasqLisena commented 6 years ago

Hello, in my project I have some vulnerabilities that depend on your library (see logs below).

They depend on the use of an old version of the hawk library imported by request. They already solved the problem because, since version 2.87, request uses a local implementation of hawk.

I see that you recently downgraded request to 2.81. Why this downgrade? Any chance to upgrade to 2.87 and solve the vulnerability issue?


Logs coming from npm audit:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ geonames.js                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ geonames.js > request > hawk > boom > hoek                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ geonames.js                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ geonames.js > request > hawk > cryptiles > boom > hoek       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ geonames.js                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ geonames.js > request > hawk > hoek                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ geonames.js                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ geonames.js > request > hawk > sntp > hoek                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
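The audit entries above all point at the same bug class, prototype pollution, reached through a deep-merge style routine. The following is an added illustration (not code from geonames.js, request or hoek, and not the advisory's exact code): a simplified recursive merge that blindly copies keys, beside a hardened version that refuses the keys through which an untrusted JSON document can reach `Object.prototype`.

```javascript
// Added example: simplified vulnerable merge vs. hardened merge.
// This is not hoek's implementation; it mirrors the bug class (prototype
// pollution via a recursive merge) that the npm audit entries above report.

// Vulnerable pattern: every own key of `source` is walked, including a key
// literally named "__proto__", so target["__proto__"] (Object.prototype)
// becomes the merge target and attacker-controlled values land on it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip the keys that can reach the prototype chain and only
// descend into properties the target itself owns, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input: JSON.parse creates an OWN property named "__proto__",
// which is exactly what a merge that trusts Object.keys() will walk into.
const SAMPLE_JSON = '{"__proto__": {"polluted": true}, "a": {"b": 1}}';

function demoUnsafe() {
  unsafeMerge({}, JSON.parse(SAMPLE_JSON));
  const leaked = ({}).polluted === true;   // an unrelated object now "has" polluted
  delete Object.prototype.polluted;        // undo the pollution so later code is clean
  return leaked;                           // true: the merge reached Object.prototype
}

function demoSafe() {
  const out = safeMerge({}, JSON.parse(SAMPLE_JSON));
  return { leaked: ({}).polluted === true, merged: out.a.b }; // { leaked: false, merged: 1 }
}
```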
kinotto commented 6 years ago

Hi @pasqLisena, thanks for the detailed question. As you pointed out, a few weeks ago I updated the library because I was having some troubles with the continuous integration on Travis, most likely related to that vulnerability issue on hawk, apparently a quite common problem, that was preventing the build from passing. That's why I locked the library (<2.81) to a version that didn't raise the problem. The last version (2.87), thanks for your suggestion, is working fine; no error has been raised by Travis.

I've just made a new release. Thanks :)

pasqLisena commented 6 years ago

Thanks @kinotto, I confirm that all the security problems are now fixed 👍

kinotto commented 6 years ago

great @pasqLisena 👍