loggly / node-loggly-bulk

A client implementation for Loggly in node.js
https://www.loggly.com/docs/node-js-logs/

Dependency vulnerability in stringstream v0.0.5 #38

Closed spencern closed 6 years ago

spencern commented 6 years ago

Issue

Snyk has flagged stringstream v0.0.5 as a security vulnerability.

Affected versions of this package are vulnerable to Uninitialized Memory Exposure. An attacker could extract sensitive data from uninitialized memory or cause a DoS by passing in a large number, in setups where typed user input can be passed to the stream (e.g. from JSON).

https://snyk.io/vuln/npm:stringstream:20180511

Remediation

Upgrade stringstream to version 0.0.6 or higher.

It appears that this vulnerability is pulled in via request v2.83.0. request v2.86.0 and higher do not include this dependency.
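A scriptable version of the check discussed in this issue, added here as an example (not code from node-loggly-bulk or from the commenters): it walks an `npm ls --json`-shaped dependency tree and reports every path that reaches a stringstream below 0.0.6, so the request-version difference can be verified without a screenshot. The two trees are constructed, and the node-loggly-bulk version in them is a placeholder.

```javascript
// Added example (not part of node-loggly-bulk): find every dependency path in an
// `npm ls --json`-style tree that reaches a vulnerable stringstream (< 0.0.6,
// the range Snyk flagged for uninitialized memory exposure).

// Split "a.b.c" into numeric parts; non-numeric parts count as 0.
function parseVersion(v) {
  return v.split('.').map((n) => parseInt(n, 10) || 0);
}

// true when version `a` is strictly lower than `b` (numeric semver, no prerelease)
function versionLessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Recursively collect "pkg@ver > pkg@ver > ..." paths to `pkgName` below `fixedVersion`.
function findVulnerablePaths(tree, pkgName, fixedVersion, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = path.concat(`${name}@${node.version}`);
    if (name === pkgName && versionLessThan(node.version, fixedVersion)) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerablePaths(node, pkgName, fixedVersion, here));
  }
  return hits;
}

// Constructed sample trees mirroring the issue: request 2.83.0 pulls in
// stringstream 0.0.5; request 2.87.0 does not. Version 0.0.0 is a placeholder.
const treeWithOldRequest = {
  name: 'app', version: '0.0.0',
  dependencies: {
    'node-loggly-bulk': {
      version: '0.0.0',
      dependencies: {
        request: { version: '2.83.0', dependencies: { stringstream: { version: '0.0.5' } } },
      },
    },
  },
};
const treeWithNewRequest = {
  name: 'app', version: '0.0.0',
  dependencies: {
    'node-loggly-bulk': { version: '0.0.0', dependencies: { request: { version: '2.87.0' } } },
  },
};

console.log(findVulnerablePaths(treeWithOldRequest, 'stringstream', '0.0.6'));
```

To run it against a real project, replace the constructed trees with `JSON.parse` of `npm ls --json` output.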

Shwetajain148 commented 6 years ago

Hi @spencern, currently I'm busy with some ongoing issues, but I'll certainly pick this up once I get some time.

Thanks for reporting.

Shwetajain148 commented 6 years ago

Hi @spencern, so I looked at this issue and could see that request is already at v2.87.0, which doesn't include the stringstream dependency. Please see the screenshot below:

[screenshot: npm list output]

From the comment here, I checked on nodejs v4.x (see above screenshot); there is still no stringstream dependency.

To confirm further, I also verified with NSP for any vulnerability, but there was not any. See another screenshot below:

[screenshot: nsp output]

Can you please check once again or share more information so that I can reproduce?

spencern commented 6 years ago

This vulnerability is no longer reported via snyk at this point either. I think we can close. Thank you for checking into it.

Shwetajain148 commented 6 years ago

Great @spencern.