louischatriot / nedb

The JavaScript Database, for Node.js, nw.js, electron and the browser
MIT License
13.49k stars 1.03k forks

Dependencies with vulnerabilities #526

Open rahul-desai3 opened 7 years ago

rahul-desai3 commented 7 years ago

I have been testing out my project for security vulnerabilities using the NPM module "retire" (https://www.npmjs.com/package/retire). Below are the 2 security vulnerabilities reported by retire:

node_modules/nedb/browser-version/test/jquery.min.js
 ↳ jquery 1.11.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
node_modules/nedb/node_modules/localforage/docs/scripts/jquery.min.js
 ↳ jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/

Note: I am using NeDB v1.8.0

JamesMGreene commented 7 years ago

Interesting to see, thanks for sharing!

That said, as far as risk goes, there is zero here from a consumer standpoint since neither of those are included in the NeDB module/library itself. To address them specifically:

rahul-desai3 commented 7 years ago

@JamesMGreene Thank you for your response. Looks like nestdb is not in the NPM registry anymore.

This is what I am getting while trying to install:

$ npm install nestdb --save
npm ERR! Darwin 16.7.0
npm ERR! argv "/**/**/.nvm/versions/node/v0.12.7/bin/node" "/**/**/.nvm/versions/node/v0.12.7/bin/npm" "install" "nestdb" "--save"
npm ERR! node v0.12.7
npm ERR! npm  v2.11.3
npm ERR! code E404

npm ERR! 404 Registry returned 404 for GET on https://registry.npmjs.org/nestdb
npm ERR! 404 
npm ERR! 404 'nestdb' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 It was specified as a dependency of 'edm'
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

npm ERR! Please include the following file with any support request:
npm ERR!     /**/**/test/npm-debug.log

JamesMGreene commented 7 years ago

My bad, I haven't published it yet as I'm aiming to address one particular critical issue [inherited from NeDB] before releasing its first version: https://github.com/JamesMGreene/nestdb/issues/6

I was hoping to wrap that up a week ago but got sidelined with other work.

rahul-desai3 commented 6 years ago

@JamesMGreene Can you please upgrade the dependency localforage to higher version? They have fixed the issue that I reported: https://github.com/localForage/localForage/issues/737