mozilla-lockwise / lockbox-extension

Experimental Firefox extension for login management experiences, not being actively developed
Mozilla Public License 2.0
127 stars 26 forks

update node-jose and lockbox-datastore to latest #703

Closed linuxwolf closed 6 years ago

linuxwolf commented 6 years ago

@jimporter locally, I get an nsp check error for lodash@4.11.1 (via redux@3.7.2).

linuxwolf commented 6 years ago

@mozilla-lockbox/desktop-engineering

I thought this had updated lockbox-datastore, but it alas did not.

Updating it is introducing a number of nsp check warnings, but they all look invalid (complaining about old hoek, which is a dev dependency of joi). Since nsp is now in obsolescence, a fix is not forthcoming.

I feel confident in the production dependencies herein, but not sure what the rest of you all would want to do.

linuxwolf commented 6 years ago

more info ...

Running nsp check results in the following:

(+) 2 vulnerabilities found
┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Prototype pollution attack                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ hoek                                                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 4 (Medium)                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 2.16.3                                                             │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ lockbox@0.1.9-alpha > lockbox-datastore@0.2.1 > joi@13.3.0 >       │
│            │ hoek@2.16.3                                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/566                             │
└────────────┴────────────────────────────────────────────────────────────────────┘

┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Prototype pollution attack                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ hoek                                                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 4 (Medium)                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 2.16.3                                                             │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ lockbox@0.1.9-alpha > lockbox-datastore@0.2.1 > joi@13.3.0 >       │
│            │ topo@1.1.0 > hoek@2.16.3                                           │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/566                             │
└────────────┴────────────────────────────────────────────────────────────────────┘

However, the production dependency on hoek resolves to version 5.0.3 (lockbox-datastore@0.2.1 -> joi@13.3.0 -> hoek@5.0.3).

As much as I'd rather not, at this point I think we might have to disable nsp check ...

linuxwolf commented 6 years ago

@mozilla-lockbox/desktop-engineering (@devinreams) This latest update still runs nsp check but ignores its return code and lets things continue. Not what we'd really want, gets us over this hump. Will need to follow up with updates to those upstream dependencies as appropriate.