nodejs / import-in-the-middle

Like `require-in-the-middle`, but for ESM import
https://www.npmjs.com/package/import-in-the-middle
Apache License 2.0

Using outdated dependency flags dependency confusion attack [PR available] #71

Open jackwhelpton opened 7 months ago

jackwhelpton commented 7 months ago

Expected Behavior

Prior to v1.9.0, acorn-import-attributes (then called acorn-import-assertions) used an implicit/not fully qualified reference to a dependency (test262).

This causes security scanning tools to flag a possible dependency confusion attack.

Actual Behavior

No security warning

Steps to Reproduce the Problem

  1. Run security scan (e.g. Orca) on code using this repo

Specifications
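The check that a scanner like the one mentioned above performs, as an added example (this is not code from the issue, from import-in-the-middle, or from acorn-import-attributes): walk an npm lockfile and flag every dependency whose reference is not fully qualified, that is, not pinned to a URL on the expected registry with an integrity hash. A name-only or git reference is what gets reported as a possible dependency confusion, because the same name can be satisfied by a different source than the author intended. The lockfile below is constructed for the example, and `TRUSTED_REGISTRY` is an assumed policy, not anything the project configures.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" shape) for
// dependency references that are not fully qualified.
// Constructed sample data; TRUSTED_REGISTRY is an assumed policy.

const TRUSTED_REGISTRY = 'https://registry.npmjs.org/';

// Classify one lockfile entry. Returns null when the entry is fully
// qualified (registry URL on the trusted host plus an integrity hash),
// otherwise a short reason a reviewer can act on.
function classifyEntry(path, entry) {
  if (path === '') return null;        // the root project itself
  if (entry.link) return null;         // workspace symlink, nothing is fetched
  if (!entry.resolved) return 'no resolved URL: fetched by name only';

  let url;
  try {
    url = new URL(entry.resolved);
  } catch {
    return `unparseable resolved URL ${entry.resolved}`;
  }
  if (url.protocol.startsWith('git')) {
    return `git reference ${entry.resolved}: the ref can move`;
  }
  if (!entry.resolved.startsWith(TRUSTED_REGISTRY)) {
    return `resolved from untrusted host ${url.host}`;
  }
  if (!entry.integrity) return 'no integrity hash: contents not pinned';
  return null;
}

// Walk every package entry and collect findings as {name, reason}.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const reason = classifyEntry(path, entry);
    if (reason) {
      findings.push({ name: path.replace(/^.*node_modules\//, ''), reason });
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
// Integrity values are placeholders; only their presence is checked.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/acorn': {
      version: '8.11.3',
      resolved: 'https://registry.npmjs.org/acorn/-/acorn-8.11.3.tgz',
      integrity: 'sha512-constructed-placeholder',
    },
    'node_modules/test262': {
      version: '0.0.0',
      resolved: 'git+ssh://git@github.com/tc39/test262.git#abc123',
    },
    'node_modules/internal-utils': {
      version: '1.2.0',
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://npm.example-mirror.internal/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-constructed-placeholder',
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    console.log(`${f.name}: ${f.reason}`);
  }
}
```

Run against a real project with `auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; any non-empty result is worth a look before the next install, and the git-reference case is exactly the shape that produces a scanner warning even when the code is benign.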

jackwhelpton commented 7 months ago

I've raised a PR https://github.com/DataDog/import-in-the-middle/pull/70 that should resolve this; let me know what it would take to get this merged. My first contribution to this repo, so be gentle/let me know if edits are required.

trentm commented 6 months ago

Now that #70 is merged and 1.7.4 is released, I believe this can be closed?