nodejs / readable-stream

Node-core streams for userland
https://nodejs.org/api/stream.html

Facing component Governance issue #468

Closed RajaThomas closed 2 years ago

RajaThomas commented 2 years ago

Security Review (CST-E) This module is a mirror of the Node built-in StringDecoder object, and should only be used when operating on a very old version of Node or within a web-browser context. In addition, this object does not zero out memory before returning it, so it risks information disclosure.

Upgrade to an unaffected version of this component or read the review content to better understand your exposure.

package-lock.json

"readable-stream": {
    "version": "2.3.7",
    "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.7.tgz",
    "integrity": "sha512-Ebho8K4jIbHAxnuxi7o42OrZgF/ZTNcsZj6nRKyUmkhLFq8CHItp/fy6hQZuZmP/n3yZ9VBUbp4zz/mX8hmYPw==",
    "dev": true,
    "requires": {
        "core-util-is": "~1.0.0",
        "inherits": "~2.0.3",
        "isarray": "~1.0.0",
        "process-nextick-args": "~2.0.0",
        "safe-buffer": "~5.1.1",
        "string_decoder": "~1.1.1",
        "util-deprecate": "~1.0.1"
    }
},

string_decoder latest version is 1.3.0

Please upgrade one of the dependencies (string_decoder) to the latest version to resolve the issue.
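The report above is about which copy of string_decoder the lockfile actually installs under readable-stream, which a lockfile v1 only shows through its nested "dependencies" entries (the "requires" block lists ranges, not installed versions). The script below is an added example, not code from the readable-stream project or from anyone in this thread: it walks a lockfile v1 tree, lists every installed copy of a package with the parent chain that pulled it in, and flags copies below a minimum version. The lockfile object it uses is constructed for the demo, modelled on the snippet in the comment.

```javascript
// Added example (not part of readable-stream): audit a package-lock.json v1
// tree for every installed copy of a package and flag outdated ones.
// SAMPLE_LOCK is constructed for this demo; readable-stream 2.3.7 pins
// string_decoder ~1.1.1, so a nested 1.1.1 copy sits beside a top-level 1.3.0.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'readable-stream': {
      version: '2.3.7',
      dev: true,
      requires: { string_decoder: '~1.1.1', 'safe-buffer': '~5.1.1' },
      // Nested copy: readable-stream's own string_decoder, separate from the root one.
      dependencies: {
        string_decoder: { version: '1.1.1', dev: true, requires: { 'safe-buffer': '~5.1.1' } },
      },
    },
    string_decoder: { version: '1.3.0', requires: { 'safe-buffer': '~5.2.0' } },
    'safe-buffer': { version: '5.2.1' },
  },
};

// Compare two dotted numeric versions (major.minor.patch); prerelease tags
// are not handled, which is enough for the lockfile entries shown here.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Recursively walk the lockfile v1 "dependencies" tree and collect every
// installed copy of `name`, recording the chain of parents that nests it.
function findInstalled(lock, name) {
  const hits = [];
  function walk(deps, path) {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const here = [...path, depName];
      if (depName === name) {
        hits.push({ version: entry.version, path: here.join(' > ') });
      }
      walk(entry.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Mark each installed copy as outdated if it is below `minVersion`.
function auditPackage(lock, name, minVersion) {
  return findInstalled(lock, name).map((hit) => ({
    ...hit,
    outdated: compareVersions(hit.version, minVersion) < 0,
  }));
}

// Usage: report every string_decoder copy and which ones are below 1.3.0.
for (const hit of auditPackage(SAMPLE_LOCK, 'string_decoder', '1.3.0')) {
  console.log(`${hit.path}@${hit.version}${hit.outdated ? '  <-- below minimum' : ''}`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the parent chain in each hit tells you which direct dependency has to be upgraded for the nested copy to go away, which is the question this thread turns on.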

RajaThomas commented 2 years ago

Please provide clarification, thank you.

RajaThomas commented 2 years ago

@mcollina

mcollina commented 2 years ago

What clarification do you need? readable-stream is at version 3.x while you are using 2.x. You should update it.

RajaThomas commented 2 years ago

@mcollina, check the latest version of the package.json file; there the string_decoder version is 1.1.1.

benjamingr commented 2 years ago

@RajaThomas I don't know what you want from Matteo. This looks like an issue with your governance checks.

The whole point of this module is to make readable-stream usable in old versions of node and browsers.

If you want help with something relating to your company rather than the actual open source code, whose impact for people not dealing with these governance checks is 0, your recourse is: