postmanlabs / newman

Newman is a command-line collection runner for Postman
https://www.postman.com
Apache License 2.0
6.86k stars 1.16k forks

jose dependency is vulnerable moderate #3238

Open filoucrackeur opened 3 months ago

filoucrackeur commented 3 months ago

Hello,

yarn audit shows this output: the jose dependency is vulnerable. Is it possible to upgrade or replace it?

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ jose vulnerable to resource exhaustion via specifically      │
│               │ crafted JWE with compressed plaintext                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jose                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.15.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ newman                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ newman > postman-runtime > jose                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1096835                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

thetumper commented 2 months ago

https://github.com/advisories/GHSA-hhhv-q57g-882q

lucas-implanta commented 1 month ago

Do we have news here? It's annoying to manually set overrides while using newman cli in our project.

maicodio commented 1 week ago

We can work around it by using version 6.2.0 of newman. It uses postman-runtime@7.41.2, which uses jose@5.6.3, which doesn't have the vulnerability.
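The audit table in the opening post and the override workaround mentioned in the thread both come down to one check: does any path in the installed tree reach a jose below the patched floor the advisory gives (>=4.15.5)? The script below is an added example, not code from the newman project or from anyone in this thread. It walks a dependency tree in the shape `npm ls --json` produces, reports every path that ends at a jose version below that floor, and builds the `overrides` (npm) / `resolutions` (yarn classic) entry a project would pin until the transitive dependency is bumped upstream. The tree itself is constructed for illustration; only the jose floor (4.15.5) and the patched jose 5.6.3 reached through newman 6.2.0 come from the thread.

```javascript
// Added example (not part of newman or postman-runtime).
// Finds transitive jose versions below the advisory's patched floor and builds
// the package.json pin a project can carry until the upstream dependency moves.

const PATCHED_JOSE = '4.15.5'; // "Patched in >=4.15.5" from the yarn audit table in the issue

// Parse the leading MAJOR.MINOR.PATCH of a version string; pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator semantics: -1 if a < b, 0 if equal, 1 if a > b (numeric, not lexical).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A jose version is affected if it is below the patched floor stated in the advisory.
function isVulnerableJose(version) {
  return compareVersions(version, PATCHED_JOSE) < 0;
}

// Walk an `npm ls --json`-shaped tree ({ name, dependencies: { pkg: { version, dependencies } } })
// and return every "root > ... > jose" path whose jose version is below the floor.
function findVulnerablePaths(tree, pkg = 'jose', path = []) {
  const here = [...path, tree.name];
  const results = [];
  for (const [name, dep] of Object.entries(tree.dependencies || {})) {
    if (name === pkg && isVulnerableJose(dep.version)) {
      results.push({ path: [...here, name].join(' > '), version: dep.version });
    }
    // Recurse so a nested copy of the package further down the tree is also found.
    results.push(...findVulnerablePaths({ name, dependencies: dep.dependencies }, pkg, here));
  }
  return results;
}

// The pin a project would add to package.json until the transitive dependency is bumped.
// npm reads "overrides"; yarn classic reads "resolutions". Both accept a dependency spec here.
function buildPin(minVersion = PATCHED_JOSE) {
  const spec = `>=${minVersion}`;
  return { overrides: { jose: spec }, resolutions: { jose: spec } };
}

// Constructed sample tree: one path reaches a jose just below the floor (4.15.4),
// another reaches the patched 5.6.3 that newman 6.2.0 pulls in via postman-runtime@7.41.2.
// Non-jose versions are placeholders, since only jose versions are compared.
const SAMPLE_TREE = {
  name: 'my-project',
  dependencies: {
    newman: {
      version: '<older-newman-placeholder>',
      dependencies: {
        'postman-runtime': {
          version: '<older-runtime-placeholder>',
          dependencies: { jose: { version: '4.15.4' } },
        },
      },
    },
    'other-lib': {
      version: '<placeholder>',
      dependencies: { jose: { version: '5.6.3' } },
    },
  },
};

// Stand-alone usage: list affected paths, then print the pin to add to package.json.
const findings = findVulnerablePaths(SAMPLE_TREE);
for (const f of findings) console.log(`${f.path} (jose@${f.version}, need >=${PATCHED_JOSE})`);
console.log(JSON.stringify(buildPin(), null, 2));

module.exports = { compareVersions, isVulnerableJose, findVulnerablePaths, buildPin, SAMPLE_TREE };
```

Run the same walk over the real output of `npm ls --json --all` (or the equivalent yarn listing) after applying the pin, and the findings list should come back empty; an override only helps if the pinned jose is actually what the lockfile resolves to, which is why re-running the audit after the change is the step that counts.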