rsm-hcd / AndcultureCode.Cli

and-cli command-line tool to manage the development of software applications
https://andculture.com
Apache License 2.0

Address current security vulnerability with bl sub-dependency #8

Open wintondeshong opened 5 years ago

wintondeshong commented 5 years ago

https://github.com/AndcultureCode/AndcultureCode.Cli/network/alert/package-lock.json/bl/open

Remediation

Upgrade bl to version 0.9.5 or later. For example:

    "dependencies": { "bl": ">=0.9.5" }

or…

    "devDependencies": { "bl": ">=0.9.5" }

Details

WS-2018-0074
moderate severity
Vulnerable versions: < 0.9.5
Patched version: 0.9.5

Versions of bl before 0.9.5 and 1.0.1 are vulnerable to memory exposure.

bl.append(number) in the affected bl versions passes a number to the Buffer constructor, appending a chunk of uninitialized memory.

brandongregoryscott commented 4 years ago

@wintondeshong Do we know if this issue is still valid? Believe dependabot has bumped the bl version a few times, but I'm not sure if it's handled this security issue. Looks like that link is now suggesting updating to 4.0.3 or later, which I believe we just merged.

Edit: never mind, that was actually the node-fetch dep I was thinking of: https://github.com/AndcultureCode/AndcultureCode.Cli/pull/106