Closed dvasilen closed 3 years ago
Thanks for the report, and sorry for the delay. In the future, for more reliable service you can email security@rstudio.com with vulnerability reports.
We recently released Shiny Server v1.15, which includes Node.js v12.19.0, but it looks like that version doesn't have the fix for the first CVE. (I don't understand the second one; the description doesn't match the file in question, and the "kind-of" package is not part of anything we ship.)
Fortunately, these vulnerabilities should not affect Shiny Server; they are subdependencies of npm, which is used only to build our product, not to run it. You can confirm this by deleting the directory /opt/shiny-server/ext/node/lib/node_modules/npm and seeing that the product still works (I've only tested this briefly so I can't recommend doing this in production without doing your own testing).
I've just updated to Node.js v12.20.0 (which has a fixed dot-prop version) on master; look for Shiny Server 1.5.16.955 to appear soon on https://dailies.rstudio.com.
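The reply above argues that the flagged packages are only reachable through npm's own dependency tree (build tooling) rather than the runtime. The script below is an added example, not code from the issue or from the Shiny Server project: it walks a Node.js install tree, finds every copy of the two package names the thread mentions (dot-prop and kind-of), reads each copy's version from its package.json, and classifies it as "build-only" when it sits under npm's node_modules or "runtime" otherwise. The default root is the /opt/shiny-server/ext/node/lib/node_modules path quoted in the reply; the directory layout and the idea that "under npm/" means build-only are assumptions taken from that reply, and the sample tree in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the issue thread). Locate copies of the packages named in
# the advisories under a Node.js install tree and report whether each copy lives
# under npm's own node_modules (build-time tooling) or elsewhere (runtime dependency).
# Root path assumes the Shiny Server layout quoted in the reply; override with NODE_MODULES.

NODE_MODULES="${NODE_MODULES:-/opt/shiny-server/ext/node/lib/node_modules}"

# pkg_version DIR -> prints the "version" field of DIR/package.json (no jq needed)
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1/package.json" | head -n 1
}

# classify_copy ROOT PKGDIR -> "build-only" if PKGDIR is under ROOT/npm/, else "runtime"
classify_copy() {
  case "$2" in
    "$1"/npm/*) echo build-only ;;
    *)          echo runtime ;;
  esac
}

# find_copies ROOT NAME -> one line per copy: NAME<TAB>VERSION<TAB>CLASS<TAB>PATH
find_copies() {
  root=$1; name=$2
  find "$root" -type d -name "$name" -path "*/node_modules/$name" 2>/dev/null | while read -r dir; do
    [ -f "$dir/package.json" ] || continue
    printf '%s\t%s\t%s\t%s\n' "$name" "$(pkg_version "$dir")" "$(classify_copy "$root" "$dir")" "$dir"
  done
}

# count_runtime_copies ROOT NAME -> number of copies found outside npm's tree
count_runtime_copies() {
  find_copies "$1" "$2" | awk -F'\t' '$3 == "runtime"' | wc -l | tr -d ' '
}

# Report on the two package names from the thread; a non-zero runtime count means
# the package is reachable by the product itself, not just by the bundled npm.
main() {
  for pkg in dot-prop kind-of; do
    find_copies "$NODE_MODULES" "$pkg"
    echo "$pkg runtime copies: $(count_runtime_copies "$NODE_MODULES" "$pkg")"
  done
}

[ -d "$NODE_MODULES" ] && main
```

Run it as `NODE_MODULES=/path/to/node_modules sh check-npm-deps.sh` on the host; a "runtime" line is the case worth investigating, while "build-only" copies match the reply's claim that the packages belong to npm alone. The version column is there so each copy can be compared against the advisory text by hand; the script does not encode fixed-version thresholds.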
@jcheng5
The scans for the RStudio Shiny Server 1.5.14.948 show 2 high-severity vulnerabilities for the open source components CVE-2020-8116 and CVE-2019-20149.
Are there plans to address these in the new version of the server, and what is the ETA?