strongloop / loopback-component-storage

Storage component for LoopBack.

npm audit security report #265

Closed NilsFrkal closed 6 years ago

NilsFrkal commented 6 years ago

Security report shows the following 6 vulnerabilities (1 low, 3 moderate, 1 high, 1 critical) for loopback-component-storage@3.5.0

All six findings are transitive dependencies of loopback-component-storage pulled in through pkgcloud:

| Severity | Vulnerability | Package | Patched in | Path | More info |
|---|---|---|---|---|---|
| Critical | Command Injection | growl | >=1.10.2 | loopback-component-storage > pkgcloud > liboneandone > mocha > growl | https://nodesecurity.io/advisories/146 |
| High | Regular Expression Denial of Service | minimatch | >=3.0.2 | loopback-component-storage > pkgcloud > liboneandone > mocha > glob > minimatch | https://nodesecurity.io/advisories/118 |
| Moderate | Out-of-bounds Read | base64url | >=3.0.0 | loopback-component-storage > pkgcloud > gcloud > gapitoken > jws > base64url | https://nodesecurity.io/advisories/658 |
| Moderate | Out-of-bounds Read | base64url | >=3.0.0 | loopback-component-storage > pkgcloud > gcloud > gapitoken > jws > jwa > base64url | https://nodesecurity.io/advisories/658 |
| Moderate | Denial of Service | protobufjs | >=5.0.3 <6.0.0 \|\| >=6.8.6 | loopback-component-storage > pkgcloud > gcloud > protobufjs | https://nodesecurity.io/advisories/605 |
| Low | Regular Expression Denial of Service | debug | >=2.6.9 <3.0.0 \|\| >=3.1.0 | loopback-component-storage > pkgcloud > liboneandone > mocha > debug | https://nodesecurity.io/advisories/534 |

found 6 vulnerabilities (1 low, 3 moderate, 1 high, 1 critical). 6 vulnerabilities require manual review. See the full report for details.

dhmlau commented 6 years ago

@NilsFrkal , the vulnerabilities are coming from one of our dependencies pkgcloud. This module automatically picks up the latest version of pkgcloud which was released recently, however, it does not fix all the vulnerabilities.

cross-posting comment from @virkt25 in https://github.com/strongloop/loopback-component-storage/issues/246#issuecomment-389191909:

If they fix it and release a minor / patch version we'll pick up the changes automatically. Otherwise we can fix it by updating to the major release.

NilsFrkal commented 6 years ago

Thank you. Closing this with reference to https://github.com/strongloop/loopback-component-storage/issues/246#issuecomment-389191909