strongloop / strong-supervisor

Application supervisor that automatically adds cluster control and performance monitoring with StrongOps

Upgrade `appmetrics` to latest version #235

Open hsandovalskytap opened 5 years ago

hsandovalskytap commented 5 years ago

Hello,

Recently we noticed there is a security vulnerability in node-tar, which is being used by one of your dependencies, appmetrics:

└─┬ strong-supervisor@6.2.0
  └─┬ appmetrics@3.1.3
    └── tar@2.2.1

appmetrics has already addressed the problem but you would need to upgrade to the latest version, appmetrics@4.0.1.

Could you help us out upgrading appmetrics to the latest version?

sam-github commented 5 years ago

I'm not sure who is maintaining this anymore. That said:

  1. tests don't pass with appmetrics@4. This could be related to appmetrics, or not, and it doesn't have a changelog (that I found).
  2. the vulnerabilities in node-tar are irrelevant to appmetrics. The vulnerability affects using node-tar to untar user-provided tarballs (which could have poison data). Appmetrics uses tar only sometimes, and always to untar tarballs that are part of its distribution.

scottbrady commented 5 years ago

Hello! Is there an ETA to remediate the advisory on this package? npm/yarn audit is showing a vulnerability for this package's dependency.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ strong-supervisor                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ strong-supervisor > appmetrics > tar                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/803                         │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ strong-supervisor                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ strong-supervisor > appmetrics-dash > appmetrics > tar       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/803                         │
└───────────────┴──────────────────────────────────────────────────────────────┘

Thanks!

smartmouse commented 4 years ago

Yes, can we update the appmetrics dependency to the latest version, which is 5.x? Got into some issues installing appmetrics@3.x on Windows.