transloadit / uppy-server

[DEPRECATED] 'Uppy Server' was renamed to 'Companion' and lives inside the Uppy repo now
https://github.com/transloadit/uppy/tree/master/packages/%40uppy/companion
MIT License
114 stars, 27 forks

SECURITY: Vulnerability in transient dependency #70

Closed manuelkiessling closed 6 years ago

manuelkiessling commented 6 years ago

Here is the output of NSP:

yarn run nsp check
yarn run v1.3.2
$ /.bin/nsp check
(+) 1 vulnerability found
┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Prototype pollution attack                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ hoek                                                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 4 (Medium)                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 2.16.3                                                             │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ redacted > uppy-server@0.11.1 >                  │
│            │ grant-express@3.8.0 > grant@3.8.0 > request@2.81.0 > hawk@3.1.3 >  │
│            │ hoek@2.16.3                                                        │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/566                             │
└────────────┴────────────────────────────────────────────────────────────────────┘

Also see simov/grant/issues/86 for the issue in the project which can actually fix the problem.
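An added example, not code from uppy-server, grant, or anyone in this thread: a small checker that evaluates an installed version against the Vulnerable and Patched ranges quoted verbatim from the NSP report above, so a dependency-tree audit can flag a transient hoek@2.16.3 the same way NSP did. The minimal range parser and the sample versions are my own construction (production tooling would use the semver package); pre-release tags are ignored.

```javascript
// Parse "1.2.3" into [1, 2, 3]. Pre-release suffixes are dropped for brevity.
function parseVersion(v) {
  return v.trim().split('.').map(n => parseInt(n, 10));
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const diff = (a[i] || 0) - (b[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Does `version` satisfy one comparator such as ">= 5.0.0"?
function satisfiesComparator(version, comparator) {
  const m = /^(<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const cmp = compareVersions(parseVersion(version), parseVersion(m[2]));
  switch (m[1] || '=') {
    case '<':  return cmp < 0;
    case '<=': return cmp <= 0;
    case '>':  return cmp > 0;
    case '>=': return cmp >= 0;
    default:   return cmp === 0;
  }
}

// A range is a list of alternatives separated by "||"; within one alternative
// every space-separated comparator must hold (the syntax NSP prints).
function satisfiesRange(version, range) {
  return range.split('||').some(alternative => {
    const comparators =
      alternative.match(/(<=|>=|<|>|=)?\s*\d+\.\d+\.\d+/g) || [];
    return comparators.every(c => satisfiesComparator(version, c));
  });
}

// Ranges copied verbatim from the NSP report for hoek (advisory 566).
const HOEK_VULNERABLE = '<= 4.2.0 || >= 5.0.0 < 5.0.3';
const HOEK_PATCHED = '> 4.2.0 < 5.0.0 || >= 5.0.3';

// True when the installed version is inside the vulnerable range and
// outside the patched one, i.e. the build should be blocked.
function isVulnerable(version) {
  return satisfiesRange(version, HOEK_VULNERABLE) &&
    !satisfiesRange(version, HOEK_PATCHED);
}

// Constructed sample mirroring the report: hoek@2.16.3 reached via request/hawk.
console.log('hoek@2.16.3 vulnerable:', isVulnerable('2.16.3'));
```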

ifedapoolarewaju commented 6 years ago

@manuelkiessling thank you for reporting this. I'll look into it.

simov commented 6 years ago

:wave: I've resolved the security issue in Grant v4, so all you need to do is bump the version here. Also check out the changelog. Migration should be pretty straightforward.

Let me know if you have any issues!

ifedapoolarewaju commented 6 years ago

@simov I did run into an issue after upgrading to Grant 4. See here

simov commented 6 years ago

Fixed in version 4.0.1 :tada:

ifedapoolarewaju commented 6 years ago

upgraded, thanks for all the input in this 😉

manuelkiessling commented 6 years ago

@ifedapoolarewaju and @simov, thank you so much for doing such an awesome job for all of us, highly appreciated!