Closed caub closed 6 years ago
+1. Just ran into this issue.
+1. Encountering same, security report advise update to 0.5.1 or higher will resolve but I still get the same issue.
+1
+1
I still have the same problem even after upgrading to the new released version ("version": "0.5.1",)
Me too, with GULP.
Just hit this with my React TypeScript app. Vulnerabilities: deep-extend: 9
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts-ts [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > fsevents > node-pre-gyp > rc >            │
│               │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
Tried manually installing/updating `deep-extend` to 0.5.1 to no avail. Tried my old `package.json` with no luck. Afraid to publish (GH-Pages; Travis CI) based on what the `hoek` dependency did a few weeks back.
Edit: When I upgraded to `react-scripts-ts@3.0.0`, the number of `deep-extend` vulnerabilities went from 11 down to 9 (and all the `randomatic` vulnerabilities resolved).
Same security issue using `nodemon`:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nodemon > chokidar > fsevents > node-pre-gyp > rc >          │
│               │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
This was fixed in #40
There is a PR outstanding for `rc`: https://github.com/dominictarr/rc/pull/103
Ugh. @unclechu Any idea why this is still showing up as a vulnerability?
@rob-orr No, I don't. I'm actually not very in touch with javascript world these days. So I'd expect someone else to write a test that reproduces it and then I could fix it.
+1
@caub @rob-orr I've tested it with the new `npm audit` command and it detected a vulnerability in the `mocha` package from devDependencies. I fixed it and released it with v0.6.0, so I think it is fixed for now? Could you please check and confirm if it's okay with the latest version?
P.S. As a side effect I dropped support for older versions of node.js and io.js because they were failing on Travis-CI with those new versions of devDependencies.
@unclechu Thanks, much appreciated! We've tested it and it is passing our scanner. Now we just need `rc` and `closure-loader` to update their dependencies!
@rob-orr Thank you for the response, I'm closing the issue as fixed.
Edit: It's fixed in https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703 and #40
`rc` got updated: https://github.com/dominictarr/rc/commit/b63377974f60bc5207c15bc8f465e28d2c7e1945
`node-pre-gyp`: https://github.com/mapbox/node-pre-gyp/pull/379
`fsevents` needs to update `node-pre-gyp`
`chokidar` needs to update `fsevents`
`webpack-dev-server` and `watchpack` need to update `chokidar`
`webpack` needs to update `watchpack`