guylepage3
commented
6 years ago +1. Just ran into this issue.
Closed caub closed 6 years ago
guylepage3
commented
6 years ago +1. Just ran into this issue.
whackdev
commented
6 years ago +1. Encountering same, security report advise update to 0.5.1 or higher will resolve but I still get the same issue.
theRealSheng
commented
6 years ago +1
ThLewis
commented
6 years ago +1
ichthub
commented
6 years ago I still have the same problem even after upgrading to the new released version ("version": "0.5.1",)
EmersonCDias
commented
6 years ago Me too, with GULP.
KDCinfo
commented
6 years ago Just hit this with my React TypeScript app. Vulnerabilities: deep-extend: 9
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts-ts [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts-ts > fsevents > node-pre-gyp > rc > │
│ │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/612 │
└───────────────┴──────────────────────────────────────────────────────────────┘Tried manually installing/updating deep-extend to 0.5.1 to no avail. Tried my old pacakge.json with no luck. Afraid to publish (GH-Pages; Travis CI) based on what the hoek dependency did a few weeks back.
Edit: When I upgraded to react-scripts-ts@3.0.0, the number of deep-extend vulnerabilities went from 11 down to 9 (and all the randomatic vulnerabilities resolved).
mahdifani14
commented
6 years ago Same security issue using nodemon:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.5.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nodemon > chokidar > fsevents > node-pre-gyp > rc > │
│ │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/612 │
└───────────────┴──────────────────────────────────────────────────────────────┘
mohsen1
commented
6 years ago This was fixed in #40
There is a PR outstanding for rc
https://github.com/dominictarr/rc/pull/103
rob-orr
commented
6 years ago Ugh. @unclechu Any idea why this is still showing up as a vulnerability?
unclechu
commented
6 years ago @rob-orr No, I don't. I'm actually not very in touch with javascript world these days. So I'd expect someone else to write a test that reproduces it and then I could fix it.
guillermodoghel
commented
6 years ago +1
unclechu
commented
6 years ago @caub @rob-orr I've tested it by new npm audit command and it detected vulnerability in mocha package from devDependencies, I fixed it and released with v0.6.0, so I think it is fixed for now? Could you please check and confirm if it's okay with latest version?
P.S. As a side-effect I dropped support of older versions of node.js and io.js because they're failing on Travis-CI by those new versions of devDependencies.
rob-orr
commented
6 years ago @unclechu Thanks, much appreciated! We've tested it and it is passing our scanner. Now we just need rc and closure-loader to update their dependencies!
unclechu
commented
6 years ago @rob-orr Thank you for the response, I'm closing the issue as fixed.
Edit: It's fixed in https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703 and #40
rcgot updated: https://github.com/dominictarr/rc/commit/b63377974f60bc5207c15bc8f465e28d2c7e1945node-pre-gyphttps://github.com/mapbox/node-pre-gyp/pull/379fseventsneeds to updatenode-pre-gypchokidarneeds to updatefseventswebpack-dev-serverandwatchpackneeds to updatechokidarwebpackneeds to updatewatchpack