washingtonpost / ArcAds

ArcAds is a DFP wrapper created by Arc XP with publishers in mind.
https://www.npmjs.com/package/arcads
MIT License

Security Vulnerability report requiring manual review with esdoc > minimist #63

Closed JackHowa closed 4 years ago

JackHowa commented 4 years ago

Expected Behavior

Actual Behavior

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ arcads                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ arcads > esdoc > marked                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/812                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ arcads                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ arcads > esdoc-standard-plugin > esdoc-publish-html-plugin > │
│               │ marked                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/812                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ arcads                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ arcads > esdoc > minimist                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Steps to Reproduce the Behavior

https://www.npmjs.com/advisories/1179

Additional Comments
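The "Prototype Pollution" finding for minimist (advisory 1179) in the audit output above is a class of bug rather than a single line of code: an argument parser that supports dotted keys such as `--a.b=c` walks into nested objects, and if a key segment is `__proto__` the walk lands on `Object.prototype`, so the assignment leaks into every object in the process. The following is an added example, not ArcAds, esdoc or minimist code; it uses a hypothetical minimal parser (`parseArgs`, `setPath`) to show the unsafe behaviour next to a hardened variant that refuses the dangerous segments, and a helper (`pollutesPrototype`) that checks whether a fresh, unrelated object picked up the injected property. The argv values are constructed for the demonstration.

```javascript
// Added example (not ArcAds, esdoc or minimist code): a hypothetical argv
// parser with dotted-key support, in an unsafe and a hardened form, to show
// the prototype-pollution bug class that advisory 1179 reports in minimist.
// It does not reproduce minimist's actual implementation.

// Key segments that must never be used to walk into an object: following
// them reaches Object.prototype (or the constructor) instead of the target.
// Blocking all three is the conventional guard; in this toy parser only
// "__proto__" actually reaches the shared prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk `obj` along `segments`, creating intermediate objects, then assign
// `value` at the last segment. `guard(segment)` decides whether a segment is
// allowed; returns false (and assigns nothing) when a segment is rejected.
function setPath(obj, segments, value, guard) {
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (!guard(seg)) return false;
    // Unsafe variant: when seg is "__proto__", cur[seg] is Object.prototype,
    // which is already an object, so the walk silently moves onto it.
    if (cur[seg] === undefined || typeof cur[seg] !== 'object') cur[seg] = {};
    cur = cur[seg];
  }
  const last = segments[segments.length - 1];
  if (!guard(last)) return false;
  cur[last] = value;
  return true;
}

// Parse `--key.sub=value` style arguments. `safe: false` mirrors the
// vulnerable behaviour; `safe: true` rejects forbidden segments.
function parseArgs(argv, { safe }) {
  const guard = safe ? (seg) => !FORBIDDEN_SEGMENTS.has(seg) : () => true;
  const result = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue; // this toy only handles --key=value forms
    setPath(result, m[1].split('.'), m[2], guard);
  }
  return result;
}

// Parse `argv`, then report whether an unrelated empty object now exposes
// `polluted`, i.e. whether Object.prototype was modified. Undoes the
// pollution afterwards so the rest of the process is unaffected.
function pollutesPrototype(argv, safe) {
  parseArgs(argv, { safe });
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}

// Constructed input: one malicious argument and one ordinary dotted key.
const CONSTRUCTED_ARGV = ['--__proto__.polluted=yes', '--out.dir=docs'];

console.log('unsafe parser pollutes prototype:', pollutesPrototype(CONSTRUCTED_ARGV, false));
console.log('hardened parser pollutes prototype:', pollutesPrototype(CONSTRUCTED_ARGV, true));
console.log('hardened parser result:', JSON.stringify(parseArgs(CONSTRUCTED_ARGV, { safe: true })));
```

The hardened parser still accepts ordinary nested keys, so the fix costs nothing functionally; the advisory's patched ranges (`>=0.2.1 <1.0.0 || >=1.2.3`) are the upstream equivalent of this guard, and the remediation for a consumer is to move to a version in that range rather than to wrap the parser.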

JackHowa commented 4 years ago

Looks like we might need to move to a fork of the unmaintained esdoc. It seems as though esdoc2 would satisfy the requirement (https://github.com/esdoc2/esdoc2/blob/master/package.json#L55) of 1.2.5 for minimist, via https://github.com/esdoc/esdoc/issues/556

JackHowa commented 4 years ago

Long-term, Docusaurus may be a good replacement: https://github.com/facebook/docusaurus/issues?q=is%3Aissue+is%3Aopen+esdoc

It seems pretty active: https://nodejs.libhunt.com/compare-esdoc-vs-docusaurus

JackHowa commented 4 years ago

This seems like it may soon be deprecated. Not sure of priority.