webtorrent / webtorrent-hybrid

WebTorrent (with WebRTC support in Node.js)
https://webtorrent.io
MIT License

Vulnerabilities found after install of webtorrent-hybrid #98

Closed imtase closed 5 years ago

imtase commented 5 years ago

After installing the package webtorrent-hybrid I have a security report from npm with 2 vulnerabilities. Result of the audit:

                       === npm audit security report ===                        

                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             

          Visit https://go.npm.me/audit-guide for additional guidance           

  Critical        Command Injection                                             

  Package         open                                                          

  Patched in      >0.0.5                                                        

  Dependency of   webtorrent-hybrid                                             

  Path            webtorrent-hybrid > webtorrent-cli > open                     

  More info       https://nodesecurity.io/advisories/663                        

  Moderate        Denial of Service                                             

  Package         protobufjs                                                    

  Patched in      >=5.0.3 < 6.0.0 || >=6.8.6                                    

  Dependency of   webtorrent-hybrid                                             

  Path            webtorrent-hybrid > webtorrent-cli > chromecasts >            
                  castv2-client > castv2 > protobufjs                           

  More info       https://nodesecurity.io/advisories/605                        

found 2 vulnerabilities (1 moderate, 1 critical) in 1873 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

DhavalW commented 5 years ago

+1 got the same.

skvggor commented 5 years ago

:+1:

feross commented 5 years ago

We don't depend on open anymore, so there should be no message about that. Please ensure that you're using version 2.0.0.

feross commented 5 years ago

There is still a warning being generated for castv2:

 webtorrent-cli > chromecasts > castv2-client > castv2 > protobufjs 

There's an issue on castv2 opened here: https://github.com/thibauts/node-castv2/issues

feross commented 5 years ago

Hi everyone, I have a pull request that fixes this issue but I don't have a Chromecast handy at the moment to test it out. Can someone confirm that the code in this pull request still works correctly?

https://github.com/thibauts/node-castv2/pull/56

feross commented 5 years ago

I just published a new version of castv2@0.1.10 which now fully resolves the npm audit warnings in this package! 🎉
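As an added example (not code from webtorrent-hybrid, castv2 or npm), the following Node.js check walks an npm ls --json style tree down to the nested dependency named in the audit path and tests its version against the "Patched in" range quoted in the report. The tree and the versions of the intermediate packages are constructed placeholders, and the range parser covers only the comparator syntax that appears in the report above.

```javascript
// Compare dotted versions numerically (no prerelease handling; enough for
// the ranges printed by the audit above).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

const OPS = { '>': d => d > 0, '>=': d => d >= 0, '<': d => d < 0, '<=': d => d <= 0 };
const CMP = /(>=|<=|>|<)\s*(\d+(?:\.\d+)*)/g;

// True if `version` satisfies a "Patched in" range such as
// ">=5.0.3 < 6.0.0 || >=6.8.6": "||" separates alternatives, whitespace means AND.
function satisfies(version, range) {
  return range.split('||').some(clause => {
    const comparators = [...clause.matchAll(CMP)];
    return comparators.length > 0 &&
      comparators.every(([, op, v]) => OPS[op](compareVersions(version, v)));
  });
}

// Depth-first search of an `npm ls --json` tree for package `name`;
// returns the dependency path and the resolved version, or null if absent.
function findDependency(tree, name, path = []) {
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) return { path: here, version: info.version };
    const found = findDependency(info, name, here);
    if (found) return found;
  }
  return null;
}

// Constructed sample tree mirroring the audit path; intermediate versions are
// placeholders, protobufjs is deliberately below the patched range.
const sampleTree = { name: 'webtorrent-hybrid', version: '0.0.0', dependencies: {
  'webtorrent-cli': { version: '0.0.0', dependencies: {
    chromecasts: { version: '0.0.0', dependencies: {
      'castv2-client': { version: '0.0.0', dependencies: {
        castv2: { version: '0.0.0', dependencies: {
          protobufjs: { version: '5.0.1' } } } } } } } } } } };

// Report whether `pkg` is present and whether its version is still unpatched.
function checkAdvisory(tree, pkg, patchedIn) {
  const found = findDependency(tree, pkg);
  if (!found) return { found: false, vulnerable: false, path: [], version: null };
  return { found: true, vulnerable: !satisfies(found.version, patchedIn),
           path: found.path, version: found.version };
}
```

Run against the real output of npm ls --json after upgrading, a vulnerable: false result for protobufjs with the range from the report confirms that the castv2 update actually reached the installed tree.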