yui / yogi

Command Line Helper for YUI
http://yui.github.com/yogi/

Update express and request module versions in package.json #100

Closed pdehaan closed 10 years ago

pdehaan commented 10 years ago

It looks like you're using an older version of the request module which has a vulnerable version of qs (see advisory).

/package.json:20

Plus it looks like you're using an older 2.x version of Express, see https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting

Steps to reproduce

# $ npm i nsp -g
$ git clone git@github.com:yui/yogi.git
$ npm install
$ npm shrinkwrap --dev
wrote npm-shrinkwrap.json

$ nsp shrinkwrap
Name     Installed  Patched  Vulnerable Dependency
connect    2.6.0    >=2.8.1  yogi > combohandler > express
qs         0.5.1     >= 1.x  yogi > combohandler > express > connect
connect    2.7.5    >=2.8.1  yogi > express
qs         0.5.1     >= 1.x  yogi > express > connect
qs         0.6.6     >= 1.x  yogi > git-travis > travis-ci > request
connect    1.9.2    >=2.8.1  yogi > grover > express
qs         0.4.2     >= 1.x  yogi > grover > express
qs         0.6.6     >= 1.x  yogi > request
qs         0.6.6     >= 1.x  yogi > yeti > request
marked     0.2.10   >=0.3.1  yogi > yuidocjs

The relevant lines are:

Name     Installed  Patched  Vulnerable Dependency
connect    2.7.5    >=2.8.1  yogi > express
qs         0.6.6     >= 1.x  yogi > request

All the other results seem to be vulnerabilities in sub-dependencies, although you may be able to solve it by updating some of the outdated dependencies:

$ npm outdated --depth 0 | sort
Package               Current  Wanted  Latest  Location
combohandler            0.2.0   0.2.0   0.4.0  combohandler
cpr                     0.0.6   0.0.6   0.3.2  cpr
editor                  0.0.6   0.0.6   0.1.0  editor
express                 3.1.2   3.1.2   4.8.2  express
istanbul               0.1.37  0.1.37   0.3.0  istanbul
jshint                  0.9.1   0.9.1   2.5.2  jshint
mkdirp                  0.3.5   0.3.5   0.5.0  mkdirp
nopt                   1.0.10  1.0.10   3.0.1  nopt
osenv                   0.0.3   0.0.3   0.1.0  osenv
promises-aplus-tests    1.3.2   1.3.2   2.0.4  promises-aplus-tests
request                2.21.0  2.21.0  2.40.0  request
rimraf                  2.1.4   2.1.4   2.2.8  rimraf
shifter                 0.4.6   0.4.6   0.5.0  shifter
treeify                 0.2.0   0.2.0   1.0.1  treeify
win-spawn               1.1.2   1.1.2   2.0.0  win-spawn
yui-lint                0.1.4   0.1.4   0.2.0  yui-lint

caridy commented 10 years ago

This is a build tool; it doesn't serve production traffic, and it uses the server internally to serve the docs during development.