zumwald / oss-attribution-generator

utility to parse bower and npm packages used in a project and generate an attribution file to include in your product
MIT License

Update dependencies to fix vulnerabilities introduced by debug and deep-extend #19

Open mertd opened 6 years ago

mertd commented 6 years ago

npm audit, at the time of writing, reports three known vulnerabilities for oss-attribution-generator:

review  deep-extend     low     >=0.5.1 Prototype Pollution     https://nodesecurity.io/advisories/612 oss-attribution-generator>bower-json>deep-extend
review  deep-extend     low     >=0.5.1 Prototype Pollution     https://nodesecurity.io/advisories/612 oss-attribution-generator>bower-license>bower-json>deep-extend
review  debug   low     >= 2.6.9 < 3.0.0 || >= 3.1.0    Regular Expression Denial of Service   https://nodesecurity.io/advisories/534  oss-attribution-generator>spdx-licenses>debug

However, these are all vulnerabilities with a low rating and dependencies of dependencies. In the case of Bower, development seems to have stalled and the maintainers are recommending a move to yarn, so updates here seem to be unlikely.
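The deep-extend advisory in the audit output above is a prototype-pollution issue in a recursive merge. The following is an added example, not code from oss-attribution-generator or from deep-extend itself: a constructed naive deep merge of the vulnerable shape, beside a hardened merge that refuses to descend through prototype-affecting keys, run over a constructed JSON input so the difference can be observed.

```javascript
// Added example, not the library's code. `naiveDeepExtend`, `safeDeepExtend`
// and `runDemo` are constructed for illustration.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable shape: copies every own key of `src` into `dst`, recursing into
// nested objects. For an own key named "__proto__", `dst[key]` resolves through
// the Object.prototype.__proto__ accessor to Object.prototype itself, so the
// nested values are written onto the prototype shared by every object.
function naiveDeepExtend(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      naiveDeepExtend(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened: skip the keys that can reach the prototype chain, and only recurse
// into a nested object that `dst` actually owns (never an inherited one).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeDeepExtend(dst, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue; // dropped, not merged
    const val = src[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || !isPlainObject(dst[key])) dst[key] = {};
      safeDeepExtend(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed sample: a JSON document from an untrusted source that carries an
// own "__proto__" key (JSON.parse keeps it as an own property).
const UNTRUSTED_JSON = '{"name":"pkg","__proto__":{"polluted":"yes"}}';

function runDemo() {
  const probe = {}; // an unrelated object; it should never gain a "polluted" key
  naiveDeepExtend({}, JSON.parse(UNTRUSTED_JSON));
  const naiveLeaked = probe.polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution before the safe run
  const merged = safeDeepExtend({}, JSON.parse(UNTRUSTED_JSON));
  const safeLeaked = probe.polluted !== undefined;
  const ownProto = Object.prototype.hasOwnProperty.call(merged, '__proto__');
  return { naiveLeaked, safeLeaked, mergedName: merged.name, ownProto };
}
```

Calling `runDemo()` reports `naiveLeaked: true` and `safeLeaked: false`; the same probe object shows why a low-severity transitive finding can still affect unrelated code in the same process.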

mertd commented 4 years ago

#22 seems to be related

electrovir commented 2 years ago

I forked this repo (and partially rewrote it in TypeScript) to fix this.

https://www.npmjs.com/package/@electrovir/oss-attribution-generator