
Bump insight dependency #300

Closed
jpike88 opened this Issue Aug 21, 2018 · 5 comments


jpike88 commented Aug 21, 2018

There is a vulnerability warning on lodash 3.10.1, which is being caused by an old version of insight. Needs bumping to eliminate that warning.

janpio added the bug label Aug 21, 2018

simonhaenisch commented Aug 29, 2018

There are also vulnerability warnings for hoek and tunnel-agent which are dependencies of request in cordova-lib:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > boom > hoek         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > cryptiles > boom >  │
│               │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > hoek                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > sntp > hoek         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > insight > inquirer > lodash                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > tunnel-agent               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
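The hoek and lodash entries in the audit output above are both "Prototype pollution" findings. The following is an added example, not code from hoek, lodash, insight or cordova, showing the class of bug behind those advisories: a deep merge that walks attacker-controlled JSON and recurses into `target["__proto__"]`, beside a hardened merge that refuses the dangerous keys. The names `naiveMerge`, `safeMerge`, `isPlainObject` and `demo`, and the JSON payload, are all constructed for this illustration.

```javascript
// Added example (not code from hoek, lodash, insight or cordova). The
// function and constant names below are hypothetical, chosen for this demo.

// A deep merge of the kind older utility libraries shipped: it visits every
// enumerable key of `source`, including a key literally named "__proto__",
// and recurses into whatever `target[key]` resolves to. For a plain object,
// target["__proto__"] is Object.prototype, so the nested payload is written
// onto the prototype shared by every object in the process.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: rejects keys that can reach a shared prototype, only
// recurses into the target's *own* plain-object properties, and otherwise
// merges exactly like the naive version.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge dangerous key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled input (think: a JSON request body or a
// config file). JSON.parse creates an *own* property named "__proto__",
// which is exactly what the naive for..in walk picks up.
const PAYLOAD = '{"name": "app", "__proto__": {"isAdmin": true}}';

// Runs both merges against the payload and reports whether an unrelated,
// freshly created object ended up with `isAdmin` set.
function demo() {
  const naiveResult = naiveMerge({}, JSON.parse(PAYLOAD));
  const pollutedAfterNaive = ({}).isAdmin === true;
  // Undo the pollution so the rest of the process is clean again.
  delete Object.prototype.isAdmin;

  let safeRejected = false;
  try {
    safeMerge({}, JSON.parse(PAYLOAD));
  } catch (e) {
    safeRejected = true;
  }
  const pollutedAfterSafe = ({}).isAdmin === true;

  return {
    naiveTargetName: naiveResult.name, // "app": the benign key still merged
    pollutedAfterNaive,                // true: Object.prototype.isAdmin was set
    safeRejected,                      // true: the hardened merge threw
    pollutedAfterSafe,                 // false: nothing reached the prototype
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point for a dependency like `cordova > insight > inquirer > lodash` is that the vulnerable merge does not have to be called by your own code: any package on that path that feeds user-influenced JSON into it can set a property on `Object.prototype` that every later `if (user.isAdmin)` check in the process will see. Bumping to the patched range in the audit table is the actual fix; the `safeMerge` variant shows the kind of key filtering the patched versions add.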
janpio commented Aug 29, 2018

Thanks @simonhaenisch, could you also report this over at https://github.com/apache/cordova-lib/issues so it doesn't get lost please? Thanks.

raphinesse commented Aug 29, 2018

@simonhaenisch I think those are resolved already

simonhaenisch commented Aug 29, 2018

@raphinesse yes I just saw that the request dependency has been removed from cordova-lib.

raphinesse commented Aug 30, 2018

Update: simply bumping breaks the tests. Will look into it.

raphinesse added a commit to raphinesse/cordova-cli that referenced this issue Aug 30, 2018

Update `insight` to resolve `npm audit` warning
- To resolve the lodash warning, 0.9.0 would have sufficed.
- Because of yeoman/insight@dae6dd4
  users will be asked again whether they want data to be collected

Fixes apache#300

dpogue closed this in #312 Aug 30, 2018

dpogue added a commit that referenced this issue Aug 30, 2018