
Bump insight dependency #300

Closed
jpike88 opened this issue Aug 21, 2018 · 5 comments
Labels
bug

Comments

jpike88 commented Aug 21, 2018

There is a vulnerability warning on lodash 3.10.1, which is being caused by an old version of insight. Needs bumping to eliminate that warning

janpio added the bug label Aug 21, 2018

simonhaenisch commented Aug 29, 2018

There are also vulnerability warnings for hoek and tunnel-agent which are dependencies of request in cordova-lib:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > boom > hoek         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > cryptiles > boom >  │
│               │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > hoek                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > sntp > hoek         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > insight > inquirer > lodash                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > tunnel-agent               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
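The output above lists one table per dependency path, so the single hoek advisory (566) appears four times. As an added example, not code from cordova-cli or from the commenter, the parser below turns that box-drawing layout into one record per advisory with all of its paths and a flag for whether it is reachable outside devDependencies; SAMPLE is two of the tables copied from the comment.

```javascript
// Added example, not cordova-cli code: parse the box-drawing tables npm audit prints
// (as quoted above) into one record per advisory. SAMPLE copies two of those tables.
const SAMPLE = `
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > cryptiles > boom >  │
│               │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > insight > inquirer > lodash                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
`;
function parseAudit(text) {
  const byAdvisory = new Map(); let cur, key;
  for (const line of text.split('\n').map((l) => l.trim())) {
    if (line.startsWith('┌')) cur = {};                       // a new table begins
    else if (line.startsWith('│') && cur) {
      const [, k, v] = line.split('│').map((c) => c.trim());
      if (!k) cur[key] += ' ' + v;                            // wrapped cell continues
      else if (/^(Low|Moderate|High|Critical)$/.test(k)) { cur.severity = k; cur[key = 'title'] = v; }
      else cur[key = k] = v;
    } else if (line.startsWith('└') && cur) {                 // table ends: merge by advisory
      const e = byAdvisory.get(cur['More info']) || { package: cur.Package, severity: cur.severity,
        title: cur.title, patchedIn: cur['Patched in'], paths: [], devOnly: true };
      e.paths.push(cur.Path);
      if (!cur['Dependency of'].includes('[dev]')) e.devOnly = false; // reachable at runtime
      byAdvisory.set(cur['More info'], e);
    }
  }
  return [...byAdvisory.values()];
}
```

Run against the full output from the comment, the four hoek tables collapse into one record with four paths, all marked dev-only, while the lodash entry under insight is the only one reachable at runtime.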
raphinesse (Contributor) commented Aug 29, 2018

@simonhaenisch I think those are resolved already

simonhaenisch commented Aug 29, 2018

@raphinesse yes, I just saw that the request dependency has been removed from cordova-lib.

raphinesse (Contributor) commented Aug 30, 2018

Update: simply bumping breaks the tests. Will look into it.

raphinesse added a commit to raphinesse/cordova-cli that referenced this issue Aug 30, 2018
- To resolve the lodash warning, 0.9.0 would have sufficed.
- Because of yeoman/insight@dae6dd4
  users will be asked again whether they want data to be collected

Fixes apache#300
dpogue closed this in #312 Aug 30, 2018
dpogue added a commit that referenced this issue Aug 30, 2018
- To resolve the lodash warning, 0.9.0 would have sufficed.
- Because of yeoman/insight@dae6dd4
  users will be asked again whether they want data to be collected

Fixes #300