Skip to content

/ cordova-cli

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump insight dependency #300

Closed
jpike88 opened this issue Aug 21, 2018 · 5 comments
Closed

Bump insight dependency #300

jpike88 opened this issue Aug 21, 2018 · 5 comments
Labels
bug

Comments

@jpike88
Copy link

@jpike88 jpike88 commented Aug 21, 2018
edited

There is a vulnerability warning on lodash 3.10.1, which is being caused by an old version of insight. Needs bumping to eliminate that warning
@janpio janpio added the bug label Aug 21, 2018
@simonhaenisch
Copy link

@simonhaenisch simonhaenisch commented Aug 29, 2018
edited

There are also vulnerability warnings for hoek and tunnel-agent which are dependencies of request in cordova-lib:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > boom > hoek         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > cryptiles > boom >  │
│               │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > hoek                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > sntp > hoek         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > insight > inquirer > lodash                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > tunnel-agent               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
@janpio

This comment has been hidden.

Sign in to view
@raphinesse
Copy link
Contributor

@raphinesse raphinesse commented Aug 29, 2018

@simonhaenisch I think those are resolved already
@simonhaenisch
Copy link

@simonhaenisch simonhaenisch commented Aug 29, 2018

@raphinesse yes I just saw that the request dependency has been removed from cordova-lib.
@raphinesse
Copy link
Contributor

@raphinesse raphinesse commented Aug 30, 2018

Update: simply bumping breaks the tests. Will look into it.
raphinesse added a commit to raphinesse/cordova-cli that referenced this issue Aug 30, 2018
@raphinesse
Update `insight` to resolve `npm audit` warning
Loading status checks…
2e12690 
- To resolve the lodash warning, 0.9.0 would have sufficed.
- Because of yeoman/insight@dae6dd4
  users will be asked again whether they want data to be collected

Fixes apache#300
@raphinesse raphinesse mentioned this issue Aug 30, 2018
Merged
@dpogue dpogue closed this in #312 Aug 30, 2018
dpogue added a commit that referenced this issue Aug 30, 2018
@raphinesse @dpogue
Update `insight` to resolve `npm audit` warning
Loading status checks…
2aca200 
- To resolve the lodash warning, 0.9.0 would have sufficed.
- Because of yeoman/insight@dae6dd4
  users will be asked again whether they want data to be collected

Fixes #300
@brodybits brodybits mentioned this issue Sep 21, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

Update dependencies
4 participants
@janpio @raphinesse @simonhaenisch @jpike88