Bump insight dependency #300

Closed
jpike88 opened this issue Aug 21, 2018 · 5 comments · Fixed by #312
@jpike88

jpike88 commented Aug 21, 2018

There is a vulnerability warning on lodash 3.10.1, which is being caused by an old version of insight. Needs bumping to eliminate that warning.

@janpio janpio added the bug label Aug 21, 2018
@simonhaenisch

simonhaenisch commented Aug 29, 2018

There are also vulnerability warnings for hoek and tunnel-agent, which are dependencies of request in cordova-lib:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > boom > hoek         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > cryptiles > boom >  │
│               │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > hoek                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > hawk > sntp > hoek         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > insight > inquirer > lodash                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cordova [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cordova > cordova-lib > request > tunnel-agent               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
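An added example, not code from the cordova-cli project or from anyone in this thread: a small Node.js script that parses the box-drawing tables `npm audit` printed above and reports, for each advisory, the direct dependency of cordova that has to be bumped (insight for the lodash advisory, cordova-lib for the hoek and tunnel-agent ones). The sample input is a constructed copy of two of the tables above, including the one whose Path cell wraps onto a second row.

```javascript
// Added example (not cordova-cli code): parse the box-drawing tables that
// `npm audit` printed above and find the direct dependency to bump per advisory.
const SAMPLE_AUDIT = `
┌───────────────┬──────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                      │
│ Package       │ hoek                                     │
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3              │
│ Dependency of │ cordova [dev]                            │
│ Path          │ cordova > cordova-lib > request > hawk > │
│               │ cryptiles > boom > hoek                  │
│ More info     │ https://nodesecurity.io/advisories/566   │
└───────────────┴──────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────┐
│ Low           │ Prototype Pollution                      │
│ Package       │ lodash                                   │
│ Patched in    │ >=4.17.5                                 │
│ Dependency of │ cordova                                  │
│ Path          │ cordova > insight > inquirer > lodash    │
│ More info     │ https://nodesecurity.io/advisories/577   │
└───────────────┴──────────────────────────────────────────┘
`; // constructed copy of two tables above; ├ separator rows dropped for brevity

function parseAuditTables(text) {
  const out = [];
  let cur = null, lastKey = null;
  for (const line of text.split('\n').map((l) => l.trim())) {
    if (line.startsWith('┌')) { cur = {}; lastKey = null; continue; } // table start
    if (line.startsWith('└')) { out.push(cur); cur = null; continue; } // table end
    if (!cur || !line.startsWith('│')) continue; // separators and blank lines
    const [key, value] = line.split('│').slice(1, 3).map((s) => s.trim());
    if (key === '' && lastKey) cur[lastKey] += ' ' + value; // wrapped cell continues
    else if (lastKey === null) { cur.severity = key; cur.title = value; lastKey = 'title'; }
    else { cur[key] = value; lastKey = key; }
  }
  return out;
}

// Group advisories by the first hop below the root package: that is the
// direct dependency whose version has to move, however many paths reach it.
function bumpTargets(advisories) {
  const targets = {};
  for (const a of advisories) {
    const direct = a.Path.split('>').map((s) => s.trim())[1];
    const t = targets[direct] || (targets[direct] = { advisories: [], vulnerable: [] });
    const id = a['More info'].split('/').pop();
    if (!t.advisories.includes(id)) t.advisories.push(id);
    const v = `${a.Package} (patched in ${a['Patched in']})`;
    if (!t.vulnerable.includes(v)) t.vulnerable.push(v);
  }
  return targets;
}
```

Run it over the full output pasted above and the four hoek paths collapse into a single cordova-lib entry for advisory 566, while lodash maps to insight.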

@raphinesse
Contributor

@simonhaenisch I think those are resolved already

@simonhaenisch

@raphinesse yes I just saw that the request dependency has been removed from cordova-lib.

@raphinesse
Contributor

Update: simply bumping breaks the tests. Will look into it.

raphinesse added a commit to raphinesse/cordova-cli that referenced this issue Aug 30, 2018
- To resolve the lodash warning, 0.9.0 would have sufficed.
- Because of yeoman/insight@dae6dd4b73b9
  users will be asked again whether they want data to be collected

Fixes apache#300
dpogue pushed a commit that referenced this issue Aug 30, 2018
- To resolve the lodash warning, 0.9.0 would have sufficed.
- Because of yeoman/insight@dae6dd4b73b9
  users will be asked again whether they want data to be collected

Fixes #300