security issue

[pocesar]

https://npmjs.com/advisories/758

[cript0nauta]

#21 fixes the security issue

[davidemontanari]

@substack Can you please take a look?

[nullivex]

Despite the release 4 hours ago, this remains applicable. Is that a mistake?

Im going to assume NPM has some kind of review process?

Thank you for the quick response!

[mheggeseth]

#21 fixes the security issue

Turns out it doesn't due to scoping issues. #23 is the intended fix.

[millette]

Now that #23 is merged into 2.0.2, is there another step to clear the advisory which is still in effect? I ran npm audit fix, new version was picked up, but the advisory remains.

[nullivex]

Similar behavior here!

[jrbattles]

We are experiencing the same thing. My application has to pass npm audit for regulatory compliance. please advise.

[millette]

I've run the proof on concept with 2.0.1 and the output is the whole set of environment variables. Upgrading to 2.0.2 outputs undefined instead so that's great.

First, create the index file in a new directory.

index:js:

var evaluate = require('static-eval');
var parse = require('esprima').parse;

var src = process.argv[2];
var payload = '(function({x}){return x.constructor})({x:"".sub})("console.log(process.env)")()'
var ast = parse(payload).body[0].expression;
console.log(evaluate(ast, {x:1}));

Then create the package file with deps (using static-eval@2.0.1 first):

cd NEW-DIR # where you created index.js
npm init -y
npm install static-eval@2.0.1 esprima
node .

Should output environment variables, which we wanted to prevent by using static-eval.

npm install static-eval@2.0.2
node .

Should only output undefined, success!

Who can update the advisory?

[joebowbeer]

Updated

[millette]

Ping; closing time :-)