This repository has been archived by the owner on Dec 6, 2018. It is now read-only.

security Issue with bl #114

Closed
scenaristeur opened this issue May 10, 2018 · 6 comments

Comments

@scenaristeur

Hi, the new version of npm tells me there is a security issue:

```text
                   === npm audit security report ===

                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Moderate       Memory Exposure
Package        bl
Patched in     >=0.9.5 <1.0.0 || >=1.0.1
Dependency of  level-sublevel
Path           level-sublevel > levelup > bl
More info      https://nodesecurity.io/advisories/596

[!] 1 vulnerability found - Packages audited: 498 (0 dev, 0 optional)
Severity: 1 Moderate
```

scenaristeur changed the title from "security Issue with b1" to "security Issue with bl" on May 10, 2018
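The audit report above names the dependency path (level-sublevel > levelup > bl) and the patched ranges, but not which version of bl is actually resolved in the tree. The script below is an added example, not code from this issue or from level-sublevel: it walks an `npm ls --json` tree, lists every copy of a package with the path that pulls it in, and checks each resolved version against the range string copied from the report. The dependency tree embedded in it is constructed for the example and its version numbers are illustrative, not the ones on this project's lockfile; the range grammar it understands is only the `>=`/`<` comparator sets joined by `||` that npm audit prints, not full semver.

```javascript
// Added example (not from the page or from level-sublevel): find every copy of a
// package in an `npm ls --json` tree and test its resolved version against the
// patched ranges that `npm audit` reports.

// Parse "1.2.3" (a leading "v" or a -prerelease/+build suffix is tolerated) into [1, 2, 3].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate a range in the shape npm audit prints, e.g. ">=0.9.5 <1.0.0 || >=1.0.1":
// comparator sets joined by "||"; within a set every comparator must hold.
function satisfies(version, range) {
  const ops = {
    '>=': (c) => c >= 0, '>': (c) => c > 0,
    '<=': (c) => c <= 0, '<': (c) => c < 0, '=': (c) => c === 0,
  };
  return range.split('||').some((set) =>
    set.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?\s*(.+)$/.exec(cmp);
      if (!m) throw new Error(`bad comparator: ${cmp}`);
      return ops[m[1] || '='](compareVersions(version, m[2]));
    }));
}

// Walk an `npm ls --json` tree and return every occurrence of `name`
// together with the dependency path that pulls it in.
function findPackage(tree, name, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [dep, info] of Object.entries(deps)) {
    const here = [...path, dep];
    if (dep === name && info.version) {
      out.push({ path: here.join(' > '), version: info.version });
    }
    findPackage(info, name, here, out);
  }
  return out;
}

// Flag each copy of `name` whose resolved version lies outside `patchedRange`.
function auditPackage(tree, name, patchedRange) {
  return findPackage(tree, name).map((hit) => ({
    ...hit,
    vulnerable: !satisfies(hit.version, patchedRange),
  }));
}

// Constructed sample tree mirroring the path in the audit report.
// Version numbers are illustrative, not taken from any real lockfile.
const SAMPLE_TREE = {
  name: 'example-app',
  dependencies: {
    'level-sublevel': {
      version: '6.6.1',
      dependencies: {
        levelup: {
          version: '0.19.1',
          dependencies: { bl: { version: '0.8.2' } },
        },
      },
    },
    bl: { version: '1.2.2' }, // a direct, already-patched copy of the same package
  },
};

// Patched range exactly as printed in the audit output above.
const BL_PATCHED = '>=0.9.5 <1.0.0 || >=1.0.1';

if (typeof require !== 'undefined' && require.main === module) {
  // Save `npm ls --json` output (add --all on npm 7+) to a file and pass its path
  // as the first argument to check a real tree; with no argument the sample is used.
  const fs = require('fs');
  const tree = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_TREE;
  for (const hit of auditPackage(tree, 'bl', BL_PATCHED)) {
    const tag = hit.vulnerable ? 'VULNERABLE' : 'ok        ';
    console.log(`${tag} bl@${hit.version}  via ${hit.path}`);
  }
}
```

Note that the check answers only "which version is installed, and is it inside the patched range"; whether the code path that the advisory describes is reachable through level-sublevel is a separate question, which is the point the maintainer makes below.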
@dominictarr
Owner

It depends on some stuff in an old version of level, which pulls in bl at an old version. I don't think it would actually be possible to exploit this vulnerability via level-sublevel, and doing the work to update (with tests passing) just to make a warning disappear isn't worth it (since I'm not writing new code that uses level-sublevel anymore), but if you care to make a PR I'd be happy to merge it.

@aral

aral commented May 26, 2018

@dominictarr Just out of curiosity, what are you using these days for the same functionality without level-sublevel as a dependency? :)

@aral

aral commented May 26, 2018

Answering my own question from the previous comment: https://github.com/flumedb/

(See Level/community#14 (comment))

@dominictarr
Owner

tl;dr is that flume is more flexible with respect to the index designs that can be used, and (also very important) it has much better support for upgrading indexes. For example, if you change the encoding used in an index, you just bump the index version, and it automatically regenerates the index at startup.

@mkj28

mkj28 commented Jun 2, 2018

@dominictarr thanks for the writeup!

but we also got hit by this on vulnerability scans

@dominictarr
Owner

as I said, I'd be happy to merge a PR that fixes this, but fixing this myself isn't worth my time just to remove a false positive from some security scan thing.
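For anyone in the same position as mkj28 (a scanner flagging a transitive copy of bl that the upstream maintainer is not going to update), the dependency can be pinned from the consuming project instead of waiting for a PR here. The fragment below is an added example, not part of this issue or of level-sublevel: it uses the `overrides` field that npm added in 8.3 (well after this thread) and the equivalent Yarn `resolutions` field, both of which force the resolved version of a nested dependency. The version `1.2.2` is chosen only because it lies in the `>=1.0.1` patched range from the report; it is an assumption that this version is API-compatible with the old levelup that level-sublevel pulls in, so run that project's tests after pinning.

```json
{
  "name": "example-app",
  "dependencies": {
    "level-sublevel": "^6.6.1"
  },
  "overrides": {
    "level-sublevel": {
      "levelup": {
        "bl": "1.2.2"
      }
    }
  },
  "resolutions": {
    "level-sublevel/levelup/bl": "1.2.2"
  }
}
```

After changing the file, regenerate the lockfile (`npm install` or `yarn install`) and rerun `npm audit` (or `yarn audit`); the report should no longer list the `level-sublevel > levelup > bl` path. Keep only the field for the package manager the project actually uses; the two are shown together here for comparison.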


4 participants