Some vulnerabilities in dependency of jpush-async #58

Closed
jackywxd opened this issue Feb 2, 2019 · 5 comments
Comments

@jackywxd
Contributor

jackywxd commented Feb 2, 2019

Some dependencies of jpush-async need to be updated to fix security vulnerabilities. Please see below the output of 'npm audit' in a project which is using jpush-async. So basically the packages request and debug need to be updated to the latest version.

Thanks!
Jacky

=== npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jpush-async │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jpush-async > request > hawk > boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jpush-async │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jpush-async > request > hawk > cryptiles > boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jpush-async │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jpush-async > request > hawk > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jpush-async │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jpush-async > request > hawk > sntp > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Memory Exposure │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tunnel-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.6.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jpush-async │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jpush-async > request > tunnel-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/598
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >= 2.6.9 < 3.0.0 || >= 3.1.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jpush-async │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jpush-async > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534
└───────────────┴──────────────────────────────────────────────────────────────┘
found 6 vulnerabilities (1 low, 5 moderate) in 32897 scanned packages
6 vulnerabilities require manual review. See the full report for details.
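The four hoek entries in the report above all point at advisory 566, prototype pollution in hoek's deep-merge helpers. As an added illustration, not hoek's or jpush-async's code and not part of this thread, here is a recursive merge of the kind that advisory describes next to a hardened one. The function names, the `FORBIDDEN_KEYS` list and the JSON payload are constructed for the example:

```javascript
// Added example (not hoek's or jpush-async's code): a recursive merge in the
// style hoek's merge()/applyToDefaults() had before the fix in advisory 566,
// beside a hardened variant. Function names and the payload are constructed.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: every own key of `source` is written into `target`, recursing
// into nested objects. JSON.parse creates an own property literally named
// "__proto__", so target["__proto__"] resolves to Object.prototype and the
// recursion writes the attacker's fields onto it, for every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that can reach the prototype chain from a plain object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: drop prototype-reaching keys and only recurse into objects the
// target actually owns, never into one it merely inherits.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body handed to a merge.
const HOSTILE_JSON = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Returns true if merging the payload made an unrelated, pre-existing object
// report isAdmin. The finally block undoes any pollution so the process stays sane.
function pollutionLeaks(mergeFn) {
  const probe = {}; // created before the merge and never written to
  try {
    mergeFn({}, JSON.parse(HOSTILE_JSON));
    return probe.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

function demo() {
  return { unsafe: pollutionLeaks(unsafeMerge), safe: pollutionLeaks(safeMerge) };
}

console.log(demo()); // → { unsafe: true, safe: false }
```

The point for a dependent such as jpush-async is that the merge sits several levels down (request > hawk > boom > hoek), so any request option or header an application builds from user input is the attack surface even though the application never calls hoek itself. Key filtering as above is the library-side fix; on the application side, building lookup objects with `Object.create(null)` or starting Node with `--disable-proto=delete` limits the blast radius if a polluting merge slips through.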

@ghost

ghost commented Feb 13, 2019

Just for jpush-async, it makes sense, since the version is high originally.
Because I am not a pro on Node.js, can you please file a pull request for it?

@ghost

ghost commented Feb 20, 2019

Have you ever tested this?

@jackywxd
Contributor Author

Yes, all tests passed.

jpush-async@4.0.1 test /Users/jackywu/Projects/jpush-api-nodejs-client
mocha -t 50000 --reporter spec

(node:64049) [DEP0006] DeprecationWarning: child_process: options.customFds option is deprecated. Use options.stdio instead.

PushPayload test
✓ platform test1
✓ platform test2
✓ platform test3
✓ audience test1
✓ audience test2
✓ audience test2
✓ message test1
✓ message test2
✓ options test1
✓ notification test1
✓ notification test2
✓ notification test3
✓ ios length validate fail test
✓ ios length validate success test
✓ ios length validate fail1 test
✓ ios length validate fail2 test
✓ ios length validate success test

Push test
✓ Alert all test (1008ms)
◦ Push platform test1: got resultwww,tag1,tag2
✓ Push platform test1 (607ms)
✓ Push platform test2 (605ms)
✓ Push tags test (629ms)
✓ Push tags more test (609ms)
◦ Push alias test: got result[object Object]
✓ Push alias test (620ms)
◦ Push alias more test: got result[object Object]
✓ Push alias more test (667ms)
◦ Push tag_and test: got resultasdasdasdtag4,www,tag1,tag2
✓ Push tag_and test (632ms)
✓ Push registration_id test (731ms)
✓ Push registration_id more test (828ms)
✓ Push android (845ms)
✓ Push android full (775ms)
✓ Push message test (611ms)
✓ Push message test2 (578ms)
✓ Push notification and message (575ms)
✓ Options test1 (572ms)
✓ validate test1 (573ms)

34 passing (12s)

@jackywxd
Contributor Author

After upgrading the versions of the dependencies, below is the "npm audit" report.

=== npm audit security report ===

Run npm install --save-dev mocha@6.0.0 to resolve 2 vulnerabilities

SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ mocha > glob > minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/118
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Command Injection │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ growl │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ mocha > growl │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/146
└───────────────┴──────────────────────────────────────────────────────────────┘

found 2 vulnerabilities (1 high, 1 critical) in 575 scanned packages
2 vulnerabilities require semver-major dependency updates.

So there are still two vulnerabilities, but these are dev dependencies; I will leave it to your decision whether to fix them.
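The two reports in this thread differ in what a project should do with them: the first set sits under production dependencies (request, debug), the second only under mocha [dev]. As an added example, not part of jpush-async or of this thread, here is a small triage over `npm audit --json` that makes that split explicit and turns it into a CI decision. The report embedded below is a constructed sample in the npm 6 "advisories" shape (the `findings[].dev` flag marks paths that exist only through devDependencies); the advisory ids, package names, titles and severities are the ones reported above, the installed versions are invented, and the block-on-moderate policy is this example's choice, not npm's:

```javascript
// Added example (not jpush-async's code): a CI gate over `npm audit --json`
// that separates findings reachable only through devDependencies from those
// in production paths. SAMPLE_AUDIT is a constructed report in the npm 6
// "advisories" shape; versions are made up, ids/names/severities follow the
// thread. The policy (block on moderate or worse in production) is assumed.

const SAMPLE_AUDIT = {
  advisories: {
    '566': {
      id: 566, module_name: 'hoek', severity: 'moderate', title: 'Prototype pollution',
      findings: [
        { version: '2.16.3', paths: ['request>hawk>hoek', 'request>hawk>boom>hoek'], dev: false },
      ],
    },
    '598': {
      id: 598, module_name: 'tunnel-agent', severity: 'moderate', title: 'Memory Exposure',
      findings: [{ version: '0.4.3', paths: ['request>tunnel-agent'], dev: false }],
    },
    '534': {
      id: 534, module_name: 'debug', severity: 'low', title: 'Regular Expression Denial of Service',
      findings: [{ version: '2.6.8', paths: ['debug'], dev: false }],
    },
    '118': {
      id: 118, module_name: 'minimatch', severity: 'high', title: 'Regular Expression Denial of Service',
      findings: [{ version: '0.3.0', paths: ['mocha>glob>minimatch'], dev: true }],
    },
    '146': {
      id: 146, module_name: 'growl', severity: 'critical', title: 'Command Injection',
      findings: [{ version: '1.9.2', paths: ['mocha>growl'], dev: true }],
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Splits advisories into production vs dev-only and decides whether to block.
// An advisory with even one non-dev path counts as production; unknown
// severities are treated as critical so a new level cannot silently pass.
function triageAudit(report, { blockAtOrAbove = 'moderate' } = {}) {
  const threshold = SEVERITY_RANK[blockAtOrAbove];
  if (threshold === undefined) throw new Error(`unknown severity: ${blockAtOrAbove}`);
  const production = [];
  const devOnly = [];
  for (const adv of Object.values(report.advisories || {})) {
    const prodPaths = adv.findings.filter(f => !f.dev).flatMap(f => f.paths);
    const devPaths = adv.findings.filter(f => f.dev).flatMap(f => f.paths);
    const entry = { id: adv.id, module: adv.module_name, severity: adv.severity, title: adv.title };
    if (prodPaths.length > 0) production.push({ ...entry, paths: prodPaths });
    else devOnly.push({ ...entry, paths: devPaths });
  }
  const rank = s => (s in SEVERITY_RANK ? SEVERITY_RANK[s] : SEVERITY_RANK.critical);
  const blocking = production.filter(e => rank(e.severity) >= threshold);
  return { production, devOnly, blocking, pass: blocking.length === 0 };
}

// The direct dependencies whose bump would remove the production findings:
// the first segment of each production path.
function directUpgrades(triage) {
  const roots = triage.production.flatMap(e => e.paths.map(p => p.split('>')[0]));
  return [...new Set(roots)].sort();
}

function report(triage) {
  const lines = [];
  for (const e of triage.production) lines.push(`PROD ${e.severity.padEnd(8)} ${e.module}: ${e.paths.join(', ')}`);
  for (const e of triage.devOnly) lines.push(`DEV  ${e.severity.padEnd(8)} ${e.module}: ${e.paths.join(', ')}`);
  lines.push(`bump: ${directUpgrades(triage).join(' ')}`);
  lines.push(triage.pass ? 'PASS' : 'BLOCK');
  return lines.join('\n');
}

console.log(report(triageAudit(SAMPLE_AUDIT)));
```

Against a real tree, replace `SAMPLE_AUDIT` with `JSON.parse(fs.readFileSync('audit.json'))` after `npm audit --json > audit.json`; on npm 7 and later the top-level key is `vulnerabilities` (per package, with `isDirect`, `via` and `nodes`) rather than `advisories`, so the loader needs adapting. Two caveats a practitioner should keep in mind: "dev-only" is a prioritisation, not a dismissal, since growl's command injection runs in the developer's or CI environment, which is itself part of the supply chain; and the `dev` flag reflects how the audited project declares its dependencies, so the same jpush-async paths would show as production in a consumer that lists jpush-async under `dependencies`.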

@ghost

ghost commented Apr 22, 2019

Thank you for your hard work.

@ghost ghost closed this as completed Apr 22, 2019