
Current version of the levelup dependency for this project has a known security vulnerability #13

Open
jgw96 opened this issue Feb 23, 2018 · 12 comments


@jgw96

jgw96 commented Feb 23, 2018

A user opened an issue on our repo about the semver package having a security vulnerability ionic-team/stencil#568. After researching it we found that this was coming from a very old version of the levelup package that browserify-fs relies on.

@brettz9

brettz9 commented May 10, 2018

Is this something you expect you might have an ETA for a fix for or is the project abandoned?

@calvinmetcalf

So the actual issue is about updating levelup to version 2.0.0; a pull request doing so and making sure the tests pass would go a long way toward helping this get resolved.

@calvinmetcalf

Actually, I take it back: updating it to 0.19.1 would probably do the trick.

@oBusk

oBusk commented Jun 6, 2018

Updating levelup@0.19.1 will fix CVE-2015-8855 (patched in semver@>=4.3.2) but not Memory exposure in bl (patched in bl@>=0.9.5 <1.0.0 || >=1.0.1).

levelup@>=1.0.0 is without any issues.

@microshine

I've got the same security notification:

└─┬ rollup-plugin-node-builtins@2.1.2
  └─┬ browserify-fs@1.0.0
    └─┬ levelup@0.18.6
      └── semver@2.3.2

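The two comments above give everything needed to check a dependency tree by hand: the `npm ls`-style chain, and the patched version ranges (semver >=4.3.2 for CVE-2015-8855, bl >=0.9.5 <1.0.0 || >=1.0.1 for the memory exposure, and levelup >=1.0.0 for a clean chain). The following script is an added example, not code from this thread or from browserify-fs; it walks a constructed copy of the tree above (with one extra `bl` line added to exercise the second rule), compares each package against those ranges with a small range matcher that handles only plain x.y.z versions, and reports the full path of every package that sits outside its patched range. The `npm` `semver` package is deliberately not used so the script runs with no installs.

```javascript
// Added example (not part of the original issue thread).
// Flags packages in an `npm ls`-style tree whose version is outside the
// patched range quoted in the thread. Only plain x.y.z versions are handled.

// Constructed sample: the chain from the comment above, plus a bl@0.9.4 line
// added here so the second rule has something to match.
const SAMPLE_TREE = `└─┬ rollup-plugin-node-builtins@2.1.2
  └─┬ browserify-fs@1.0.0
    └─┬ levelup@0.18.6
      └── semver@2.3.2
      └── bl@0.9.4`;

// Patched ranges as stated in the thread (oBusk's comment).
const PATCHED_RANGES = {
  semver: '>=4.3.2',
  bl: '>=0.9.5 <1.0.0 || >=1.0.1',
  levelup: '>=1.0.0',
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// -1, 0 or 1, comparing major, minor, patch numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range matcher: `||` separates alternatives, whitespace joins
// comparators that must all hold (the same shape as the ranges above).
function satisfies(version, range) {
  return range.split('||').some((alternative) =>
    alternative.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '<': return c < 0;
        default: return c === 0;
      }
    }));
}

// Parses `name@x.y.z` entries and reconstructs each node's path from the
// indentation column, so findings can be traced back to the top-level package.
function parseNpmLsTree(text) {
  const stack = [];
  const nodes = [];
  for (const line of text.split('\n')) {
    const m = /(@?[^\s@]+)@(\d+\.\d+\.\d+)/.exec(line);
    if (!m) continue;
    const col = m.index;
    while (stack.length && stack[stack.length - 1].col >= col) stack.pop();
    stack.push({ col, label: `${m[1]}@${m[2]}` });
    nodes.push({ name: m[1], version: m[2], path: stack.map((s) => s.label).join(' > ') });
  }
  return nodes;
}

// Returns every node whose package has a rule and whose version fails it.
function findVulnerable(tree, rules = PATCHED_RANGES) {
  return parseNpmLsTree(tree)
    .filter((n) => rules[n.name] && !satisfies(n.version, rules[n.name]))
    .map((n) => ({ ...n, patched: rules[n.name] }));
}

for (const f of findVulnerable(SAMPLE_TREE)) {
  console.log(`${f.name}@${f.version} (patched in ${f.patched}): ${f.path}`);
}
```

Against the sample tree this reports levelup@0.18.6, semver@2.3.2 and the constructed bl@0.9.4, each with the chain back to rollup-plugin-node-builtins, which is what an `npm audit` style check needs in order to tell which direct dependency has to move. Swapping the tree text for real `npm ls` output works as long as the versions are plain x.y.z; prerelease or build tags are rejected rather than silently compared.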

@awmottaz

Any progress on this?

@mroderick

Ping @mafintosh: will you consider the #15 PR, so we can get the ball rolling on fixing the security warnings in people's repositories?

@mafintosh

mafintosh commented Nov 18, 2018 via email

@brettz9

brettz9 commented Nov 19, 2018

If it's just a question of pulling for this update and possibly any future such ones (at least clear-cut ones like this), I could sign on (brettz9 on npm as well).

@brettz9

brettz9 commented Nov 28, 2018

Another issue that someone can hopefully address is that the current version of the dependency level-filesystem (1.2.0) has an outdated dependency chain of level-sublevel (5.2.3) -> xtend (2.0.6) -> object-keys (version 0.2.0, a deprecated version); see mafintosh/level-filesystem#9.

@jdalrymple

Any updates with this?

@vladimyr

Ping @mafintosh: will you consider the #15 PR, so we can get the ball rolling on fixing the security warnings in people's repositories?

@mroderick I just made another PR (#24). The main differences compared to #15 are that it is ready and it does not require browser testing/karma; instead it uses a spec-compliant fake-indexeddb mock inside a node/jest environment. I did not upgrade any dependencies, but it can still be used as a solid base for future security fixes.

/cc @mafintosh
