dot-prop 4.2.0 still part of nodejs - security issue #1096
As this is my first ever try to dig into something like this, I am finding things out as I go. After installing LTS I am finding:
Trying to update this global package has zero effect.
Using the list command still shows dot-prop 4.2.0.
After some manual removal of the dot-prop module I got the scan to not see this as an issue anymore. However, this seems to be a needed module so when re-installing it globally I run into this issue:
I am misunderstanding how this works, I think. If there are some dependencies on this module, how can I ever get rid of it? Will it always be a security risk? Or, more likely, I am not understanding how this works.
Looking at the /usr/lib/node_modules/npm/node_modules/dot-prop/package.json file, this still specifies 4.2.0. Not sure why this is packaged with this version of nodejs?
Manually downloading 5.2.0 and unpacking it to /usr/lib/node_modules/npm/node_modules/dot-prop/package.json updated this from hell module, but who knows if that will work.
Ok, I ran:
It of course re-installs dot-prop 4.2.0. This MUST be a known issue?
@dominopetter unfortunately, this is not the place to solve this issue. We only take care of packaging the binaries and distributing them; this may be the right place.
I am going to apologize in advance if this is the wrong place to submit this issue.
Using Prisma Cloud to scan nodejs shows that module dot-prop is part of the LTS release. It specifically shows that CVE-2020-8116 - dot-prop version 4.2.0 is part of it. Now, a clean install of nodejs in a minimal docker image (For the purpose of troubleshooting this) is very confusing.
Scanning this for security issues (using twistcli from Palo Alto Networks) shows that it contains dot-prop, CVE-2020-8116 - dot-prop version 4.2.0.
Running a simple npm ls shows that this contains no modules, and even upgrading/installing dot-prop to the latest version has no effect.
Is there a version of dot-prop hiding inside the nodejs install somewhere or am I dealing with a false positive here?
Thanks
Petter