
2 Vulnerabilities Found: Prototype pollution attack #432

Closed
maevadevs opened this issue Apr 7, 2018 · 8 comments


@maevadevs maevadevs commented Apr 7, 2018

  • [✓] I have read the list of known issues before filing this issue.
  • [✓] I have searched for similar issues before filing this issue.
  • node version: v8.11.1
  • npm version: v5.8.0
  • npm-check-updates version: v2.14.1

  • Operating system/terminal environment: OSX 10.13.3 / Terminal & iTerm
  • Command you ran:
    • Install global nsp: npm i -g nsp
    • cd into the npm-check-updates module folder: cd [...]/.nvm/versions/node/v8.11.1/lib/node_modules/npm-check-updates
    • Run security check: nsp check

Expected behaviour

(+) No known vulnerabilities found

Actual behaviour

(+) 2 vulnerabilities found

screenshot

Prototype pollution attack
More Info │ https://nodesecurity.io/advisories/566

Steps to reproduce

  • Install global nsp: npm i -g nsp
  • cd into the npm-check-updates module folder: cd [...]/.nvm/versions/node/v8.11.1/lib/node_modules/npm-check-updates
  • Run security check: nsp check
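As an added illustration of the vulnerability class the advisory names, here is a minimal deep-merge that is vulnerable to prototype pollution beside a hardened variant and a pre-merge check. This is example code written for this thread; it is not code from npm-check-updates, from any of its dependencies, or from the nodesecurity.io advisory, and the page does not identify which dependency was flagged. The payload and the function names (unsafeMerge, safeMerge, hasPollutionKeys) are constructed for the example.

```javascript
// Added example: prototype pollution through a recursive merge.
// Not code from npm-check-updates or the linked advisory; the affected
// dependency is not named on the page. All names here are illustrative.

// Vulnerable: walks every enumerable key, including "__proto__". On a plain
// object, target["__proto__"] resolves to Object.prototype, so the recursion
// writes the attacker's keys onto the prototype that every object inherits.
function unsafeMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val && typeof val === 'object' &&
        target[key] && typeof target[key] === 'object') {
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Keys that reach the prototype chain and must never be merged from input.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skips the forbidden keys, only iterates own properties of the
// source, and only descends into own properties of the target so an inherited
// object (such as Object.prototype) is never used as a merge destination.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const ownExisting = Object.prototype.hasOwnProperty.call(target, key) &&
        target[key] && typeof target[key] === 'object' ? target[key] : {};
      target[key] = safeMerge(ownExisting, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Pre-merge check: true if untrusted parsed input contains a forbidden key
// at any depth. Useful as a guard in front of any third-party merge.
function hasPollutionKeys(obj) {
  if (!obj || typeof obj !== 'object') return false;
  for (const key of Object.keys(obj)) {
    if (FORBIDDEN.has(key)) return true;
    if (hasPollutionKeys(obj[key])) return true;
  }
  return false;
}

// Constructed attacker payload, shaped like JSON arriving from an untrusted
// source. JSON.parse creates "__proto__" as an ordinary own property, which is
// exactly what lets the vulnerable merge reach Object.prototype.
const PAYLOAD = JSON.parse('{"__proto__": {"isAdmin": true}}');

// Returns true if merging the payload polluted an unrelated object.
function demoUnsafe() {
  unsafeMerge({}, PAYLOAD);
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution for the rest of the run
  return polluted;
}

// Returns true if the hardened merge left unrelated objects untouched.
function demoSafe() {
  safeMerge({}, PAYLOAD);
  return ({}).isAdmin === undefined;
}
```

Running demoUnsafe() shows the effect the advisory title describes: after the merge, a freshly created object reports isAdmin as true without anyone having set it, which is how a pollution primitive turns into an authorization bypass or a crash elsewhere in a process. The hardened merge and the hasPollutionKeys guard are two independent defenses; using Object.create(null) for containers that hold untrusted keys is a third.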

@jkawamoto jkawamoto commented May 16, 2018

npm audit reported 80 vulnerabilities with npm-check-updates v2.14.2 for me.

This is the output: audit.txt


@NetOpWibby NetOpWibby commented Jun 15, 2018

I ran ncu -a on this repo and installed modules. Only three vulnerabilities came back and they were low priority. Why are the packages this repo uses so far out of date?

@raineorshine raineorshine (Owner) commented Jun 15, 2018

@NetOperatorWibby I have had to focus on other projects recently. Unfortunately nobody else has contributed in a long time. ncu has a lot of users, so hopefully someone will step up. It would help a lot of people.


@NetOpWibby NetOpWibby commented Jun 15, 2018

@raineorshine I'm currently working on a fork and refactoring.

@raineorshine raineorshine (Owner) commented Jun 15, 2018

@NetOperatorWibby Wonderful. It would be so great to incorporate your changes back into the source.


@NetOpWibby NetOpWibby commented Jun 16, 2018

@raineorshine Seems like people have been trying to help via PRs but nothing's merged.

@raineorshine raineorshine (Owner) commented Jun 17, 2018

@NetOperatorWibby A few PRs over the last 3 years. The unmerged PRs are either waiting for the v3 milestone or needed additional work.


@NetOpWibby NetOpWibby commented Jul 9, 2018

I've abandoned my fork and started using https://www.npmjs.com/package/updates. It has fewer dependencies and similar usage. Still, npm-check-updates has served me well in the past, thanks for working on it.
