Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

2 Vulnerabilities Found: Prototype pollution attack #432

Closed
maevadevs opened this issue Apr 7, 2018 · 8 comments
Closed

2 Vulnerabilities Found: Prototype pollution attack #432

maevadevs opened this issue Apr 7, 2018 · 8 comments
Labels
bug
Milestone
v3

Comments

@maevadevs
Copy link

  • [✓] I have read the list of known issues before filing this issue.
  • [✓] I have searched for similiar issues before filing this issue.
  • node version: v8.11.1
  • npm version: v5.8.0
  • npm-check-updates version: v2.14.1
  • Operating system/terminal environment: OSX 10.13.3 / Terminal & iTerm
  • Command you ran:
    • Install global nsp: npm i -g nsp
    • cd into the npm-check-updates module folder: cd [...]/.nvm/versions/node/v8.11.1/lib/node_modules/npm-check-updates
    • Run security check: nsp check

Expected behaviour

(+) No known vulnerabilities found

Actual behaviour

(+) 2 vulnerabilities found

screenshot

Prototype pollution attack
More Info │ https://nodesecurity.io/advisories/566

Steps to reproduce

  • Install global nsp: npm i -g nsp
  • cd into the npm-check-updates module folder: cd [...]/.nvm/versions/node/v8.11.1/lib/node_modules/npm-check-updates
  • Run security check: nsp check
@jkawamoto
Copy link

npm audit reported 80 vulnerabilities with npm-check-updates v2.14.2 for me.

This is the output: audit.txt

@NetOpWibby
Copy link

I ran ncu -a on this repo and installed modules. Only three vulnerabilities came back and they were low priority. Why are the packages this repo uses so far out of date?

@raineorshine
Copy link
Owner

@NetOperatorWibby I have had to focus on other projects recently. Unfortunately nobody else has contributed in a long time. ncu has a lot of users, so hopefully someone will step up. It would help a lot of people.

@NetOpWibby
Copy link

@raineorshine I'm currently working on a fork and refactoring.

@raineorshine
Copy link
Owner

@NetOperatorWibby Wonderful. It would be so great to incorporate your changes back into the source.

@NetOpWibby
Copy link

@raineorshine Seems like people have been trying to help via PRs but nothing's merged.

@raineorshine
Copy link
Owner

@NetOperatorWibby A few PR's over the last 3 years. The unmerged PR's are either waiting for the v3 milestone or needed additional work.

@NetOpWibby
Copy link

I've abandoned my fork and started using https://www.npmjs.com/package/updates. It has less dependencies and similar usage. Still, npm-check-updates has served me well in the past, thanks for working on it.

@raineorshine raineorshine mentioned this issue Sep 23, 2018
Closed
2 tasks
@raineorshine raineorshine added this to the 3.0.0 milestone Jan 28, 2019
@mationai mationai mentioned this issue Mar 2, 2019
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
v3
Development

No branches or pull requests
4 participants
@raineorshine @NetOpWibby @jkawamoto @maevadevs