-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: Bump fast-check to version 3 #3301
Conversation
Next target will be to leverage fast-check to detect some potential prototype poisoning in the exposed APIs before they turn into CVEs. |
The version 3 of fast-check added something very interesting for libraries such as ramda: it can more likely produce values such as `__proto__` or `toString` which are known sources for CVE. On fast-check's side, I also worked on some tooling making poisoning related issues even simpler to detect with an automatic detection for poisoning on globals. I successfully found back several past CVEs of lodash thanks to it.
@kedashoe I just updated this PR. I believe it can be useful for the project to rely on the latest version of fast-check in order to benefit from all the improvements brought by v3. It includes prototype poisoning related detection which is something that can easily strike projects such as ramda. |
Coverage Summary> ramda@0.30.0 coverage:summary
> BABEL_ENV=cjs nyc --reporter=text-summary mocha -- --reporter=min --require @babel/register
�[2J�[1;3H
1192 passing (911ms)
=============================== Coverage summary ===============================
Statements : 94.06% ( 2486/2643 )
Branches : 85.76% ( 970/1131 )
Functions : 93.28% ( 555/595 )
Lines : 94.34% ( 2332/2472 )
================================================================================ |
NOTE: I'm currently working on a version 4 of fast-check. It should not come with many breaking changes but still always to be closer to the latest release to simplify future bumps. |
ty @dubzzz sorry for missing this the first time |
No worry, I pinged you back so that it got merged. It was neither critical, nor urgent 😂 |
The version 3 of fast-check added something very interesting for libraries such as ramda: it can more likely produce values such as
__proto__
ortoString
which are known sources for CVE.On fast-check's side, I also worked on some tooling making poisoning related issues even simpler to detect with an automatic detection for poisoning on globals. I successfully found back several past CVEs of lodash thanks to it.