
Conversation

@hairyhenderson
Contributor

Recently there've been a few security vulnerabilities discovered in dependencies of engine.io (such as #401 and #410, among others).

This PR adds an nsp check to the test process, such that when the gulp test command is run, engine.io's dependencies are scanned for vulnerabilities by nsp.

This way, the build will fail immediately when there's a vulnerable dependency, making it obvious that the dependency's version needs updating.

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

Signed-off-by: Dave Henderson <dhenderson@gmail.com>
@hairyhenderson
Contributor Author

So, that travis failure is kind of a good indication that this is working 😉

[18:47:37] Using gulpfile ~/build/socketio/engine.io/gulpfile.js
[18:47:37] Starting 'nsp'...
[18:47:37] 'nsp' errored after 225 ms
[18:47:37] Error in plugin 'gulp-nsp'
Message:
    (+) 1 vulnerabilities found
┌───────────────┬───────────────────────────────────────────────────────┐
│               │ DoS due to excessively large websocket message        │
├───────────────┼───────────────────────────────────────────────────────┤
│ Name          │ ws                                                    │
├───────────────┼───────────────────────────────────────────────────────┤
│ Installed     │ 1.1.0                                                 │
├───────────────┼───────────────────────────────────────────────────────┤
│ Vulnerable    │ <=1.1.0                                               │
├───────────────┼───────────────────────────────────────────────────────┤
│ Patched       │ >=1.1.1                                               │
├───────────────┼───────────────────────────────────────────────────────┤
│ Path          │ engine.io@1.6.11 > ws@1.1.0                           │
├───────────────┼───────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/120                │
└───────────────┴───────────────────────────────────────────────────────┘

Guess I'll update the ws dep here too so this passes...
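As an added illustration (not code from this PR or from the engine.io project), the following script models what the nsp step in the gulp test task does when it fails the build above: walk the installed dependency tree, match each package's version against an advisory's vulnerable range, and report findings in the same fields nsp prints (Name, Installed, Vulnerable, Patched, Path). The advisory list and the dependency tree are constructed for the example; the ws entry mirrors the advisory shown in the Travis output, the `example-lib` entry is invented to show a non-matching case, and the range parser is a deliberately small subset of semver (simple comparators, space for AND, `||` for OR), not the library nsp uses.

```javascript
// Added example, not engine.io's code: a minimal model of a dependency
// audit step such as the nsp check wired into `gulp test`.

// Parse "1.1.0" into [1, 1, 0] for numeric comparison.
function parseVersion(v) {
  return v.split('.').map(function (n) { return parseInt(n, 10); });
}

// Return -1, 0 or 1 when comparing two dotted versions numerically.
function compareVersions(a, b) {
  var pa = parseVersion(a), pb = parseVersion(b);
  for (var i = 0; i < Math.max(pa.length, pb.length); i++) {
    var x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Evaluate one comparator such as "<=1.1.0" against a version.
function satisfiesComparator(version, comparator) {
  var m = /^(<=|>=|<|>|=)?\s*(\d+(?:\.\d+)*)$/.exec(comparator.trim());
  if (!m) throw new Error('unsupported comparator: ' + comparator);
  var op = m[1] || '=', cmp = compareVersions(version, m[2]);
  switch (op) {
    case '<':  return cmp < 0;
    case '<=': return cmp <= 0;
    case '>':  return cmp > 0;
    case '>=': return cmp >= 0;
    default:   return cmp === 0;
  }
}

// A range is "||"-separated alternatives, each a space-separated AND of
// comparators, e.g. "<1.0.2 || >=1.1.0 <=1.1.0" (simplified semver subset).
function satisfiesRange(version, range) {
  return range.split('||').some(function (alt) {
    return alt.trim().split(/\s+/).every(function (c) {
      return satisfiesComparator(version, c);
    });
  });
}

// Constructed advisory list. The ws entry matches the nsp output in this
// thread; the example-lib entry is invented so a non-matching case is shown.
var ADVISORIES = [
  { name: 'ws', vulnerable: '<=1.1.0', patched: '>=1.1.1',
    title: 'DoS due to excessively large websocket message',
    info: 'https://nodesecurity.io/advisories/120' },
  { name: 'example-lib', vulnerable: '<0.5.0', patched: '>=0.5.0',
    title: 'constructed advisory for illustration', info: 'n/a' }
];

// Constructed dependency tree: { name, version, dependencies: [...] }.
var TREE = {
  name: 'engine.io', version: '1.6.11', dependencies: [
    { name: 'ws', version: '1.1.0', dependencies: [] },
    { name: 'example-lib', version: '0.7.2', dependencies: [] }
  ]
};

// Walk the tree and collect every installed package whose version falls
// inside an advisory's vulnerable range, recording the path to it.
function scanTree(tree, advisories, path, findings) {
  path = (path || []).concat(tree.name + '@' + tree.version);
  findings = findings || [];
  advisories.forEach(function (adv) {
    if (adv.name === tree.name && satisfiesRange(tree.version, adv.vulnerable)) {
      findings.push({ title: adv.title, name: adv.name, installed: tree.version,
        vulnerable: adv.vulnerable, patched: adv.patched,
        path: path.join(' > '), info: adv.info });
    }
  });
  (tree.dependencies || []).forEach(function (dep) {
    scanTree(dep, advisories, path, findings);
  });
  return findings;
}

// The build rule: zero findings passes, any finding fails the task
// (gulp-nsp surfaces this as a plugin error, as in the Travis log).
function buildPasses(findings) {
  return findings.length === 0;
}

var findings = scanTree(TREE, ADVISORIES);
findings.forEach(function (f) {
  console.log('(+) ' + f.title + ': ' + f.name + '@' + f.installed +
    ' (vulnerable ' + f.vulnerable + ', patched ' + f.patched + ') path: ' + f.path);
});
console.log(buildPasses(findings) ? 'nsp check passed' : 'nsp check failed');
```

Running it reports the single ws finding with the path `engine.io@1.6.11 > ws@1.1.0` and a failed check; bumping ws to 1.1.1 in the tree, which is what the follow-up commit in this PR does to the real dependency, makes the same scan pass.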

Signed-off-by: Dave Henderson <dhenderson@gmail.com>
@darrachequesne darrachequesne merged commit 5301695 into socketio:master Aug 4, 2016
@darrachequesne
Member

Thanks!

@hairyhenderson hairyhenderson deleted the add-nsp-check-to-build branch August 5, 2016 11:51
@darrachequesne darrachequesne added this to the 1.7.0 milestone Oct 20, 2016
darrachequesne pushed a commit that referenced this pull request May 8, 2020