
Vulnerability in transitive dependency underscore.string #5152

Closed
nulltoken opened this issue Feb 2, 2019 · 3 comments

Comments

@nulltoken

commented Feb 2, 2019

Using latest version

{
  "name": "test",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "dependencies": {
    "swagger-ui": "^3.20.6"
  }
}

Audit reports

$ yarn audit
yarn audit v1.12.3
+------------------------------------------------------------------------------+
¦ moderate      ¦ Regular Expression Denial of Service                         ¦
+---------------+--------------------------------------------------------------¦
¦ Package       ¦ underscore.string                                            ¦
+---------------+--------------------------------------------------------------¦
¦ Patched in    ¦ >=3.3.5                                                      ¦
+---------------+--------------------------------------------------------------¦
¦ Dependency of ¦ swagger-ui                                                   ¦
+---------------+--------------------------------------------------------------¦
¦ Path          ¦ swagger-ui > remarkable > argparse > underscore.string       ¦
+---------------+--------------------------------------------------------------¦
¦ More info     ¦ https://nodesecurity.io/advisories/745                       ¦
+------------------------------------------------------------------------------+
1 vulnerabilities found - Packages audited: 319
Severity: 1 Moderate
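The audit output above reports a transitive path (swagger-ui > remarkable > argparse > underscore.string) and a "Patched in" threshold (>=3.3.5). The following is an added example, not code from the issue or from the swagger-ui project, showing how to reproduce that check yourself against a resolved dependency tree: walk the tree, collect every path that reaches the flagged package, and compare each resolved version against the patched-in range. The tree is a constructed sample that mirrors the reported path; the versions of remarkable, argparse and underscore.string in it are made up for illustration, and the range parser only handles the ">=X.Y.Z" form that appears in the audit table.

```javascript
// Added example: locate a transitive dependency and check it against a
// "Patched in" range such as ">=3.3.5". Not part of swagger-ui.

// Constructed sample tree mirroring the audit path in the issue:
// swagger-ui > remarkable > argparse > underscore.string.
// All versions except swagger-ui's are made up for illustration.
const SAMPLE_TREE = {
  name: 'test',
  version: '1.0.0',
  dependencies: {
    'swagger-ui': {
      version: '3.20.6',
      dependencies: {
        remarkable: {
          version: '1.7.1', // constructed
          dependencies: {
            argparse: {
              version: '1.0.10', // constructed
              dependencies: {
                // constructed: one patch level below the advisory threshold
                'underscore.string': { version: '3.3.4', dependencies: {} },
              },
            },
          },
        },
      },
    },
  },
};

// Split "MAJOR.MINOR.PATCH" into numbers; a pre-release suffix is dropped,
// which is sufficient for comparing against a ">=X.Y.Z" threshold.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// Numeric comparison, so 3.10.0 correctly sorts above 3.3.5.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Supports only the ">=X.Y.Z" form used by the audit table's "Patched in" row.
function isPatched(version, patchedIn) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(patchedIn.trim());
  if (!m) throw new Error(`unsupported range: ${patchedIn}`);
  return compareVersions(version, m[1]) >= 0;
}

// Depth-first walk returning every occurrence of `target` with its path.
function findPackage(tree, target) {
  const hits = [];
  function walk(node, path) {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const next = path.concat(name);
      if (name === target) hits.push({ path: next, version: child.version });
      walk(child, next);
    }
  }
  walk(tree, []);
  return hits;
}

// Produce one row per occurrence, in the same shape as the audit report's
// "Path" line, with a patched/vulnerable verdict.
function auditTransitive(tree, target, patchedIn) {
  return findPackage(tree, target).map((hit) => ({
    path: hit.path.join(' > '),
    version: hit.version,
    patched: isPatched(hit.version, patchedIn),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditTransitive(SAMPLE_TREE, 'underscore.string', '>=3.3.5')) {
    console.log(`${r.path}  ${r.version}  ${r.patched ? 'patched' : 'VULNERABLE'}`);
  }
}

if (typeof module !== 'undefined') {
  module.exports = { SAMPLE_TREE, compareVersions, isPatched, findPackage, auditTransitive };
}
```

On a real project the tree would come from `npm ls --json` or from parsing the lockfile rather than from a literal; the walk and the range check are the same. Because the check reports every path, it also shows when a package is reachable through more than one parent, which an upgrade of a single direct dependency may not fix.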
@shockey

Member

commented Feb 7, 2019

@nulltoken, as always thanks for filing an issue!

I'm deprioritizing this based on upstream analysis (that I agree with) that this is not a realistic security concern:

Unless you are planning on attacking yourself by entering a 100k string in the terminal while running the CLI, this is not even remotely a vulnerability or security concern for remarkable.

This means that if you pass a long string (50k characters?), that might look like a date, to the remarkable cli, your experience might be degraded by about 2 seconds.

jonschlinkert/remarkable#312 (comment)

Further, for us: argparse is used in Remarkable's CLI, which is not used in Swagger UI at all. There's simply no way that this "vulnerability" could cause problems for us here.

@Racer159


commented Aug 1, 2019

Just FYI, but upstream remarkable closed their issue related to this as of 10 days ago. Not too big of a deal (given the low risk of this vuln), but just wanted to make sure y'all were aware so that hopefully NPM audit can finally be happy again.

jonschlinkert/remarkable#310

@shockey

Member

commented Aug 2, 2019

Indeed @Racer159, this is resolved, we grabbed the new Remarkable version in #5509.

Closing!

@shockey shockey closed this Aug 2, 2019
