2 Vulnerabilities Found: Prototype pollution attack #432

Open
maevadevs opened this Issue Apr 7, 2018 · 8 comments

maevadevs commented Apr 7, 2018

  • [✓] I have read the list of known issues before filing this issue.
  • [✓] I have searched for similar issues before filing this issue.
  • node version: v8.11.1
  • npm version: v5.8.0
  • npm-check-updates version: v2.14.1
  • Operating system/terminal environment: OSX 10.13.3 / Terminal & iTerm
  • Command you ran:
    • Install global nsp: npm i -g nsp
    • cd into the npm-check-updates module folder: cd [...]/.nvm/versions/node/v8.11.1/lib/node_modules/npm-check-updates
    • Run security check: nsp check

Expected behaviour

(+) No known vulnerabilities found

Actual behaviour

(+) 2 vulnerabilities found

[screenshot of the nsp check output; the relevant lines follow]

Prototype pollution attack
More Info │ https://nodesecurity.io/advisories/566

Steps to reproduce

  • Install global nsp: npm i -g nsp
  • cd into the npm-check-updates module folder: cd [...]/.nvm/versions/node/v8.11.1/lib/node_modules/npm-check-updates
  • Run security check: nsp check
jkawamoto commented May 16, 2018

npm audit reported 80 vulnerabilities with npm-check-updates v2.14.2 for me.

This is the output: audit.txt

NetOperatorWibby commented Jun 15, 2018

I ran ncu -a on this repo and installed modules. Only three vulnerabilities came back and they were low priority. Why are the packages this repo uses so far out of date?

raineorshine (Collaborator) commented Jun 15, 2018

@NetOperatorWibby I have had to focus on other projects recently. Unfortunately nobody else has contributed in a long time. ncu has a lot of users, so hopefully someone will step up. It would help a lot of people.

NetOperatorWibby commented Jun 15, 2018

@raineorshine I'm currently working on a fork and refactoring.

raineorshine (Collaborator) commented Jun 15, 2018

@NetOperatorWibby Wonderful. It would be so great to incorporate your changes back into the source.

NetOperatorWibby commented Jun 16, 2018

@raineorshine Seems like people have been trying to help via PRs but nothing's merged.

raineorshine (Collaborator) commented Jun 17, 2018

@NetOperatorWibby A few PRs over the last 3 years. The unmerged PRs are either waiting for the v3 milestone or needed additional work.

NetOperatorWibby commented Jul 9, 2018

I've abandoned my fork and started using https://www.npmjs.com/package/updates. It has fewer dependencies and similar usage. Still, npm-check-updates has served me well in the past, thanks for working on it.
