
found 1 high severity vulnerability: decompress #271

Closed
jamer007 opened this issue Feb 26, 2020 · 5 comments · Fixed by #274

@jamer007

Versions

  • NodeJS: 12.13.1
  • mongodb-memory-server-*: 6.2.4
  • mongodb: 6.2.2
  • system: MacOS

package: mongo-memory-server-core

What is the Problem?

The decompress package is flagged as a high severity vulnerability:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mongodb-memory-server [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mongodb-memory-server > mongodb-memory-server-core >         │
│               │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
jamer007 added the bug label Feb 26, 2020

@hasezoey
Member

decompress hasn't had an update since 2017, and I only found one alternative, tar-stream.

@nodkz should we switch to that instead of decompress?

@nodkz
Collaborator

nodkz commented Feb 27, 2020

Sure!!!

If somebody can send a PR, that would be nice! I'm on a business trip right now and can only do it myself next week!

@hasezoey
Member

hasezoey commented Feb 27, 2020

@nodkz I will probably try it after the logging change gets merged, to be able to debug it better (#270).

@carnun

carnun commented Mar 17, 2020

Any chance to get the PR merged in? I see there are some conflicts that are still unresolved.

@nodkz
Collaborator

nodkz commented Mar 19, 2020

Fixed in 6.4.1
Thanks to @jeroen-plug
