
cryptiles vulnerability found for versions < 4.1.2

Open marcosfede opened this issue 6 years ago • 2 comments

Serverless-offline-python installs the cryptiles package (a hapi dependency) with a known vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2018-1000620

marcosfede, Feb 25 '19 12:02

I am also experiencing the same issue. Running npm audit lists these vulnerabilities. Trying to run npm audit fix provides an error indicating these vulnerabilities cannot be fixed automatically.

To elaborate, the reason for this is that the current hapi package has been moved/deprecated and is not receiving critical updates to address these vulnerabilities. The newer version of the hapi package lives at a different address and, I believe, has resolved these security vulnerabilities.

I recommend updating the hapi dependency in the package.json to point to the location of the new package (@hapi/hapi).

Robospecta, Feb 03 '20 02:02

Have opened a pull request for this #17.

Robospecta, Feb 03 '20 03:02