node.flow
Fix security issue https://npmjs.com/advisories/781
Should fix this, which just popped up today.
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node.extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.1.7 <2.0.0 || >= 2.0.1                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ rmdir-promise                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ rmdir-promise > rmdir > node.flow > node.extend              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/781                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
I spent time making sure this would be the least impactful fix to the problem. @ljharb any help here?
This security issue remains despite the approval for changes. Any way this can be merged? @garyyeap @ljharb @jacksctsai @ben-lin ?
@nullivex you'll note that the gray check means i'm not a collaborator, so pinging me isn't going to help :-)
My apologies, I'll leave you out of it. Initially I saw you on the Organization and thought that you may be able to contact someone with publishing privileges. It's a shame to see this vulnerability persist over incorrect usage of the package.json file.
Any update on this merge?
To be clear, while this is a good change (everything should always prefer using ^ ranges), it's also unnecessary, because like almost every prototype pollution CVE, this one is a false positive.
rmdirr is only used here: https://github.com/dreamerslab/node.flow/blob/dcf58ba72e3de1f97f786b44e6b938fd96b299d4/examples/node.packer/run.js#L56 and target_dir is https://github.com/dreamerslab/node.flow/blob/dcf58ba72e3de1f97f786b44e6b938fd96b299d4/examples/node.packer/run.js#L17, which is hardcoded. Thus, the vulnerability is utterly impossible - you can't even attack yourself.
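Added example (not code from node.flow or from this PR): a minimal semver range checker that reads the advisory's "Patched in" range from the audit table above and expands a caret range like the ^ ranges recommended in the last comment, so a reader can see which resolved node.extend versions the fix admits. It supports only the comparator subset used here (no prerelease tags or tilde ranges), and the version strings checked are constructed.

```javascript
// Added example, not from node.flow or the PR: minimal semver range handling.
// Only the syntax used in the advisory is supported (no prerelease tags, no ~).

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Expand a caret range into its comparator pair, e.g. ^1.1.7 -> ">=1.1.7 <2.0.0".
// Caret keeps the leftmost non-zero component fixed, so ^0.2.3 -> ">=0.2.3 <0.3.0".
function expandCaret(spec) {
  const [major, minor, patch] = parseVersion(spec.slice(1));
  let upper;
  if (major > 0) upper = [major + 1, 0, 0];
  else if (minor > 0) upper = [0, minor + 1, 0];
  else upper = [0, 0, patch + 1];
  return `>=${major}.${minor}.${patch} <${upper.join('.')}`;
}

// One comparator: optional operator, optional whitespace (npm prints ">= 2.0.1"), version.
const COMPARATOR = /(>=|<=|>|<|=)?\s*v?(\d+\.\d+\.\d+)/g;

// True if `version` satisfies `range`: "||" joins alternatives, comparators within
// an alternative are ANDed, and a leading "^" is expanded first.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((alt) => {
    let spec = alt.trim();
    if (spec.startsWith('^')) spec = expandCaret(spec);
    const comparators = [...spec.matchAll(COMPARATOR)];
    if (comparators.length === 0) throw new Error(`unsupported range: ${alt}`);
    return comparators.every(([, op = '=', ver]) => {
      const c = compare(v, parseVersion(ver));
      if (op === '>=') return c >= 0;
      if (op === '<=') return c <= 0;
      if (op === '>') return c > 0;
      if (op === '<') return c < 0;
      return c === 0;
    });
  });
}

// "Patched in" range copied from the npm audit output for advisory 781.
const PATCHED_IN = '>=1.1.7 <2.0.0 || >= 2.0.1';

function isPatched(version) { return satisfies(version, PATCHED_IN); }
// What a package.json entry of "^1.1.7" lets the installer resolve to.
function caretAllows(version) { return satisfies(version, '^1.1.7'); }
```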