node-binance-api

Security problem json-schema is vulnerable to Prototype Pollution

Open Jabbaxx opened this issue 3 years ago • 3 comments

Hello, there seems to be a security problem of a dependency in the latest version. It needs to be fixed soon.

Anyone know a workaround?

"npm audit fix --force" is NOT a good idea as it installs a very old version 0.2.1 node-binance-api.

How to test:

cd /tmp/
mkdir test
cd test/
npm install node-binance-api
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

added 67 packages, and audited 68 packages in 1s

2 packages are looking for funding run npm fund for details

5 moderate severity vulnerabilities

To address all issues, run: npm audit fix

Run npm audit for details.

npm audit --dry-run

npm audit report

json-schema  <0.4.0
Severity: moderate
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/json-schema
  jsprim  0.3.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim
    http-signature  1.0.0 - 1.3.5
    Depends on vulnerable versions of jsprim
    node_modules/http-signature
      request  >=2.66.0
      Depends on vulnerable versions of http-signature
      node_modules/request
        node-binance-api  >=0.2.2
        Depends on vulnerable versions of request
        node_modules/node-binance-api

5 moderate severity vulnerabilities

To address all issues (including breaking changes), run: npm audit fix --force

Jabbaxx, Nov 22 '21 12:11
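Tracing the chain that the audit report above prints (root to node-binance-api to request to http-signature to jsprim to json-schema), as an added example that is not from this issue or from the node-binance-api project: it walks a package-lock.json "packages" map and lists every path from the project root to an installed package in a vulnerable range. The lockfile contents, its concrete versions and the function names are constructed for the example; only the package names and the affected range (json-schema <0.4.0) come from the report.

```javascript
// Added example, not code from this issue or from node-binance-api. Walks a
// package-lock.json (lockfileVersion 2/3 "packages" map) and lists every chain
// from the project root to an installed package that sits in a vulnerable range,
// reproducing the nesting the `npm audit` report above shows. The lockfile below
// is CONSTRUCTED to mirror that report; its concrete versions are illustrative.
const lock = {
  packages: {
    '': { dependencies: { 'node-binance-api': '^0.12.0' } },
    'node_modules/node-binance-api': { version: '0.12.2', dependencies: { request: '^2.88.0' } },
    'node_modules/request': { version: '2.88.2', dependencies: { 'http-signature': '~1.2.0' } },
    'node_modules/http-signature': { version: '1.2.0', dependencies: { jsprim: '^1.2.2' } },
    'node_modules/jsprim': { version: '1.4.1', dependencies: { 'json-schema': '0.2.3' } },
    'node_modules/json-schema': { version: '0.2.3' },
  },
};
// Numeric x.y.z compare; negative when a < b (no semver dependency needed).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) { const d = (pa[i] || 0) - (pb[i] || 0); if (d) return d; }
  return 0;
}
// Node-style resolution inside the lockfile: the dependant's own nested
// node_modules first, then walk up towards the root (lock path '').
function resolve(packages, from, name) {
  for (let base = from; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i < 0 ? '' : base.slice(0, i);
  }
}
// All root-to-target chains as "name@version"; chain holds lock paths and
// doubles as the cycle guard.
function findVulnerablePaths(lock, target, isVulnerable) {
  const pk = lock.packages, hits = [];
  const label = p => p.slice(p.lastIndexOf('node_modules/') + 13) + '@' + pk[p].version;
  (function walk(path, chain) {
    for (const name of Object.keys((pk[path] && pk[path].dependencies) || {})) {
      const child = resolve(pk, path, name);
      if (!child || chain.includes(child)) continue; // unresolved or cycle
      const next = chain.concat(child);
      if (name === target && isVulnerable(pk[child].version)) hits.push(next.map(label));
      walk(child, next);
    }
  })('', []);
  return hits;
}
// Range from the advisory quoted in the report: json-schema <0.4.0 is affected.
findVulnerablePaths(lock, 'json-schema', v => cmpVersion(v, '0.4.0') < 0)
  .forEach(chain => console.log(chain.join(' > ')));
```

Pointing `lock` at a real lockfile (`JSON.parse(fs.readFileSync('package-lock.json'))`) gives the same report for your own project, independent of which npm version runs `npm audit`.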

Very serious issue.

marte3707, Nov 25 '21 22:11

+1 for this one

grzegorzkrukowski, Nov 26 '21 15:11

It will be fixed now when you run npm install again on your project - dependencies have been updated in deeper libraries.

grzegorzkrukowski, Jan 11 '22 10:01