node-google
vulnerabilities
Recently I found an application using this with vulnerabilities on install... upon review I realized it was `google`. After looking into the `package.json` and understanding the depth of changes, I realized anything using `cheerio` pre version `0.22.0` probably would be difficult to refactor.
I agree with https://github.com/jprichardson/node-google/issues/63. This library is unmaintained. I am just going to refactor around an API with a key in that application to get the audit to be clean and use best practices.
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.11 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ google │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ google > cheerio > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/782 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ google │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ google > cheerio > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 vulnerabilities (1 low, 1 moderate)
Links to vulnerabilities:
- https://nodesecurity.io/advisories/782
- https://nodesecurity.io/advisories/577