Insecure dependencies
Updating the package to the latest version introduces insecurities. These do not appear on version 1.0.1 of the package.
# npm audit report
dot-prop <4.2.1
Severity: high
Prototype Pollution in dot-prop - https://github.com/advisories/GHSA-ff7x-qrg7-qggm
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/configstore/node_modules/dot-prop
configstore 2.0.0 - 2.1.0 || 3.1.3
Depends on vulnerable versions of dot-prop
node_modules/configstore
update-notifier 0.6.3 - 1.0.3
Depends on vulnerable versions of configstore
node_modules/update-notifier
github-create-issue >=2.0.0
Depends on vulnerable versions of update-notifier
node_modules/github-create-issue
4 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
This warning is not a concern. See how update-notifier is used in the source code. Prototype pollution is not possible given the usage.
The only way to rectify this issue is to remove update-notifier from the package or upgrade. The latter is not possible, as update-notifier introduced breaking env changes and would thus break backward compat for this package.
Removing update-notifier would probably be fine, as users probably don't need to be alerted that a new version of the CLI is avail. Feel free to submit a PR.
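To make the advisory concrete, here is an added example (not code from github-create-issue, dot-prop or any of the packages in the audit output) of a minimal dot-path setter in the style of dot-prop, once in the form that lets a `__proto__` path segment write into `Object.prototype`, and once hardened to refuse the segments that reach the prototype chain, which is the approach the patched dot-prop takes. All function names are assumptions for illustration.

```javascript
// Added example, not part of the github-create-issue project or dot-prop.
// Path segments through which a dot-path write can reach Object.prototype.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'prototype', 'constructor']);

// Returns true only if no segment of the dotted path is one of the unsafe names.
function isSafePath(path) {
  return path.split('.').every((seg) => !UNSAFE_SEGMENTS.has(seg));
}

// Polluting variant: walks the path and creates nested objects without
// checking segment names, so obj['__proto__'] resolves to Object.prototype.
function setUnsafe(obj, path, value) {
  const segs = path.split('.');
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (typeof cur[segs[i]] !== 'object' || cur[segs[i]] === null) {
      cur[segs[i]] = {};
    }
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Hardened variant: rejects any path containing an unsafe segment before
// touching the object, which is the mitigation shipped in dot-prop 4.2.1.
function setSafe(obj, path, value) {
  if (!isSafePath(path)) {
    throw new TypeError(`refusing unsafe path: ${path}`);
  }
  return setUnsafe(obj, path, value);
}

// Runs both variants on constructed input and reports what each did.
function demo() {
  const config = {};
  setUnsafe(config, '__proto__.polluted', true);
  const leaked = ({}).polluted === true;   // a fresh object now sees the key
  delete Object.prototype.polluted;        // undo the pollution for the rest of the process
  let blocked = false;
  try {
    setSafe({}, '__proto__.polluted', true);
  } catch (e) {
    blocked = e instanceof TypeError;
  }
  const ok = setSafe({}, 'ui.theme', 'dark'); // ordinary paths still work
  return { leaked, blocked, theme: ok.ui.theme, cleanAfter: ({}).polluted === undefined };
}
```

Whether the warning matters for a given package comes down to whether attacker-influenced strings can ever reach the path argument of such a setter; `isSafePath` is the check to apply at that boundary.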
@kgryte I cloned the repo and made the relatively minor changes to remove update-notifier dependencies. When I tried to push and create a PR it tells me I don't have permission to push. I'd also like to add functionality to close an issue. Should I work from a fork? And if so (I've never forked anything before), how do I then get my version installed instead of your version, using npm? Thanks!
I've now added issue-commenting and issue-closing functionality.
You can create a new branch and submit a new PR that way. Pushing to the master branch is only allowed for maintainers of the repository.
Creating a new branch isn't an option; so is it perhaps disabled in the repo?

Create a branch locally on your machine by using git checkout -b "your_branch_name"
Afterwards, you will be able to create a PR.