browserify-fs

Current version of the levelup dependency for this project has a known security vulnerability

Open jgw96 opened this issue 7 years ago • 12 comments

A user opened an issue on our repo about the semver package having a security vulnerability https://github.com/ionic-team/stencil/issues/568. After researching it we found that this was coming from a very old version of the levelup package that browserify-fs relies on.

Label: securityissue

jgw96 avatar Feb 23 '18 16:02 jgw96

Is this something you expect you might have an ETA for a fix for or is the project abandoned?

brettz9 avatar May 10 '18 08:05 brettz9

So the actual issue is about updating levelup to version 2.0.0; a pull request doing so and making sure the tests pass would go a long way to helping this be resolved.

calvinmetcalf avatar May 10 '18 13:05 calvinmetcalf

Actually, I take it back: updating it to 0.19.1 would probably do the trick.

calvinmetcalf avatar May 10 '18 13:05 calvinmetcalf

Updating levelup@0.19.1 will fix CVE-2015-8855 (patched in semver@>=4.3.2) but not Memory exposure in bl (patched in bl@>=0.9.5 <1.0.0 || >=1.0.1).

levelup@>=1.0.0 is without any issues.

oBusk avatar Jun 06 '18 23:06 oBusk

I've got the same security notification

└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]


microshine avatar Sep 30 '18 12:09 microshine

Any progress on this?

awmottaz avatar Oct 25 '18 15:10 awmottaz

Ping @mafintosh: will you consider the #15 PR, so we can get the ball rolling on fixing the security warnings in people's repositories?

mroderick avatar Nov 17 '18 19:11 mroderick

Ya sure. Anyone here wanna help maintain this?

mafintosh avatar Nov 18 '18 03:11 mafintosh

If it's just a question of pulling for this update and possibly any future such ones (at least clear-cut ones like this), I could sign on (brettz9 on npm as well).

brettz9 avatar Nov 19 '18 01:11 brettz9

Another issue that someone can hopefully address is that the current version of the dependency level-filesystem (1.2.0) has an outdated dependency chain of level-sublevel (5.2.3) -> xtend (2.0.6) -> object-keys (version 0.2.0, a deprecated version); see https://github.com/mafintosh/level-filesystem/issues/9

brettz9 avatar Nov 28 '18 08:11 brettz9

Any updates with this?

jdalrymple avatar Jun 06 '19 17:06 jdalrymple

> Ping @mafintosh: will you consider the #15 PR, so we can get the ball rolling on fixing the security warnings in people's repositories?

@mroderick I just made another PR (#24); the main differences compared to #15 are that it is ready and it does not require browser testing/karma; instead it uses a spec-compliant fake-indexeddb mock inside a node/jest environment. I did not upgrade any dependencies, but it can still be used as a solid base for future security fixes.

/cc @mafintosh

vladimyr avatar Nov 10 '19 00:11 vladimyr