loopback-component-storage

Critical vulnerabilities in pkgcloud and swagger-ui

Open giovanni-bertoncelli opened this issue 4 years ago • 4 comments

I wanted to report some vulnerabilities that should be fixed before this package gets out of LTS. Here's the list:

  • Gravity: high, package: minimatch, path: loopback-component-storage > pkgcloud > liboneandone > mocha > glob > minimatch, patched in: 3.0.2
  • Gravity: CRITICAL, package: growl, path: loopback-component-storage > pkgcloud > liboneandone > mocha > growl, patched in: 1.10.2
  • Gravity: Low, package: debug, patched in: 3.1.0
  • Gravity: Moderate, package: swagger-ui, fixed in: 3.20
  • Gravity: Low, package: minimist, patched in: 1.2.3
  • Gravity: High, package: node-forge, patched in: 0.10.0

How to reproduce

npm audit will show the vulnerabilities.

giovanni-bertoncelli, Dec 03 '20 14:12
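As an added example (not part of this issue or of the loopback-component-storage project), the following Node script walks an `npm ls --json`-style dependency tree along the two transitive paths listed in the report and flags any package still below its patched version; the tree and the installed versions in it are constructed for the demonstration.

```javascript
// Added example: check the transitive paths from the report against the
// patched versions it states. Not project code; the tree below is constructed.

// Advisories as stated in the report (path below the root package, first fixed version).
const ADVISORIES = [
  { path: ['pkgcloud', 'liboneandone', 'mocha', 'glob', 'minimatch'], patched: '3.0.2' },
  { path: ['pkgcloud', 'liboneandone', 'mocha', 'growl'], patched: '1.10.2' },
];

// Constructed sample in the shape `npm ls --json --all` prints; versions are made up.
const SAMPLE_TREE = {
  dependencies: {
    pkgcloud: { version: '2.1.0', dependencies: {
      liboneandone: { version: '1.2.0', dependencies: {
        mocha: { version: '2.2.5', dependencies: {
          growl: { version: '1.9.2' },
          glob: { version: '3.2.11', dependencies: { minimatch: { version: '0.3.0' } } },
        } },
      } },
    } },
  },
};

// Numeric "x.y.z" comparison (no prerelease handling); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Follow one dependency path through the tree; returns the installed version, or null if absent.
function resolvePath(tree, path) {
  let node = tree;
  for (const name of path) {
    node = node.dependencies && node.dependencies[name];
    if (!node) return null;
  }
  return node.version;
}

// Advisories whose package is present on the stated path and older than the patched version.
function findUnpatched(tree, advisories) {
  return advisories.flatMap(({ path, patched }) => {
    const installed = resolvePath(tree, path);
    if (installed === null || compareVersions(installed, patched) >= 0) return [];
    return [{ package: path[path.length - 1], installed, patched, path: path.join(' > ') }];
  });
}

console.table(findUnpatched(SAMPLE_TREE, ADVISORIES));
```

To run it against a real install, replace SAMPLE_TREE with the parsed output of `npm ls --json --all` run in the project directory.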

@giovanni-bertoncelli, thanks for reporting this. Would you like to submit a PR? thanks.

dhmlau, Dec 04 '20 00:12

@giovanni-bertoncelli, we're also waiting for security fixes in liboneandone (see https://github.com/strongloop/loopback-component-storage/pull/285#issuecomment-574837835).

dhmlau, Dec 04 '20 14:12

@dhmlau Sorry, I don't have much time to spend on this...

giovanni-bertoncelli, Dec 04 '20 14:12

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot], Jul 21 '21 02:07