
Security vulnerability introduced through picture-tube

Open lirantal opened this issue 8 years ago • 7 comments

Hi @yaronn,

The picture-tube package introduces a security vulnerability issue by its own dependency of an old request library version.

It seems that picture-tube is quite old and unmaintained, so it may need to be replaced with another npm package. Any chance you're up for it? Thanks!

You can dig up more info at snyk's website: https://snyk.io/test/github/yaronn/blessed-contrib

cc @adrukh @grnd

lirantal avatar Dec 03 '16 21:12 lirantal

Nice catch :) I don't think picture-tube is used too often with blessed-contrib, but I will leave this open until I or someone else has more time to figure out an alternative. Thanks!

yaronn avatar Dec 06 '16 17:12 yaronn

Ok, thanks. Hopefully soon :) And thank you so much for the wonderful blessed-contrib project! :heart:

lirantal avatar Dec 06 '16 20:12 lirantal

picture-tube has very few LoC, about 60. Possible options:

  • Fork -> tweak -> update deps
  • Copy -> paste the 60 LoC into this project

Thanks.

binarymist avatar Sep 03 '18 03:09 binarymist

Let's see if we can come up with an alternative library. It seems that the request lib in picture-tube is also irrelevant.

lirantal avatar Sep 03 '18 07:09 lirantal

Note that there is an existing (albeit unmerged) PR on picture-tube to update the version of request it uses, which would fix this issue.

https://github.com/substack/picture-tube/pull/12

techieshark avatar Sep 15 '18 20:09 techieshark

👍 Tried to ping another committer on the project

lirantal avatar Sep 17 '18 21:09 lirantal

I came here because npm audit reports this:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Remote Memory Exposure                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ request                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.68.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ picture-tube                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ picture-tube > request                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/309                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 141 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Chaz6 avatar Dec 06 '18 18:12 Chaz6
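The audit report above only gives one dependency path (`picture-tube > request`) and one patched range (`>=2.68.0`). As an added example, not code from this thread or from the blessed-contrib project, the following Node.js script walks a package-lock v1 style `dependencies` tree and reports every path that reaches a package whose version is below its patched version, which is useful when the same vulnerable library is pulled in through several parents. The lockfile fragment and the version numbers in it are constructed placeholders, not real data from either project.

```javascript
// Added example (not from the thread or the project): walk a package-lock.json
// v1 style "dependencies" tree and list every path that reaches a package
// whose version is below the patched version. The tree below is CONSTRUCTED
// for illustration; its version numbers are placeholders, not a real lockfile.

// Patched-in versions taken from the npm audit output quoted in the thread.
const PATCHED = { request: '2.68.0' };

// Compare two dotted numeric versions (major.minor.patch), ignoring any
// prerelease suffix. Returns <0, 0 or >0 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect "parent > child > ..." paths to vulnerable versions.
// depsTree has the shape { name: { version, dependencies: {...} } }.
function findVulnerablePaths(depsTree, patched, trail = [], out = []) {
  for (const [name, info] of Object.entries(depsTree || {})) {
    const path = [...trail, name];
    const fixedIn = patched[name];
    if (fixedIn && compareVersions(info.version, fixedIn) < 0) {
      out.push({
        path: path.join(' > '),
        version: info.version,
        patchedIn: '>=' + fixedIn,
      });
    }
    // Nested dependencies live under the same key in lockfile v1.
    findVulnerablePaths(info.dependencies, patched, path, out);
  }
  return out;
}

// Constructed lockfile fragment resembling the situation in the thread:
// one parent pins an old request, another already has a patched one.
const sampleLock = {
  dependencies: {
    'picture-tube': {
      version: '0.0.0', // placeholder
      dependencies: {
        request: { version: '2.27.0' }, // placeholder, below the patched 2.68.0
      },
    },
    'some-other-lib': {
      version: '1.0.0', // placeholder
      dependencies: {
        request: { version: '2.88.0' }, // placeholder, already patched
      },
    },
  },
};

// Run the walk over the constructed sample and return the findings.
function auditSample() {
  return findVulnerablePaths(sampleLock.dependencies, PATCHED);
}

// Stand-alone run: print one line per vulnerable path, like npm audit's "Path" row.
for (const hit of auditSample()) {
  console.log(`${hit.path}  (${hit.version}, patched in ${hit.patchedIn})`);
}
```

Only the `picture-tube > request` path is reported; the second copy of `request` is already at or above the patched version and is skipped. Replacing `sampleLock` with the parsed contents of a real `package-lock.json` (v1 format) gives the same per-path view for an actual project.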