Joshua Poore created FLAGON-422:
-----------------------------------
Summary: Update NPM modules to fix prototype pollution issues in npm packages
Key: FLAGON-422
URL: https://issues.apache.org/jira/browse/FLAGON-422
Project: Flagon
Issue Type: Bug
Components: UserALE.js
Affects Versions: UserALE.js 2.0.0, UserALE.js 2.0.1
Reporter: Joshua Poore
Assignee: Joshua Poore
Fix For: UserALE.js 2.0.1, UserALE.js 2.0.0
Prototype Pollution is the new hot way to exploit JS, and it's wreaking havoc in
the larger NPMJS community:
[https://medium.com/@daniakash/what-is-prototype-pollution-and-why-is-it-such-a-big-deal-2dd8d89a93c]
It's a latent exploit at the core of JS that most of you already know about. If
not, read the above article. Packages like jquery and other massive projects are
affected.
Should we be scared for UserALE.js? No, probably not at all. Our scripts are
accessible to the page only through limited APIs, they live elsewhere, and are
likely more difficult or impossible to exploit in general.
However, our build pipeline has deep dependencies that rely on affected
packages: set-value, mixin, lodash (these are like depth=10+). The immediate
dependencies that are affected include babel, gulp, nodemon. I have already
issued bug reports or bumped issues in these projects to make sure they're
getting attention. In some cases like set-value, the gulp community has
pressured them and npm to update their registry and include fixes in old
versions of set-value.
Low risk for our users, I think; however, we should adopt any patches ASAP.
found 282 high severity vulnerabilities in 11741 scanned packages
run `npm audit fix` to fix 281 of them.
1 vulnerability requires manual review. See the full report for details.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
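Added example (not code from the ticket or from UserALE.js, set-value, mixin-deep or lodash): the dotted-path deep-set pattern those packages implement, in its vulnerable form beside a hardened one that rejects prototype-chain keys, plus a check that tells whether a given setter leaks onto Object.prototype. The function and key names are this example's own.

```javascript
// Added example, not UserALE.js or set-value code: a minimal deep-set helper
// of the kind set-value/mixin-deep/lodash provide, in its vulnerable form and
// a hardened form that rejects prototype-chain keys (the shape of the fixes).
// Vulnerable: walks the dotted path, creating objects along the way. A path
// beginning with "__proto__" walks onto Object.prototype, so the final write
// lands on a property that every plain object in the process then inherits.
function setValueVulnerable(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: refuse the keys that reach the prototype chain and only descend
// into own properties, so an inherited object is never used as a container.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function setValueSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new TypeError(`refusing prototype key in path "${path}"`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) ||
        typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Check: after setting a "__proto__.<probe>" path on a throwaway object, does
// an unrelated fresh object see the property? true means the shared prototype
// was polluted; the probe is removed again so nothing else is affected.
function pollutionReaches(setter) {
  const probe = 'probe_' + Math.random().toString(36).slice(2);
  try { setter({}, `__proto__.${probe}`, 'polluted'); } catch (e) { return false; }
  const leaked = ({})[probe] === 'polluted';
  delete Object.prototype[probe];
  return leaked;
}
```

Running `pollutionReaches` against a dependency's own deep-set or merge function is a quick way to confirm that an `npm audit fix` bump actually closed the hole rather than just changing the version number.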