[
https://issues.apache.org/jira/browse/THRIFT-5223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17278730#comment-17278730
]
Jens Geyer commented on THRIFT-5223:
------------------------------------
You are free to send pull requests at any time. We appreciate that.
> [Skyscanner] JS-Doc Latest Release Tag Is Not The Actual Current Release And
> Introduces Vulnerable Package
> ----------------------------------------------------------------------------------------------------------
>
> Key: THRIFT-5223
> URL: https://issues.apache.org/jira/browse/THRIFT-5223
> Project: Thrift
> Issue Type: Bug
> Affects Versions: 0.13.0
> Environment: Production
> Reporter: Ian Thompson
> Priority: Major
> Labels: javascript
> Fix For: 0.13.0, 0.14.0, 1.0
>
>
> We are seeing a warning on builds of out internal distributed JS tracing
> solution.
> Our core client tracer is Lightstep which introduces thrift
> ([https://github.com/lightstep/lightstep-tracer-javascript/blob/master/package.json#L28])
> Our vulnerability catcher - SNYK - is blocking builds due to picking up an
> issue with the \{{marked}} ([https://www.npmjs.com/package/marked]) lib
> introduced through \{{js-doc}} ([https://www.npmjs.com/package/jsdoc]) which
> is used in \{{thrift}}
> ([https://github.com/apache/thrift/blob/0.13.0/package.json#L52]).
> We have noticed that \{{js-doc}} is using the *Latest Release* version, which
> in fact is pointing to an older release version; \{{js-doc}} is at 3.5.5
> (2017) while the actual latest is 3.6.4.
> The vulnerability in the \{{marked}} lib is described here:
> [https://snyk.io/vuln/SNYK-JS-MARKED-174116]
> Since this is a dev dependency and, a {{MEDIUM SEVERITY}} score, it would be
> cool if we had the dependency (\{{js-doc}}) to take advantage of the fixes
> therein.
> We can then notify Lightstep to make an update.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
