Posted to issues@cordova.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/08/17 23:04:20 UTC
[jira] [Commented] (CB-11484) coho test failure (library vulnerability)
[ https://issues.apache.org/jira/browse/CB-11484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15425555#comment-15425555 ]
ASF GitHub Bot commented on CB-11484:
-------------------------------------
GitHub user asfgit closed the pull request at:
https://github.com/apache/cordova-coho/pull/128
> coho test failure (library vulnerability)
> -----------------------------------------
>
> Key: CB-11484
> URL: https://issues.apache.org/jira/browse/CB-11484
> Project: Apache Cordova
> Issue Type: Bug
> Components: Coho
> Reporter: Shazron Abdullah
> Priority: Critical
>
> Our use of nlf@1.1.0 contains, down the tree, a vulnerable library, minimatch@2.0.10
> {code}
> (+) 1 vulnerabilities found
> ┌───────────────┬────────────────────────────────────────────────────────────────────────────┐
> │ │ Regular Expression Denial of Service │
> ├───────────────┼────────────────────────────────────────────────────────────────────────────┤
> │ Name │ minimatch │
> ├───────────────┼────────────────────────────────────────────────────────────────────────────┤
> │ Installed │ 2.0.10 │
> ├───────────────┼────────────────────────────────────────────────────────────────────────────┤
> │ Vulnerable │ <=3.0.1 │
> ├───────────────┼────────────────────────────────────────────────────────────────────────────┤
> │ Patched │ >=3.0.2 │
> ├───────────────┼────────────────────────────────────────────────────────────────────────────┤
> │ Path │ cordova-coho@0.0.3 > nlf@1.1.0 > glob@4.5.3 > minimatch@2.0.10 │
> ├───────────────┼────────────────────────────────────────────────────────────────────────────┤
> │ More Info │ https://nodesecurity.io/advisories/118 │
> └───────────────┴────────────────────────────────────────────────────────────────────────────┘
> {code}
> Filed for nlf:
> https://github.com/iandotkelly/nlf/issues/40
> Filed for glob-all (which later versions of nlf use):
> https://github.com/jpillora/node-glob-all/issues/12
> glob-all uses glob, which patched this 4 days ago in 7.0.5:
> https://github.com/isaacs/node-glob/issues/268
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)