Posted to dev@flagon.apache.org by "Joshua Poore (JIRA)" <ji...@apache.org> on 2019/07/26 02:02:00 UTC

[jira] [Closed] (FLAGON-422) Update NPM modules to fix prototype pollution issues in npm packages

     [ https://issues.apache.org/jira/browse/FLAGON-422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua Poore closed FLAGON-422.
-------------------------------
    Resolution: Fixed

Fixed, all but one.

> Update NPM modules to fix prototype pollution issues in npm packages
> --------------------------------------------------------------------
>
>                 Key: FLAGON-422
>                 URL: https://issues.apache.org/jira/browse/FLAGON-422
>             Project: Flagon
>          Issue Type: Bug
>          Components: UserALE.js
>    Affects Versions: UserALE.js 2.0.0, UserALE.js 2.0.1
>            Reporter: Joshua Poore
>            Assignee: Joshua Poore
>            Priority: Major
>             Fix For: UserALE.js 2.0.1, UserALE.js 2.0.0
>
>
> Prototype Pollution is the new hot way to exploit JS, and it's wreaking havoc in the larger NPMJS community:
> [https://medium.com/@daniakash/what-is-prototype-pollution-and-why-is-it-such-a-big-deal-2dd8d89a93c]
> It's a latent exploit at the core of JS that most of you already know about. If not, read the above article. Packages like jquery and other massive projects are affected.
> Should we be scared for UserALE.js? No, probably not at all. Our scripts are accessible to the page only through limited APIs, they live elsewhere, and are likely more difficult or impossible to exploit in general.
> However, our build pipeline has deep dependencies that rely on affected packages: set-value, mixin, lodash (these are like depth=10+). The immediate dependencies that are affected include babel, gulp, nodemon. I have already issued bug reports or bumped issues in these projects to make sure they're getting attention. In some cases like set-value, the gulp community has pressured them and npm to update their registry and include fixes in old versions of set-value. 
> Low risk for our users, I think; however, we should adopt any patches ASAP.
>  
> found 282 high severity vulnerabilities in 11741 scanned packages
>   run `npm audit fix` to fix 281 of them.
>   1 vulnerability requires manual review. See the full report for details.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
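The ticket names set-value, mixin and lodash as the polluted dependencies without showing what the bug looks like. The following is an added example, not code from UserALE.js, set-value, lodash or any other package in the ticket: it reproduces the two shapes of prototype pollution those packages had (a recursive deep merge and a dotted-path setter) on a naive implementation, each beside a hardened version. The function names, the `isAdmin` property and the JSON payload are constructed for illustration.

```javascript
// Added example of prototype pollution in a deep merge and a path setter, with fixes.
// None of this is UserALE.js or dependency code; names and payloads are constructed.

// The three keys through which a plain object can reach Object.prototype or a class prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable deep merge (the lodash.merge / mixin-deep class of bug): it recurses into
// any object-valued key, and target['__proto__'] on a plain {} *is* Object.prototype,
// so a "__proto__" key in untrusted JSON writes onto every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: skip the reserved keys, and only recurse into a slot that is the
// target's *own* plain object, never one inherited through the prototype chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Vulnerable dotted-path setter (the set-value class of bug): set(obj, "a.b", v) walks or
// creates intermediate objects, so the path "__proto__.isAdmin" lands on Object.prototype.
function unsafeSetPath(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!isPlainObject(cur[keys[i]])) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened setter: refuse any path segment naming a prototype hook, and again only
// descend into own plain-object slots.
function safeSetPath(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing to set path through reserved key: ${path}`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, keys[i]) || !isPlainObject(cur[keys[i]])) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs each attack against a fresh object and reports whether an unrelated, freshly
// created {} picked up the injected property. Cleans Object.prototype up afterwards.
function demonstrate() {
  // Constructed attacker-controlled input, e.g. a parsed JSON request body. JSON.parse
  // creates an own data property literally named "__proto__", which Object.keys lists.
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}');
  const results = {};

  unsafeMerge({}, payload);
  results.unsafeMergePolluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;

  safeMerge({}, payload);
  results.safeMergePolluted = ({}).isAdmin === true;

  unsafeSetPath({}, '__proto__.isAdmin', true);
  results.unsafeSetPathPolluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;

  let rejected = false;
  try { safeSetPath({}, '__proto__.isAdmin', true); } catch (e) { rejected = true; }
  results.safeSetPathRejected = rejected;
  results.safeSetPathPolluted = ({}).isAdmin === true;

  return results;
}

console.log(demonstrate());
```

The check that matters in the hardened versions is the `hasOwnProperty` test before recursing: filtering the three key names stops the common payloads, but descending only into the target's own properties is what keeps a merge from ever walking into inherited objects. As defence in depth, an application can also `Object.freeze(Object.prototype)` at startup so any remaining gadget fails loudly, and the `npm audit fix` the ticket refers to is the right fix for the dependencies themselves.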