Security vulnerability in passport-azure-ad > bunyan > mv > mkdirp > minimist dependency chain #4633
Comments
@ydogandjiev We are working on a new validation library and hence
@pkanher617 Assigning to you as you are working on the
@ydogandjiev This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.
We're running into this as well. Various high severity security issues are reported by our code / dependency analysis. This is also affecting almost all of our products, and authentication isn't one of the topics where I would say security is of minor importance or critical. Any idea of a timeline, or is there any workaround we can implement until this is fixed?
I believe this should be addressed if you pick up the latest version of

    npm ls minimist --prod
    passport-azure-ad@4.3.1 microsoft-authentication-library-for-js\maintenance\passport-azure-ad
    └─┬ bunyan@1.8.15
      └─┬ mv@2.1.1
        └─┬ mkdirp@0.5.6
          └── minimist@1.2.6

Please regenerate your lock files and confirm, thanks! @ydogandjiev @erik-neumann
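The check above is done by reading the `npm ls` tree by eye. The following script is an added example (not code from this issue or from the passport-azure-ad project) that does the same check mechanically: it walks the JSON tree printed by `npm ls <pkg> --prod --json`, lists every dependency chain that ends at the named package, and flags any chain whose resolved version is still below a required minimum. The tree embedded here is a constructed sample shaped like `npm ls --json` output and filled in with the chain quoted in this thread; the function names and the `1.2.6` threshold are assumptions for the example, not values from the page.

```javascript
// Added example: verify a transitive dependency after regenerating a lockfile.
// Constructed sample in the shape `npm ls --json` prints, populated with the
// passport-azure-ad > bunyan > mv > mkdirp > minimist chain from this issue.
// For a real project: npm ls minimist --prod --json > tree.json, then pass
// JSON.parse(fs.readFileSync('tree.json')) to outdatedChains().
const SAMPLE_TREE = {
  name: 'passport-azure-ad',
  version: '4.3.1',
  dependencies: {
    bunyan: {
      version: '1.8.15',
      dependencies: {
        mv: {
          version: '2.1.1',
          dependencies: {
            mkdirp: {
              version: '0.5.6',
              dependencies: {
                minimist: { version: '1.2.6' },
              },
            },
          },
        },
      },
    },
  },
};

// Depth-first walk of the tree. Returns one entry per occurrence of `pkg`:
// { chain: ['root@v', ..., 'pkg@v'], version } (version may be undefined if
// npm emitted a node without one, e.g. a missing or unmet dependency).
function findChains(tree, pkg) {
  const results = [];
  const walk = (node, name, path) => {
    const here = [...path, `${name}@${node.version ?? '?'}`];
    if (name === pkg) results.push({ chain: here, version: node.version });
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(child, dep, here);
    }
  };
  walk(tree, tree.name, []);
  return results;
}

// Compare dotted numeric versions: -1, 0 or 1. Prerelease tags are not handled;
// plain x.y.z is all this check needs.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Chains whose resolved version is below `minVersion`, or has no version at
// all: exactly the ones a dependency scanner would still report.
function outdatedChains(tree, pkg, minVersion) {
  return findChains(tree, pkg).filter(
    (c) => c.version === undefined || compareVersions(c.version, minVersion) < 0,
  );
}

// Human-readable report lines for the whole tree.
function report(tree, pkg, minVersion) {
  const bad = new Set(outdatedChains(tree, pkg, minVersion).map((c) => c.chain.join(' > ')));
  return findChains(tree, pkg).map((c) => {
    const chain = c.chain.join(' > ');
    return `${bad.has(chain) ? 'OUTDATED' : 'ok'}  ${chain}`;
  });
}

console.log(report(SAMPLE_TREE, 'minimist', '1.2.6').join('\n'));
```

Running it against a freshly regenerated lockfile should print `ok` for every chain; any `OUTDATED` line names the exact path that still pins an old copy, which is the information needed to decide whether a top-level dependency bump or an explicit override is required.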
Thanks @jasonnutter for your response. Actually we have multiple packages that seem to contain vulnerabilities.
I tried your approach by referencing the affected packages directly. That resolved some of the issues but not all. async and qs are still having issues. qs seems to be referenced by the request package, which is not even maintained anymore.
@erik-neumann Did removing your node_modules folder and regenerating your lock file address the minimist dependency specifically?
@jasonnutter yes,
@erik-neumann Thanks for confirming. We are aware of the issues with
Core Library: Passport Azure AD (passport-azure-ad)
Core Library Version: 4.3.1
Wrapper Library: Not Applicable
Wrapper Library Version: None
Description:
The following dependency chain originating in passport-azure-ad introduces a security vulnerability which is getting flagged by GitHub's Dependabot:
passport-azure-ad > bunyan > mv > mkdirp > minimist
The issue was reported to bunyan a while back, but it looks like the project's maintainers have no interest in fixing it (or the resources to do so):
trentm/node-bunyan#667
Can you please consider removing passport-azure-ad's dependency on bunyan in order to eliminate this high severity vulnerability?
Error Message: No response
Msal Logs: No response
MSAL Configuration:
Relevant Code Snippets:
Reproduction Steps: N/A
Expected Behavior: N/A
Identity Provider: Azure AD / MSA
Browsers Affected (Select all that apply): None (Server)
Regression: No response
Source: Internal (Microsoft)