This repository has been archived by the owner on Jul 15, 2023. It is now read-only.

npm audit warnings due to json-rpc2 #2861

Closed
OneOfOne opened this issue Oct 24, 2019 · 3 comments

Comments

@OneOfOne
Contributor

┏━ oneofone@voyager ❰~/c/v/vscode-go❱ ❰master|✚2❱
┗━● npm audit

=== npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ json-rpc2                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ json-rpc2 > lodash                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/577                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.11                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ json-rpc2                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ json-rpc2 > lodash                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/782                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ json-rpc2                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ json-rpc2 > lodash                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 vulnerabilities (1 low, 2 high) in 441 scanned packages
3 vulnerabilities require manual review. See the full report for details.
@ramya-rao-a
Contributor

We depend on json-rpc2 for the debugging feature that is provided by this extension, which in turn depends on v3 of lodash, resulting in the above warnings.

Unfortunately, json-rpc2 has not had a release in years.

One option would be to fork the package and update the dependency ourselves.
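
Before forking, it helps to confirm which copies of lodash actually sit below the patched floors in the lockfile. The following is an added example, not code from the vscode-go project or the commenter: it walks a constructed package-lock.json (lockfileVersion 1 layout; the json-rpc2 and lodash versions in it are assumed, not taken from the real project) and reports every lodash copy older than the highest "Patched in" version quoted in the audit report above, together with the dependency path that pulls it in.

```javascript
// Added example (not from the vscode-go repo): find every copy of lodash
// in a lockfile tree and compare it against the "Patched in" floors from
// the three advisories in the npm audit report.

// Constructed, minimal lockfile (lockfileVersion 1 layout); the versions
// are assumed for illustration, not taken from the real project.
const lockfile = {
  dependencies: {
    'json-rpc2': {
      version: '1.0.2',
      requires: { lodash: '^3.10.1' },
      dependencies: { lodash: { version: '3.10.1' } },
    },
    lodash: { version: '4.17.15' },
  },
};

// "Patched in" floors as printed by npm audit above.
const PATCHED_FLOORS = ['4.17.5', '4.17.11', '4.17.12'];

// Compare two dotted numeric versions: negative, zero or positive.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect { path, version } for every copy of `pkg`,
// descending into nested (deduplicated-away) dependency blocks.
function findPackage(tree, pkg, prefix = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const path = [...prefix, name];
    if (name === pkg) hits.push({ path: path.join(' > '), version: info.version });
    hits.push(...findPackage(info, pkg, path));
  }
  return hits;
}

// Report every lodash copy below the highest patched floor.
function vulnerableCopies(lock) {
  const floor = PATCHED_FLOORS.reduce((m, v) => (compareVersions(v, m) > 0 ? v : m));
  return findPackage(lock, 'lodash')
    .filter((h) => compareVersions(h.version, floor) < 0)
    .map((h) => ({ ...h, needed: `>=${floor}` }));
}
```

For the constructed tree this flags only the nested `json-rpc2 > lodash` copy, matching the path shown in the audit output; the hoisted top-level lodash already satisfies the floor.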

@ramya-rao-a ramya-rao-a changed the title npm audit npm audit warnings due to json-rpc2 Dec 12, 2019
@ramya-rao-a
Contributor

We could try and see if the vscode-jsonrpc can be a good replacement here.

cc @quoctruong, @jhendrixMSFT

@ramya-rao-a
Contributor

Hey @OneOfOne,

We are in the midst of a repo move, see We are moving section in our readme for more details.

Please subscribe to golang/vscode-go#113 for further updates on this issue.

Thanks for all the support & Happy Coding!
