dot-prop 4.2.0 installs with nodejs 14 creating security issue #34708

Closed
dominopetter opened this issue Aug 10, 2020 · 2 comments
Labels
npm Issues and PRs related to the npm client dependency or the npm registry. wrong repo Issues that should be opened in another repository.

Comments

@dominopetter

Version: v14.7.0
Platform: Linux 359fde9c186f 5.3.0-1019-aws #21~18.04.1-Ubuntu SMP Mon May 11 12:33:03 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Subsystem: dot-prop

What steps will reproduce the bug?

curl -sL https://deb.nodesource.com/setup_14.x | sudo -E bash -
sudo apt-get install -y nodejs

Installs dot-prop 4.2.0 in /usr/lib/node_modules/npm/node_modules/dot-prop
https://www.npmjs.com/advisories/1213

How often does it reproduce? Is there a required condition?

Every time nodejs installs

What is the expected behavior?

dot-prop >=5.1.1 should install

@bnoordhuis
Member

The .deb isn't maintained by us, but by nodesource. What's more, npm isn't maintained by us either, only distributed. It's its own project. Can you report your issue over at https://npm.community/? Thanks.

@bnoordhuis bnoordhuis added npm Issues and PRs related to the npm client dependency or the npm registry. wrong repo Issues that should be opened in another repository. labels Aug 10, 2020
@marijus-ravickas

marijus-ravickas commented Aug 20, 2020

@bnoordhuis
Seems like the issue is solved in version 6.14.8.
npm/cli#1682 (comment)
Will it be included in the next release, or will some minor patching be done? Node version 12 is also affected by the issue.

3 participants