Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security vulnerabilities in latest version 2.3.4 #92

Closed
mjgs opened this issue Dec 18, 2019 · 3 comments
Closed

Security vulnerabilities in latest version 2.3.4 #92

mjgs opened this issue Dec 18, 2019 · 3 comments
Labels
released

Comments

@mjgs
Copy link

mjgs commented Dec 18, 2019

I am running latest version 2.3.4 and npm audit is showing security vulnerabilities:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ parse-domain                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ parse-domain > jest > jest-cli > @jest/core >                │
│               │ @jest/reporters > istanbul-reports > handlebars              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1300                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary Code Execution                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ parse-domain                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ parse-domain > jest > jest-cli > @jest/core >                │
│               │ @jest/reporters > istanbul-reports > handlebars              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1316                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary Code Execution                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ parse-domain                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ parse-domain > jest > jest-cli > @jest/core >                │
│               │ @jest/reporters > istanbul-reports > handlebars              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1324                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ parse-domain                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ parse-domain > jest > jest-cli > @jest/core >                │
│               │ @jest/reporters > istanbul-reports > handlebars              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1325                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
@mjgs
Copy link
Author

mjgs commented Dec 18, 2019

I was able to clear these vulnerabilities by running npm audit fix

@jhnns
Copy link
Member

jhnns commented Jan 12, 2020

Thanks for reporting it. This is related to #89. We will remove Jest as regular dependency in future versions.

Currently, Jest (and its dependencies) are only used and executed on npm install, so the risk of this security vulnerability is really low (I doubt that someone could exploit it in this case).

This was referenced Jan 30, 2020
Closed
Closed
@jhnns jhnns closed this as completed in 9f38492 Apr 23, 2020
@github-actions
Copy link

🎉 This issue has been resolved in version 3.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jhnns @mjgs