cordova-issues mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [cordova-cli] schmitzc opened a new issue #507: Vulnerable dependencies
Date Mon, 01 Jun 2020 20:19:57 GMT

schmitzc opened a new issue #507:
URL: https://github.com/apache/cordova-cli/issues/507


   # Bug Report
   
   ## Problem
   
   `yarn audit` finds vulnerabilities in `kind-of` and `minimist` packages:
   
   ```
   ┌───────────────┬──────────────────────────────────────────────────────────────┐
   │ low           │ Prototype Pollution                                          │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Package       │ minimist                                                     │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Dependency of │ cordova                                                      │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Path          │ cordova > update-notifier > latest-version > package-json >  │
   │               │ registry-url > rc > minimist                                 │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ More info     │ https://www.npmjs.com/advisories/1179                        │
   └───────────────┴──────────────────────────────────────────────────────────────┘
   ┌───────────────┬──────────────────────────────────────────────────────────────┐
   │ low           │ Validation Bypass                                            │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Package       │ kind-of                                                      │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Patched in    │ >=6.0.3                                                      │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Dependency of │ cordova                                                      │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Path          │ cordova > cordova-lib > globby > fast-glob > micromatch >    │
   │               │ nanomatch > kind-of                                          │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ More info     │ https://www.npmjs.com/advisories/1490                        │
   └───────────────┴──────────────────────────────────────────────────────────────┘
   ```
   
   ### What is expected to happen?
   
   `yarn audit` should not find any vulnerabilities for the `cordova` dependencies.
   
   ### What does actually happen?
   
   `yarn audit` finds vulnerabilities in the `minimist` and `kind-of` packages.
   
   ## Information
   <!-- Include all relevant information that might help understand and reproduce the problem -->
   
   
   
   ### Command or Code
   <!-- What command or code is needed to reproduce the problem? -->
   
   `yarn audit`
   
   ### Environment, Platform, Device
   <!-- In what environment, on what platform or on which device are you experiencing the issue? -->
   
   N/A
   
   ### Version information
   <!-- 
   What are relevant versions you are using?
   For example:
   Cordova: Cordova CLI, Cordova Platforms, Cordova Plugins 
   Other Frameworks: Ionic Framework and CLI version
   Operating System, Android Studio, Xcode etc.
   -->
   
   Cordova: Cordova CLI
   
   ## Checklist
   <!-- Please check the boxes by putting an x in the [ ] like so: [x] -->
   
   - [x] I searched for existing GitHub issues
   - [x] I updated all Cordova tooling to most recent version
   - [x] I included all the necessary information above
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org

