Vulnerability of tough-cookie 2.3.2 bundled with package. #187
Comments
Updating node-pre-gyp (or rather: request) might be problematic because of request/request#2772. It might be possible to move node-pre-gyp to

Wow! Was not aware of this thread on A possible solution would be to increase fsevents to version 2.0.0 and support only Node 4/6/8+ (dealer's choice). But this is a major step and I can understand that with 90k+ downloads a day, there is some hesitation on doing that, just as the owner of Well... I guess we are at an impasse on that one. I can understand that wholeheartedly. Since most of the code we develop in our team is ultimately servers we deploy on CentOS, I guess I can live with the vulnerability. The problem would come when people on MacOS X start using my package in their projects which might be ultimately deployed on MacOS X. I guess these other teams can do their own security analysis then and decide on their strategy. I will not close this issue because I still think it is a valid one, but will stop pushing it.

Doesn't

The problem I think is This means that if

Anyone using

@es128 We should cut a

Resolved in v1.2.0
Good morning,

I am using `fsevents` version 1.1.2 with NodeJS 6.9.x and a simplified dependency tree looks like this:

The problem comes from the version of tough-cookie. There is a vulnerability in tough-cookie version 2.3.2: salesforce/tough-cookie#92. This vulnerability was fixed in 2.3.3 by salesforce/tough-cookie#97.

The Whitesource software flags my application because of this vulnerability.

I don't know why `node-pre-gyp` is bundled with the package, but I'm pretty sure you have a reason for it so I will not ask to get a clean fsevents package, without `bundledDependencies`. But, would it be possible to re-publish a version of fsevents with a later version of `node-pre-gyp` bundled with it? This will result in a later version of `request`, which will result in version 2.3.3 of `tough-cookie`. Thanks.