
Upgrade mime dependency to version 2.0.3. #146

Closed

Conversation

josueorozco

@dougwilson
Contributor

It is not possible to upgrade to the 2.x series of the mime module, because it requires Node.js 6+ to function. The 1.4.1 version of mime is not vulnerable, as noted in the vulnerable / not ranges at the top of the advisory, and 1.4.1 ships with 0.16.0 of this module already.

@dougwilson dougwilson closed this Sep 28, 2017
@dougwilson
Contributor

The 2.x series API is also completely different; please run the tests at least prior to a PR :)

@josueorozco
Author

Hey Doug,

Was just reading over the reference again and realized you were already on top of it. Thanks!

@dougwilson
Contributor

It's no problem 👍 Not sure if you are using this through Express.js or not, but if you are, hang tight and the usage of this module doesn't introduce a vulnerability anyway, but still trying to get an update out.

@josueorozco
Author

Yep, using this through Express.js. Got wind of it via nsp check, which outputs:

~$ nsp check
(+) 1 vulnerabilities found
┌───────────────┬────────────────────────────┐
│               │ Regular Expression Denial of Service
├───────────────┼────────────────────────────┤
│ Name          │ mime 
├───────────────┼────────────────────────────┤
│ CVSS          │ 7.5 (High) 
├───────────────┼────────────────────────────┤
│ Installed     │ 1.3.4          
├───────────────┼────────────────────────────┤
│ Vulnerable    │ < 1.4.1 || > 2.0.0 < 2.0.3 
├───────────────┼────────────────────────────┤
│ Patched       │ >= 1.4.1 < 2.0.0 || >= 2.0.3 
├───────────────┼────────────────────────────┤
│ Path          │ dxcc.local@1.0.0 > express@4.15.5 > send@0.15.6 > mime@1.3.4
├───────────────┼────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/535 
└───────────────┴────────────────────────────┘

Adding the advisory as an exception on my project for now as per the docs here https://github.com/nodesecurity/nsp#exceptions.

Thanks again for your work on this 👍
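The range check nsp performed in the output above, re-created as an added example (not code from send, mime or nsp): it takes the mime version at the leaf of a dependency path and tests it against the vulnerable and patched ranges exactly as nsp printed them. The inline comparator and the `classifyMime`/`leafVersion` helpers are assumptions of this example, written so it runs without the `semver` package.

```javascript
// Added example, not code from send, mime or nsp: re-creates nsp's range check
// for the mime version at the end of a dependency path. A tiny comparator is
// inlined so it runs without the `semver` package (MAJOR.MINOR.PATCH only).
const VULNERABLE = '< 1.4.1 || > 2.0.0 < 2.0.3'; // ranges as printed by nsp
const PATCHED = '>= 1.4.1 < 2.0.0 || >= 2.0.3';

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}
// One comparator such as "< 1.4.1" or ">= 2.0.3".
function satisfiesComparator(version, comparator) {
  const m = /^(<=|>=|<|>)?\s*(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const c = compareVersions(version, m[2]);
  const ops = { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0 };
  return m[1] ? ops[m[1]] : c === 0;
}
// "||" separates alternatives; within one, every space-separated comparator
// must hold (e.g. "> 2.0.0 < 2.0.3").
function satisfiesRange(version, range) {
  return range.split('||').some((alt) => {
    const cmps = alt.match(/(?:<=|>=|<|>)?\s*\d+\.\d+\.\d+/g) || [];
    return cmps.length > 0 && cmps.every((c) => satisfiesComparator(version, c));
  });
}
// Leaf version of an nsp path like "app@1.0.0 > express@4.15.5 > mime@1.3.4".
function leafVersion(path) {
  const leaf = path.split('>').pop().trim();
  return leaf.slice(leaf.lastIndexOf('@') + 1);
}

// "vulnerable", "patched", or "unclassified" when neither printed range matches.
function classifyMime(path) {
  const v = leafVersion(path);
  if (satisfiesRange(v, VULNERABLE)) return 'vulnerable';
  if (satisfiesRange(v, PATCHED)) return 'patched';
  return 'unclassified';
}
```

Note that 2.0.0 sits in neither printed range (the vulnerable range starts strictly above it and the patched one stops strictly below it), so `classifyMime` reports it as unclassified rather than guessing.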

@dougwilson
Contributor

Express.js 4.16.0 is out now with the updated dependency 🎉

rutharya pushed a commit to rutharya/RiderTrack that referenced this pull request Feb 2, 2018
…press 4.15

pillarjs/send#146

the same issue reported on git, shows the regular express vulnerability, which required me to upgrade the express server, and other dependencies.

2. have added startMessage.js to print start message on dev builds

3. added start and security check scripts to npm.