[https://issues.apache.org/jira/browse/FLAGON-422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Joshua Poore closed FLAGON-422.
-------------------------------
Resolution: Fixed
> Update NPM modules to fix prototype pollution issues in npm packages
> --------------------------------------------------------------------
>
> Key: FLAGON-422
> URL: https://issues.apache.org/jira/browse/FLAGON-422
> Project: Flagon
> Issue Type: Bug
> Components: UserALE.js
> Affects Versions: UserALE.js 2.0.2
> Reporter: Joshua Poore
> Assignee: Joshua Poore
> Priority: Major
> Fix For: UserALE.js 2.0.2
>
>
> Prototype Pollution is the new hot way to exploit JS, and it's wreaking havoc
> in the larger NPMJS community:
> [https://medium.com/@daniakash/what-is-prototype-pollution-and-why-is-it-such-a-big-deal-2dd8d89a93c]
> It's a latent exploit at the core of JS that most of you already know about.
> If not, read the above article. Packages like jquery and other massive
> projects are affected.
> Should we be scared for UserALE.js? No, probably not at all. Our scripts are
> accessible to the page only through limited APIs, they live elsewhere, and
> are likely more difficult or impossible to exploit in general.
> However, our build pipeline has deep dependencies that rely on affected
> packages: set-value, mixin, lodash (these are like depth=10+). The immediate
> dependencies that are affected include babel, gulp, nodemon. I have already
> issued bug reports or bumped issues in these projects to make sure they're
> getting attention. In some cases like set-value, the gulp community has
> pressured them and npm to update their registry and include fixes in old
> versions of set-value.
> Low risk for our users, I think, however, we should adopt any patches ASAP.
>
> found 282 high severity vulnerabilities in 11741 scanned packages
> run `npm audit fix` to fix 281 of them.
> 1 vulnerability requires manual review. See the full report for details.
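The set-value-style path setter the ticket refers to, as an added example that is not code from the ticket, from UserALE.js, or from the set-value package: a minimal setter that can be made to write to Object.prototype, its hardened form, and a check a build or test step can run to detect that the prototype has been polluted. Function names are assumptions.

```javascript
// Added example (not from FLAGON-422 or UserALE.js): a dotted-path setter
// in the style of set-value, before and after hardening, plus a detector.

// Unsafe: walks the path and creates containers as needed, but treats
// "__proto__" like any other key, so the final write lands on
// Object.prototype and every plain object in the process inherits it.
function setValueUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject the keys that reach the prototype chain, and only
// descend into the target's own properties so an inherited value is
// never used as a container.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setValueSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing to set unsafe key in path: ${path}`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) ||
        typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Detection: a fresh empty object should have no enumerable inherited
// keys. Returns whatever unexpected keys are visible on Object.prototype,
// so a non-empty result means something in the process polluted it.
function pollutedKeys() {
  const found = [];
  for (const k in {}) found.push(k);
  return found;
}
```

Running pollutedKeys() after the audit-fixed dependency tree has loaded is a cheap regression check that the fix in a deep dependency actually took effect.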
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)