Ian Thompson created THRIFT-5223:
------------------------------------
Summary: [Skyscanner] JS-Doc Latest Release Tag Is Not The Actual Current Release And Introduces Vulnerable Package
Key: THRIFT-5223
URL: https://issues.apache.org/jira/browse/THRIFT-5223
Project: Thrift
Issue Type: Bug
Affects Versions: 0.13.0
Environment: Production
Reporter: Ian Thompson
Fix For: 0.14.0, 1.0, 0.13.0
We are seeing a warning on builds of our internal distributed JS tracing
solution.
Our core client tracer is Lightstep which introduces thrift
([https://github.com/lightstep/lightstep-tracer-javascript/blob/master/package.json#L28])
Our vulnerability catcher - SNYK - is blocking builds due to picking up an
issue with the {{marked}} ([https://www.npmjs.com/package/marked]) lib
introduced through {{js-doc}} ([https://www.npmjs.com/package/jsdoc]) which is
used in {{thrift}}
([https://github.com/apache/thrift/blob/0.13.0/package.json#L52]).
We have noticed that {{js-doc}} is using the *Latest Release* version, which
in fact is pointing to an older release version; {{js-doc}} is at 3.5.5 (2017)
while the actual latest is 3.6.4.
The vulnerability in the \{{marked}} lib is described here:
[https://snyk.io/vuln/SNYK-JS-MARKED-174116]
Since this is a dev dependency and has a {{MEDIUM SEVERITY}} score, it would be
cool if we updated the dependency ({{js-doc}}) to take advantage of the fixes
therein.
We can then notify Lightstep to make an update.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
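An added example, not code from this issue, from Lightstep, from Snyk or from the Apache Thrift project, showing the two checks the report implies: whether a package's npm "latest" dist-tag lags behind its highest stable published version (the jsdoc 3.5.5 vs 3.6.4 situation), and by which path a flagged package such as marked is reached in a dependency tree. The registry metadata and the tree below are constructed to mirror the shapes of `npm view <pkg> --json` and `npm ls --json`; apart from jsdoc 3.5.5 / 3.6.4 and thrift 0.13.0, which the issue states, every version number, the `3.7.0-beta.1` prerelease and the `lightstep-tracer` node name are hypothetical placeholders. Runs offline under Node.

```javascript
// Added example; not from THRIFT-5223, Lightstep, Snyk or Apache Thrift.
// Check 1: does a package's "latest" dist-tag lag behind its highest stable
//          published version?
// Check 2: by which path does a flagged package ("marked") enter the tree?
// Registry metadata and tree are CONSTRUCTED; only jsdoc 3.5.5/3.6.4 and
// thrift 0.13.0 come from the issue, every other version is a placeholder.

const SEMVER = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/;

function parseSemver(v) {
  const m = SEMVER.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Numeric major.minor.patch comparison; prereleases are filtered out before
// this is called, so the prerelease field is deliberately ignored here.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Highest stable version in a list; prereleases never qualify for "latest".
function highestStable(versions) {
  const stable = versions.filter((v) => !parseSemver(v).prerelease);
  if (stable.length === 0) return null;
  return stable.sort(compareSemver)[stable.length - 1];
}

// Input shape mirrors `npm view <pkg> --json`: dist-tags plus a versions map.
function latestTagLag(meta) {
  const latest = meta['dist-tags'].latest;
  const highest = highestStable(Object.keys(meta.versions));
  const lagging = highest !== null && compareSemver(latest, highest) < 0;
  return { latest, highest, lagging };
}

// Depth-first walk of an `npm ls --json`-style tree, collecting every path
// that ends at `target`, each hop rendered as name@version.
function findPaths(node, target, path = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const hop = path.concat(`${name}@${child.version}`);
    if (name === target) out.push(hop);
    findPaths(child, target, hop, out);
  }
  return out;
}

// For each hop on each path to `target`, say whether that package's "latest"
// tag lags (null when the package is absent from the registry excerpt), so
// the maintainer nearest the stale tag can be identified.
function report(tree, registry, target) {
  return findPaths(tree, target).map((hops) =>
    hops.map((entry) => {
      const name = entry.slice(0, entry.lastIndexOf('@'));
      const meta = registry[name];
      return { entry, lagging: meta ? latestTagLag(meta).lagging : null };
    }),
  );
}

// CONSTRUCTED registry excerpt (jsdoc tag/versions as described in the issue).
const registry = {
  jsdoc: {
    'dist-tags': { latest: '3.5.5' },
    versions: { '3.5.5': {}, '3.6.0': {}, '3.6.4': {}, '3.7.0-beta.1': {} },
  },
  thrift: { 'dist-tags': { latest: '0.13.0' }, versions: { '0.12.0': {}, '0.13.0': {} } },
};

// CONSTRUCTED tree; the 0.0.0 versions are placeholders, not real releases.
const tree = {
  name: 'tracing-app',
  dependencies: {
    'lightstep-tracer': {
      version: '0.0.0',
      dependencies: {
        thrift: {
          version: '0.13.0',
          dependencies: {
            jsdoc: { version: '3.5.5', dependencies: { marked: { version: '0.0.0' } } },
          },
        },
      },
    },
  },
};

// Stand-alone usage: print the lag check and every path to marked.
console.log(latestTagLag(registry.jsdoc));
for (const hops of report(tree, registry, 'marked')) {
  console.log(hops.map((h) => `${h.entry}${h.lagging ? ' [latest tag lags]' : ''}`).join(' > '));
}
```

In practice the `registry` object would be filled from `npm view <pkg> --json` and `tree` from `npm ls --json`; the semver handling here is deliberately minimal (no build metadata, no range resolution) so the check stays readable. The `lagging: true` on the jsdoc hop is the signal the reporter is after: the package to chase is the one whose "latest" tag is stale, not the leaf that carries the advisory.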