[
https://issues.apache.org/jira/browse/CB-7736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14224609#comment-14224609
]
ASF GitHub Bot commented on CB-7736:
------------------------------------
Github user kant2002 commented on the pull request:
https://github.com/apache/cordova-lib/pull/113#issuecomment-64407129
Sorry for spamming, but everything except npm v 1.3.4 is up to date. I have
to bump it to 1.4.27, which is lowest version of NPM which does not have qs
vulnerability. I will update to latest upstream code and republish push request.
> Vulnerability in qs dependency
> ------------------------------
>
> Key: CB-7736
> URL: https://issues.apache.org/jira/browse/CB-7736
> Project: Apache Cordova
> Issue Type: Bug
> Components: CLI
> Affects Versions: 3.6.0
> Reporter: Victor Adrian Sosa Herrera
> Priority: Critical
>
> There is a very well documented vulnerability issue in the qs module that
> comes as a dependency in request in cordova-cli
> https://nodesecurity.io/advisories/qs_dos_memory_exhaustion
> Here the tree of modules
> [email protected]
> ┬ [email protected]
> ├─┬ [email protected]
> │ └─┬ [email protected]
> │ └── [email protected]
> └─┬ [email protected]
> └── [email protected]
> Even though the tree says it is in a Cordova 3.5.0, the same versions are
> found in 3.6.3
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
