
High severity vulnerabilities in dependencies #340

Open
m-hauck opened this issue May 31, 2022 · 3 comments


m-hauck commented May 31, 2022

Hi there,

I get the following four high severity vulnerabilities after installing the latest version 1.14.1.

Is there any plan to fix the issues with updated dependencies?

# npm audit report

async  <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/winston/node_modules/async
  winston  0.4.0 - 2.4.5 || 3.0.0-rc0 - 3.0.0-rc6
  Depends on vulnerable versions of async
  node_modules/winston
    browserstack-cypress-cli  >=1.1.4
    Depends on vulnerable versions of requestretry
    Depends on vulnerable versions of winston
    node_modules/browserstack-cypress-cli

requestretry  <7.0.0
Severity: high
Cookie exposure in requestretry - https://github.com/advisories/GHSA-hjp8-2cm3-cc45
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/requestretry

4 high severity vulnerabilities
pranavj1001 (Member) commented

Hey @m-hauck, can you please try upgrading to v1.16.0? We have bumped up the version, and on running npm audit we see no high or critical vulnerabilities now.


m-hauck commented Jun 30, 2022

Hi @pranavj1001, thanks for the update. This fixes the four high severity vulnerabilities for me. Now I only have five moderate severity vulnerabilities left.

# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        browserstack-cypress-cli  >=1.11.0
        Depends on vulnerable versions of update-notifier
        node_modules/browserstack-cypress-cli

5 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Is there any plan on fixing those as well?

pranavj1001 (Member) commented

Hey @m-hauck, we don't have plans for fixing this in the near future. Updating the update-notifier library introduces some breaking changes for browserstack-cypress-cli. We'll revisit this. Until then, I'm keeping this issue open.
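Both reports in this thread show the pattern a reviewer has to untangle by hand: a vulnerable package several levels deep, and a fix that npm will only apply as a breaking bump of the direct dependency. The following Node.js script is an added example (not code from the thread or from browserstack-cypress-cli) that triages `npm audit --json` output (auditReportVersion 2) into one finding per advisory, naming the direct dependency that pulls it in and classifying the fix as none, non-breaking or breaking. The sample report is constructed to mirror the first report above; the advisory id is omitted and the fix version is a placeholder.

```javascript
// Constructed sample mirroring the first audit report in the thread:
// async <2.6.4 reached through winston from browserstack-cypress-cli.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    async: {
      name: "async", severity: "high", isDirect: false, range: "<2.6.4",
      via: [{ name: "async", dependency: "async", severity: "high", range: "<2.6.4",
              title: "Prototype Pollution in async",
              url: "https://github.com/advisories/GHSA-fwr7-v2mv-hh25" }],
      effects: ["winston"], nodes: ["node_modules/winston/node_modules/async"],
      fixAvailable: { name: "browserstack-cypress-cli", version: "X.Y.Z", isSemVerMajor: true }, // version is a placeholder
    },
    winston: {
      name: "winston", severity: "high", isDirect: false, range: "0.4.0 - 2.4.5",
      via: ["async"], effects: ["browserstack-cypress-cli"], nodes: ["node_modules/winston"],
    },
    "browserstack-cypress-cli": {
      name: "browserstack-cypress-cli", severity: "high", isDirect: true, range: ">=1.1.4",
      via: ["winston"], effects: [], nodes: ["node_modules/browserstack-cypress-cli"],
    },
  },
};

// Walk `effects` upward until packages listed directly in package.json are reached.
function directDependents(vulns, name, seen = new Set()) {
  const v = vulns[name];
  if (!v || seen.has(name)) return [];
  seen.add(name);
  if (v.isDirect) return [name];
  return v.effects.flatMap((e) => directDependents(vulns, e, seen));
}

// npm reports fixAvailable as false, true, or an object describing a semver-major bump.
function fixClass(fix) {
  if (fix === false) return "none";
  if (fix === true || !fix.isSemVerMajor) return "non-breaking";
  return `breaking: ${fix.name}@${fix.version}`;
}

// One finding per advisory: only `via` entries that are objects carry an advisory;
// string entries mean "vulnerable only through that other package".
function triage(report) {
  const vulns = report.vulnerabilities;
  return Object.entries(vulns).flatMap(([name, v]) =>
    v.via.filter((x) => typeof x === "object").map((adv) => ({
      package: name, range: adv.range, severity: adv.severity, url: adv.url,
      reachedVia: [...new Set(directDependents(vulns, name))],
      fix: fixClass(v.fixAvailable),
    })));
}
console.log(JSON.stringify(triage(sampleReport), null, 2));
```

On a real project, pipe `npm audit --json > audit.json` and pass the parsed file to `triage`; findings classified as "breaking" are the ones that `npm audit fix` will not apply without `--force`.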
