Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

iot/mqtt_example reports high severity vulnerability - handlebars #1263

Closed
nkolban opened this issue May 4, 2019 · 4 comments · Fixed by #1282
Closed

iot/mqtt_example reports high severity vulnerability - handlebars #1263

nkolban opened this issue May 4, 2019 · 4 comments · Fixed by #1282
Assignees

Comments

@nkolban
Copy link

nkolban commented May 4, 2019

I'm following the recipe for installing the IoT mqtt_example. When I run npm install a high severity vulnerability is reported. Performing npm audit upon it, reports:

                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.0.14 <4.1.0 || >=4.1.2                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @google-cloud/nodejs-repo-tools [dev]                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @google-cloud/nodejs-repo-tools > nyc > istanbul-reports >   │
│               │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/755                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 5646 scanned packages
  1 vulnerability requires manual review. See the full report for details.

@fhinkel
Copy link
Contributor

fhinkel commented May 8, 2019

cc @gguuss

@gguuss
Copy link
Contributor

gguuss commented May 9, 2019

@hongalex Can we remove the nodejs-repo-tools?

@gguuss gguuss assigned hongalex and unassigned gguuss May 9, 2019
@gguuss
Copy link
Contributor

gguuss commented May 13, 2019

Looks like we'll need to update the dependencies within nodejs-repo-tools.

@hongalex
Copy link
Contributor

hongalex commented May 14, 2019

nodejs-repo-tools got patched with a newer version of nyc. Once that hits npm, I'll make a PR and close this issue.

In addition, we're also slowly moving NodeJS tests off of using nodejs-repo-tools since we're mostly using it to spawn child processes which we can do with the child_process library.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants