[adapter-node-http] Upgrade nock version to 12.0.3+ to fix Critical CVE-2020-7598 #317

Closed
mleneveut opened this issue Mar 20, 2020 · 4 comments · Fixed by #319
Comments

@mleneveut

Description

There is a CVE-2020-7598 on minimist, which is fixed in mkdirp 0.5.3 or 1.x. Adapter-node-http uses nock@11.7.2:
https://github.com/Netflix/pollyjs/blob/master/packages/%40pollyjs/adapter-node-http/package.json#L49

Could we upgrade to nock@12.0.3, which removes mkdirp and so will fix the CVE?

I don't know if this CVE is exploitable but it fails in our security scanner (Anchore) and our CISO is strict about that, no matter what.

Relevant Links

https://nvd.nist.gov/vuln/detail/CVE-2020-7598

Environment

Node.js v12.16.1
linux 4.4.0-176-generic
npm 6.13.4
yarn 1.22.4
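The issue above is a transitive-dependency problem: the application never lists mkdirp or minimist itself, they arrive through nock. The script below is an added example (not part of this issue or of the pollyjs project) showing how to confirm such a finding from an npm 6 style `package-lock.json` (lockfileVersion 1, the format the environment above would produce) and to report which direct dependency pulls the affected package in. The lockfile and package.json contents are constructed for illustration, as is the second "after upgrade" pair that models nock@12.0.3 dropping mkdirp; the fix threshold (mkdirp 0.5.3) is the one stated in the issue.

```javascript
// Constructed package.json / package-lock.json pair modelling the situation
// described in the issue: the app depends on nock@11.7.2, which requires
// mkdirp, which requires minimist. Not the real pollyjs lockfile.
const BEFORE_PACKAGE = { dependencies: { nock: '^11.7.2' } };
const BEFORE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    nock: { version: '11.7.2', requires: { mkdirp: '^0.5.0', debug: '^4.1.0' } },
    mkdirp: { version: '0.5.1', requires: { minimist: '0.0.8' } },
    minimist: { version: '0.0.8' },
    debug: { version: '4.1.1' },
  },
};

// Constructed pair modelling the proposed fix: nock@12.0.3 no longer requires mkdirp.
const AFTER_PACKAGE = { dependencies: { nock: '^12.0.3' } };
const AFTER_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    nock: { version: '12.0.3', requires: { debug: '^4.1.0' } },
    debug: { version: '4.1.1' },
  },
};

// Split "1.2.3" (optionally "v1.2.3-beta") into numeric parts; pre-release tags are ignored.
function parseVersion(v) {
  return v.replace(/^v/, '').split('-')[0].split('.').map(Number);
}

// True when version a is strictly lower than version b (major.minor.patch compare).
function versionLessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Resolve a package name the way Node would: nearest enclosing "dependencies"
// map first (npm nests a copy when versions conflict), then hoisted ancestors.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return deps[name];
  }
  return null;
}

// Walk from the app's direct dependencies and collect every path that reaches
// `target` at a version below `fixedIn`. Each path is ['nock@11.7.2', 'mkdirp@0.5.1', ...].
function findVulnerablePaths(lock, pkg, target, fixedIn) {
  const found = [];
  function walk(name, scopes, path) {
    const entry = resolve(name, scopes);
    if (!entry) return;
    const label = `${name}@${entry.version}`;
    if (path.includes(label)) return; // cycle guard
    const nextPath = path.concat(label);
    if (name === target && versionLessThan(entry.version, fixedIn)) {
      found.push(nextPath);
    }
    const nextScopes = scopes.concat(entry);
    for (const dep of Object.keys(entry.requires || {})) {
      walk(dep, nextScopes, nextPath);
    }
  }
  for (const direct of Object.keys(pkg.dependencies || {})) {
    walk(direct, [lock], []);
  }
  return found;
}

// Human-readable report lines, one per offending path.
function formatReport(paths, target, fixedIn) {
  if (paths.length === 0) return [`OK: no ${target} below ${fixedIn} reachable`];
  return paths.map((p) => `FOUND: ${p.join(' > ')} (fixed in ${target} ${fixedIn})`);
}

console.log(formatReport(findVulnerablePaths(BEFORE_LOCK, BEFORE_PACKAGE, 'mkdirp', '0.5.3'), 'mkdirp', '0.5.3').join('\n'));
console.log(formatReport(findVulnerablePaths(AFTER_LOCK, AFTER_PACKAGE, 'mkdirp', '0.5.3'), 'mkdirp', '0.5.3').join('\n'));
```

On the "before" pair the report is `FOUND: nock@11.7.2 > mkdirp@0.5.1 (fixed in mkdirp 0.5.3)`, which is the evidence a scanner such as the one mentioned above is acting on; on the "after" pair nothing is reachable. To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync(...))` of the project's own package.json and package-lock.json.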
@mleneveut
Author

Node and npm are fixing their dependencies here:

nodejs/node#32296
npm/cli@e111676

@offirgolan
Collaborator

Thanks for reporting this issue. I'll take a look first thing next week into upgrading nock.

@offirgolan
Collaborator

Released with v4.0.4

@mleneveut
Author

Thanks a lot for your quick answer!
