Unleash/unleash

Security vulnerabilities in multiple libraries

sagarvilas opened this issue · 2 comments

Describe the bug

Hi unleash developers,
There are multiple libraries with critical security vulnerabilities in them. I would like to know if you plan to upgrade/replace those libraries. Below is a list of a few of them.
express 4.19.2
es5-ext 0.10.64
inflight 1.0.6
multer 1.4.5-lts.1
revslidator 0.3.1

Steps to reproduce the bug

No response

Expected behavior

No response

Logs, error output, etc.

No response

Screenshots

No response

Additional context

No response

Unleash version

4.20.1

Subscription type

Open source

Hosting type

Self-hosted

SDK information (language and version)

No response

Hi.

So for security reports, where are you getting your reports? We run regular (daily) scans on our repos and we see no reports on these libraries.

I see from your self-reporting that you're using Unleash 4.20.1, which is more than 15 months old; 6.0.4 is the current, most up-to-date version of Unleash.

To address your specifically listed versions:
express 4.19.2 - most recent version of express, not getting replaced/removed, but will be kept up to date
es5-ext 0.10.64 - Most recent version of es5-ext. Used by memoizee, event-emitter so not getting removed
inflight 1.0.6 - Transitive dependency of glob, which is used by jest, and our make-fetch-happen (http client)
multer 1.4.5-lts1 - Handling multi-part uploads. We found that we aren't using it, so might very well be removed with 6.1.0 (due end of July)
revslidator - Couldn't find this in either our server or our frontend dependency tree.

Hi,
Thank you for the update. We are using Nexus IQ scan, which I believe has stricter policies.
I will consider upgrading to version 6.1.0, that would get rid of at least two vulnerable libraries.