Security Vulnerability in version 2.1.0
simonespa opened this issue · 2 comments
Summary
By running npm audit in https://github.com/bbc/sounds-nav - that uses bbc-a11y version 2.1.0 as a dev dependency - I found the following security vulnerability:
│ High          │ Denial of Service                         │
│ Package       │ https-proxy-agent                         │
│ Patched in    │ >=2.2.0                                   │
│ Dependency of │ bbc-a11y [dev]                            │
│ Path          │ bbc-a11y > httpism > https-proxy-agent    │
│ More info     │ https://nodesecurity.io/advisories/593    │
Expected Behaviour
By adding bbc-a11y as a dev dependency in a project, the npm audit command should not find any vulnerability related to it.
Possible Solution
Read the suggested solution here: https://nodesecurity.io/advisories/593
Steps to Reproduce (for bugs)
Run npm audit within https://github.com/bbc/sounds-nav
Context & Motivation
This fix will have an impact from a security point of view.
Hi @spa-simone
We only recently updated all the dependencies, so it's annoying that we've got a vulnerability already!
If you'd like to submit a PR, that'd be fab.
Hi @spa-simone
I just had a look at this and there's a couple of high dependencies now, but even if we update all our direct dependencies, they still exist.
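The last comment makes the point that bumping the project's own direct dependencies does not remove a finding that sits further down the tree, because the vulnerable version is selected by an intermediate package's range. The following is an added example (not code from the issue, the bbc-a11y project or npm) that walks a dependency tree shaped like the audit path above and reports every route to a package that still resolves below its patched version; the tree and all versions other than the ">=2.2.0" boundary are constructed.

```javascript
// Constructed dependency tree modelled on the audit path in the issue:
// bbc-a11y > httpism > https-proxy-agent. The nested versions are
// placeholders chosen to sit below the patched range, not real releases.
const tree = {
  name: "sounds-nav",
  version: "0.0.0",
  dependencies: {
    "bbc-a11y": {
      version: "2.1.0",
      dependencies: {
        httpism: {
          version: "0.0.0",
          dependencies: {
            "https-proxy-agent": { version: "2.1.1", dependencies: {} },
          },
        },
      },
    },
  },
};

// Compare two dotted numeric versions; any "-prerelease" suffix is ignored.
// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk collecting every path (root excluded) that ends in `pkg`,
// together with the version resolved there and whether it is still below
// `patchedMin`. Nested copies are reported even when a direct copy is fixed,
// which is exactly why updating direct dependencies alone is not enough.
function findVulnerablePaths(root, pkg, patchedMin) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const next = [...path, name];
      if (name === pkg) {
        hits.push({
          path: next.join(" > "),
          version: child.version,
          vulnerable: compareVersions(child.version, patchedMin) < 0,
        });
      }
      walk(child, next);
    }
  };
  walk(root, []);
  return hits;
}
```

Running `findVulnerablePaths(tree, "https-proxy-agent", "2.2.0")` on the constructed tree reports the single path `bbc-a11y > httpism > https-proxy-agent` as vulnerable; feeding it the `dependencies` object from a real package-lock.json (or `npm ls --json`) gives the same report for an actual install.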