brianloveswords/base64url

Vulnerability "npm audit"

Closed this issue · 3 comments

I'm trying to install gh-pages and received from npm audit the message:
=== npm audit security report ===
Moderate: Out-of-bounds Read
Package: base64url
Patched in: >=3.0.0
Dependency of: gh-pages [dev]
Path: gh-pages > base64url
More info: https://nodesecurity.io/advisories/658

[!] 1 vulnerability found - Packages audited: 47 (47 dev, 0 optional)
Severity: 1 Moderate

The message is accurate in that the vulnerability is only an issue when used in Node.js versions up to and including Node 4. These days (LTS schedule: https://github.com/nodejs/Release) Node 4 is not even supported any longer.

For many people, then, the proper outcome is to evaluate your use and, if you're on Node 6, 8, or 10 (the modern ones), to essentially ignore it as not impacted. It's too bad, though, that npm will probably still continue to show this message, as the vulnerability data does not seem to take the engine version into account.

I wonder if it would help to do something such as update package.json to add an engines clause, with the hope that after publishing a minor increment to 3.0.1, the CVE associated with the package would no longer apply with such an engine check...

i.e. adding { "engines" : { "node" : ">= 6.0.0" } } to package.json, or if need really be, adding some kind of explicit check in the library?
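One way to implement the explicit runtime check proposed above, as an added example that is not part of this thread or of the base64url package itself; the 6.0.0 floor mirrors the suggested engines clause, and all function names are assumptions:

```javascript
// Added example (not base64url's own code): a require-time guard of the kind
// the comment above proposes, so a package whose affected code paths only
// matter on old runtimes refuses to load there instead of failing silently.
// Versions are parsed as plain "major.minor.patch" with an optional "v" prefix.

const MIN_NODE = '6.0.0'; // same floor as { "engines": { "node": ">= 6.0.0" } }

// Parse "v4.9.1" or "10.15.3" into a [major, minor, patch] triple of numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new TypeError(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two triples component by component: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` (defaults to the running process) meets the minimum.
function nodeIsSupported(version = process.version, min = MIN_NODE) {
  return compareVersions(parseVersion(version), parseVersion(min)) >= 0;
}

// Hypothetical guard to call at module load: throw with an actionable message
// rather than letting an unsupported runtime reach the affected code.
function assertSupportedNode(version = process.version, min = MIN_NODE) {
  if (!nodeIsSupported(version, min)) {
    throw new Error(
      `this package requires Node >= ${min}; running ${version}. ` +
      'Upgrade Node or pin a release of the package built for your runtime.'
    );
  }
}
```

Note that an `engines` clause alone is only advisory unless npm is run with `engine-strict`, which is why the runtime assertion complements rather than replaces it.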

This has been fixed in master, soon to be fixed in 3.0.1