node-modules/urllib

Vulnerability netmask npm package vulnerable to octal input data

jialinNEU opened this issue · 4 comments

When running the npm audit command, I found this high severity vulnerability (same as issue title) in the urllib package. Any further plan to fix this issue? Thx

https://snyk.io/vuln/SNYK-JS-NETMASK-1089716 is the vulnerability, which suggests updating to 2.0.1 will resolve the issue.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ netmask npm package vulnerable to octal input data           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ netmask                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ proxy-agent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ proxy-agent > pac-proxy-agent > pac-resolver > netmask       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1658                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Follow this ticket, and this library can be updated when proxy-agent is resolved: TooTallNate/node-proxy-agent#61

Actually looks like all we need to do is upgrade proxy-agent to v4 and it should pull in the security fix.
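
Added example, not part of the issue thread or the urllib project: a Node.js check that walks a parsed package-lock.json and reports every installed netmask older than 2.0.1, the release the linked Snyk page gives as the fix. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: locate netmask copies older than 2.0.1 in a parsed package-lock.json.
const FIXED = [2, 0, 1]; // fixed release named in the thread's Snyk link

// True when an "x.y.z" version is below FIXED. Pre-release tags are ignored;
// unparsable versions (git URLs, tarballs) are reported for manual review.
function isBelowFixed(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const part = Number(m[i + 1]);
    if (part !== FIXED[i]) return part < FIXED[i];
  }
  return false;
}

// Returns [{ location, version }] for every affected netmask install.
function findOldNetmask(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [location, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/netmask$/.test(location) && isBelowFixed(meta.version)) {
        hits.push({ location, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" objects mirror nested node_modules.
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'netmask' && isBelowFixed(meta.version)) {
        hits.push({ location: here.join(' > '), version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (version numbers are illustrative).
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'pac-resolver': { version: '3.0.0', dependencies: { netmask: { version: '1.0.6' } } },
    netmask: { version: '2.0.1' },
  },
};
console.log(findOldNetmask(sampleLock));
```

Pass it the result of `JSON.parse` on a project's package-lock.json; an empty array after upgrading means no install of netmask below 2.0.1 remains in the lockfile.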