sindresorhus/parse-json

Upgrade unicode to v10.0.0 to resolve https MITM vulnerability

cevn opened this issue · 6 comments

Where exactly am I using unicode?

cevn commented

vendor/unicode.js :\ I don't understand how it was generated or I would make my own PR. Also worth mentioning is that this package is being flagged for this unicode vuln in our scans, but personally I think it's a false positive based on how the unicode package works and also on how this package includes it, so you can decide whether it's really worth the effort to fix.

Yes, this is an issue for me too. The unicode 6.3.0 package sets off vulnerability scanners even though it no longer has the insecure http:// URL.

Can you provide any hints for how the unicode.js file is generated?

To be clear, the issue is that the newest npm relies on parse-json@2.2.0 which contains the bad version of unicode

My sad short term solution

RUN cd /tmp && \
    git clone https://github.com/sindresorhus/parse-json.git && \
    rm -r /usr/lib/node_modules/npm/node_modules/libnpx/node_modules/yargs/node_modules/read-pkg-up/node_modules/read-pkg/node_modules/load-json-file/node_modules/parse-json && \
    cp -r parse-json /usr/lib/node_modules/npm/node_modules/libnpx/node_modules/yargs/node_modules/read-pkg-up/node_modules/read-pkg/node_modules/load-json-file/node_modules/parse-json
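Before patching node_modules by hand as above, it helps to know which copies of parse-json are actually in the tree and which of them still ship the vendored unicode.js that scanners key on. The script below is an added example, not code from this thread or from the parse-json project; the node_modules layout it builds under make_demo_tree is constructed for the demo, and the path and version values in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the parse-json project): walk a node_modules tree,
# report every copy of parse-json with its version, and flag copies that still
# carry vendor/unicode.js.
set -eu

# find_parse_json ROOT
# Prints one line per parse-json copy: "<version>\t<path>\t<flag>", where
# flag is VENDORED_UNICODE if vendor/unicode.js is present, else ok.
find_parse_json() {
  root="$1"
  find "$root" -type d -name parse-json -path '*/node_modules/*' |
  while IFS= read -r dir; do
    [ -f "$dir/package.json" ] || continue
    # Pull the "version" field out of package.json without needing jq/node.
    version=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
      "$dir/package.json" | head -n 1)
    if [ -f "$dir/vendor/unicode.js" ]; then
      flag=VENDORED_UNICODE
    else
      flag=ok
    fi
    printf '%s\t%s\t%s\n' "$version" "$dir" "$flag"
  done
}

# count_flagged ROOT
# Number of parse-json copies that still ship vendor/unicode.js.
count_flagged() {
  find_parse_json "$1" | grep -c 'VENDORED_UNICODE$' || true
}

# make_demo_tree
# Builds a constructed sample tree (an assumption, not a real npm install):
# one deeply nested parse-json 2.2.0 with vendor/unicode.js, and one
# top-level parse-json 4.0.0 without it. Prints the temp root.
make_demo_tree() {
  base=$(mktemp -d)
  old="$base/node_modules/npm/node_modules/load-json-file/node_modules/parse-json"
  new="$base/node_modules/parse-json"
  mkdir -p "$old/vendor" "$new"
  printf '{"name":"parse-json","version":"2.2.0"}\n' > "$old/package.json"
  printf '// constructed stand-in for the vendored unicode tables\n' > "$old/vendor/unicode.js"
  printf '{"name":"parse-json","version":"4.0.0"}\n' > "$new/package.json"
  printf '%s\n' "$base"
}

# Usage against a real checkout: find_parse_json /usr/lib/node_modules
# Demo run on the constructed tree:
demo_root=$(make_demo_tree)
find_parse_json "$demo_root"
printf 'flagged copies: %s\n' "$(count_flagged "$demo_root")"
rm -rf "$demo_root"
```

A flagged copy is almost always a transitive dependency (load-json-file in this thread's case), so the durable fix is to move the depending package onto a parse-json release that no longer contains vendor/unicode.js, rather than to overwrite the nested directory by hand.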

This is no longer relevant as the unicode.js file is gone in the latest release.