New vulnerabilities in dependent versions of Moment.js and sync-exec (which is probably not needed by node anymore)
Closed this issue · 3 comments
```
$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review                                                                │
│ Some vulnerabilities require your attention to resolve                       │
│                                                                              │
│ Visit https://go.npm.me/audit-guide for additional guidance                  │
└──────────────────────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ moment                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.19.3                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gradle [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gradle > xutil > moment                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/532                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Tmp files readable by other users                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ sync-exec                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gradle [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gradle > xutil > ipv4 > copy-paste > sync-exec               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/310                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

found 2 vulnerabilities (1 low, 1 moderate) in 305 scanned packages
  2 vulnerabilities require manual review. See the full report for details.
$
```
I have the same issue, and have been working through it for days to no avail.

The dependency is: gradle > xutil > ipv4 > copy-paste > sync-exec

The last update by copy-paste is in 2016, and this issue is already raised there: https://github.com/xavi-/node-copy-paste/issues/61

sync-exec has not been updated since 2015: https://github.com/gvarsanyi/sync-exec

We could probably change copy-paste to something else in ipv4? @xudafeng