Skip to content
This repository has been archived by the owner on Jul 24, 2024. It is now read-only.

auditjs vulnerability warnings #2574

Closed
sirudog opened this issue Dec 29, 2018 · 2 comments
Closed

auditjs vulnerability warnings #2574

sirudog opened this issue Dec 29, 2018 · 2 comments

Comments

@sirudog
Copy link

sirudog commented Dec 29, 2018

Hello,

I use auditjs (https://www.npmjs.com/package/auditjs) in my CI build scripts.
This generates a vulnerability report for the package dependencies my project uses.
When the audit command is executed, it reports several warnings about lodash referenced by node-sass package.
The issue is mainly about node-sass using older/vulnerable version of lodash packages.
My question is if node-sass could be updated with a newer version of lodash (4.17.5 or newer), so that these audit warnings could be eliminated.

Here is the output of auditjs:

------------------------------------------------------------
[158/1242] lodash.clonedeep 4.5.0  [VULNERABLE]   2 known vulnerabilities affecting installed version

[CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69
Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69
Dependency path: /node-sass/lodash.clonedeep

CWE-471: Modification of Assumed-Immutable Data (MAID)
The software does not properly protect an assumed-immutable element from being modified by an attacker.

ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Dependency path: /node-sass/lodash.clonedeep
------------------------------------------------------------
------------------------------------------------------------
[769/1242] lodash.assign 4.2.0  [VULNERABLE]   2 known vulnerabilities affecting installed version

[CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69
Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69
Dependency path: /node-sass/lodash.assign

CWE-471: Modification of Assumed-Immutable Data (MAID)
The software does not properly protect an assumed-immutable element from being modified by an attacker.

ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Dependency path: /node-sass/lodash.assign
------------------------------------------------------------
------------------------------------------------------------
[770/1242] lodash.mergewith 4.6.1  [VULNERABLE]   2 known vulnerabilities affecting installed version

[CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69
Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69
Dependency path: /node-sass/lodash.mergewith

CWE-471: Modification of Assumed-Immutable Data (MAID)
The software does not properly protect an assumed-immutable element from being modified by an attacker.

ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Dependency path: /node-sass/lodash.mergewith
------------------------------------------------------------
@xzyfer
Copy link
Contributor

xzyfer commented Dec 29, 2018 via email

@nschonni
Copy link
Contributor

nschonni commented Jan 2, 2019

All the lodash dependencies are marked with ^ so they should all be updated to the latest 4.x release if you clear you dependencies and reinstall (or call npm update)

node-sass/package.json

Lines 63 to 65 in 7c1dd8e

"lodash.assign": "^4.2.0",
"lodash.clonedeep": "^4.3.2",
"lodash.mergewith": "^4.6.0",

@nschonni nschonni closed this as completed Jan 2, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants