3 high severity vulnerabilities in this package #280

Open
pboymt opened this issue Apr 26, 2022 · 3 comments
Comments


pboymt commented Apr 26, 2022

I got the message "3 high severity vulnerabilities" when I installed this package.

# npm audit report

async  <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
No fix available
node_modules/async
  @devicefarmer/adbkit-monkey  *
  Depends on vulnerable versions of async
  node_modules/@devicefarmer/adbkit-monkey
    @devicefarmer/adbkit  *
    Depends on vulnerable versions of @devicefarmer/adbkit-monkey
    node_modules/@devicefarmer/adbkit

3 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

This seems like a very dangerous security problem in the async package used by @devicefarmer/adbkit-monkey. How can it be fixed?
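The audit output above only says that `async` is reached through `@devicefarmer/adbkit-monkey`. The following script, an added example that is not part of this issue or of the adbkit project, walks an npm lockfile (v2/v3 `packages` map) with npm's own nested-then-upward resolution rule and prints every path that ends in a version of `async` below 2.6.4, so the chain can be verified independently of `npm audit`. The lockfile contents and version numbers are constructed sample data.

```javascript
// Added example (not adbkit's code): report dependency paths that reach a
// vulnerable `async`. SAMPLE_LOCK is CONSTRUCTED to mirror the chain in the issue.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "@devicefarmer/adbkit": "*" } },
    "node_modules/@devicefarmer/adbkit": {
      version: "3.0.0", dependencies: { "@devicefarmer/adbkit-monkey": "*" } },
    "node_modules/@devicefarmer/adbkit-monkey": {
      version: "1.0.0", dependencies: { async: "~0.2.0" } },
    "node_modules/async": { version: "0.2.10" },
  },
};

// Numeric major.minor.patch compare; prerelease tags are ignored (sufficient here).
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// npm resolution: look under the requiring package's own node_modules first,
// then walk up one node_modules level at a time until the root.
function resolve(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root; `seen` guards against dependency cycles.
function findVulnerablePaths(lock, target, isVulnerable) {
  const found = [];
  const walk = (path, chain, seen) => {
    const deps = (lock.packages[path] || {}).dependencies || {};
    for (const dep of Object.keys(deps)) {
      const resolved = resolve(lock.packages, path, dep);
      if (!resolved || seen.has(resolved)) continue;
      const version = lock.packages[resolved].version;
      const next = chain.concat(`${dep}@${version}`);
      if (dep === target && isVulnerable(version)) found.push(next.join(" > "));
      walk(resolved, next, new Set(seen).add(resolved));
    }
  };
  walk("", [], new Set());
  return found;
}

const VULNERABLE_ASYNC = (v) => versionLessThan(v, "2.6.4"); // GHSA-fwr7-v2mv-hh25 range
console.log(findVulnerablePaths(SAMPLE_LOCK, "async", VULNERABLE_ASYNC));
```

Once the path is known, the `overrides` field of package.json (npm 8.3 and later) can force the transitive `async` onto a patched release while the upstream dependency is unfixed; re-run the walk on the regenerated lockfile to confirm the chain is gone.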


OxNinja commented May 9, 2022

This vulnerability is not related to this project but to the async package, and as the line says, there is "No fix available" for the moment.


UrielCh commented May 16, 2022

"No fix available" ?

I get:

pnpm audit  
No known vulnerabilities found

in @u4/adbkit-monkey
source: https://github.com/UrielCh/adbkit-monkey

Since I do not know what the purpose of adbkit-monkey is, I never promote it.


OxNinja commented May 17, 2022

I think you might be using the wrong project, @UrielCh.
From a direct fork of the repo:

# npm audit report

async  <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
No fix available
node_modules/async
  @devicefarmer/adbkit-monkey  *
  Depends on vulnerable versions of async
  node_modules/@devicefarmer/adbkit-monkey
    @devicefarmer/adbkit  *
    Depends on vulnerable versions of @devicefarmer/adbkit-monkey
    node_modules/@devicefarmer/adbkit

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix --force`
Will install mocha@10.0.0, which is a breaking change
node_modules/nanoid
  mocha  8.2.0 - 9.1.4
  Depends on vulnerable versions of nanoid
  node_modules/mocha

5 vulnerabilities (2 moderate, 3 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.
