Request dependency <=2.68 opens to potential memory exposure vulnerability

[evilaliv3]

Do you want to request a feature or report a bug?
This ticket is to report a a potential security vulnerability caused by the request dependency.

What is the current behavior?
Various of the dependencies used by angular.js make use of a vulnerable version of the request package (<2.68) that allow potential memory exposure.

Involved dependencies are: insight, fsevents

details:

• https://snyk.io/vuln/npm:request:20160119
• Update request to 2.74.0 sindresorhus/insight#48
• Request dependency <=2.68 opens to potential memory exposure vulnerability fsevents/fsevents#145

In order to address a short term fix it is suggested to modify the current npm shrinkwrap to use request==2.74.0

[gkalpak]

Hm...I see different packages affecting as:

• bower (directly and via bower-registry-client)
• dgeni-packages (via winston)
• karma-sauce-launcher (via wd)

Although these are devDependencies, so only affecting the people working on the Angular codebase.

[evilaliv3]

yes i agree; but when the relevant developers are impacted all the community is impacted.

[mgol]

I'm updating the Karma-related dependencies in #14952, I'll add other related packages in a separate commit as well.

I doubt there's any actual big vulnerability here, though; we don't use request ourselves but via various packages and only to build stuff or connect to Sauce Labs so there may very well not be any way to exploit that.

[evilaliv3]

for what relates bower i've provided a patch: evilaliv3/bower@5a348e0

the ticket to be monitored is: bower/bower#2336

[mgol]

Ah, so it's not fixed in Bower, I just haven't noticed it as it now bundles its all dependencies itself under bower/lib/node_modules; pretty weird. TBH I'd just try to get rid of Bower in favor of npm but, unfortunately, we're relying on package aliases which is not and will not be supported by npm.