
dependency vulnerability within jest@23.4.1 #6753

Closed
bclevering opened this issue Jul 25, 2018 · 6 comments

Comments

@bclevering

bclevering commented Jul 25, 2018

Could you please update the dependencies of jest@23.4.1?

Prototype Pollution

Vulnerable module: extend
Introduced through: jest@23.4.1
Detailed paths
Introduced through: @4.0.0 › jest@23.4.1 › jest-cli@23.4.1 › jest-runtime@23.4.1 › jest-config@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request-promise-native@1.0.5 › request-promise-core@1.1.1 › request@2.87.0 › extend@3.0.1

jest@23.4.1 › jest-cli@23.4.1 › jest-runtime@23.4.1 › jest-config@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request-promise-native@1.0.5 › request@2.87.0 › extend@3.0.1

jest@23.4.1 › jest-cli@23.4.1 › jest-runtime@23.4.1 › jest-config@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request@2.87.0 › extend@3.0.1

jest@23.4.1 › jest-cli@23.4.1 › jest-runner@23.4.1 › jest-runtime@23.4.1 › jest-config@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request-promise-native@1.0.5 › request-promise-core@1.1.1 › request@2.87.0 › extend@3.0.1

jest@23.4.1 › jest-cli@23.4.1 › jest-runner@23.4.1 › jest-config@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request@2.87.0 › extend@3.0.1

jest@23.4.1 › jest-cli@23.4.1 › jest-runner@23.4.1 › jest-runtime@23.4.1 › jest-config@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request-promise-native@1.0.5 › request@2.87.0 › extend@3.0.1

jest@23.4.1 › jest-cli@23.4.1 › jest-runner@23.4.1 › jest-runtime@23.4.1 › jest-config@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request@2.87.0 › extend@3.0.1

jest@23.4.1 › jest-cli@23.4.1 › jest-runner@23.4.1 › jest-config@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request-promise-native@1.0.5 › request-promise-core@1.1.1 › request@2.87.0 › extend@3.0.1

jest@23.4.1 › jest-cli@23.4.1 › jest-runner@23.4.1 › jest-config@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request-promise-native@1.0.5 › request@2.87.0 › extend@3.0.1

jest@23.4.1 › jest-cli@23.4.1 › jest-config@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request-promise-native@1.0.5 › request-promise-core@1.1.1 › request@2.87.0 › extend@3.0.1

jest@23.4.1 › jest-cli@23.4.1 › jest-config@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request-promise-native@1.0.5 › request@2.87.0 › extend@3.0.1

jest@23.4.1 › jest-cli@23.4.1 › jest-config@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request@2.87.0 › extend@3.0.1

jest@23.4.1 › jest-cli@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request-promise-native@1.0.5 › request-promise-core@1.1.1 › request@2.87.0 › extend@3.0.1

jest@23.4.1 › jest-cli@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request-promise-native@1.0.5 › request@2.87.0 › extend@3.0.1

jest@23.4.1 › jest-cli@23.4.1 › jest-environment-jsdom@23.4.0 › jsdom@11.11.0 › request@2.87.0 › extend@3.0.1

Remediation: Your dependencies are out of date, otherwise you would be using a newer extend than extend@3.0.1. Try reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.

Overview
extend is a port of the classic extend() method from jQuery.

Affected versions of this package are vulnerable to Prototype Pollution. Utility functions can be tricked into modifying the prototype of "Object" when the attacker controls part of the structure passed to these functions. This can let an attacker add or modify existing properties that will exist on all objects.

Remediation
Upgrade extend to versions 2.0.2, 3.0.2 or higher.

https://snyk.io/vuln/npm:extend:20180424

Also referenced: #6743
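The advisory's description of the bug, as an added JavaScript example that is not code from this issue or from the extend package: a minimal jQuery-style deep extend that recurses into a "__proto__" key the way the advisory describes, a hardened variant that refuses keys reaching the prototype chain, and a check that reports whether a merge polluted Object.prototype. The JSON payload string is constructed for the example; the fix the advisory recommends is still to upgrade extend to 3.0.2 or higher.

```javascript
// Added example, not the extend package's code. Keys that reach the prototype chain.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable shape: recurses into every key of the source, including "__proto__".
// Reading target["__proto__"] yields Object.prototype, so the nested values are
// written onto the shared prototype instead of onto target.
function deepExtendVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      deepExtendVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened shape: skips the blocked keys and only recurses into properties the
// target itself owns, so nothing inherited is ever mutated.
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = own !== null && typeof own === 'object' ? own : {};
      target[key] = deepExtendSafe(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: JSON.parse creates "__proto__" as an own key, which is
// exactly what a naive recursive merge then walks into.
const CONSTRUCTED_PAYLOAD = '{"__proto__": {"polluted": "yes"}, "name": "cfg"}';

// Merge the payload into a fresh object, then ask an unrelated new object
// whether it inherited the marker. Cleans up so the check is repeatable.
function pollutesPrototype(extendFn) {
  const merged = extendFn({}, JSON.parse(CONSTRUCTED_PAYLOAD));
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return { leaked, mergedName: merged.name };
}

console.log('vulnerable leaks:', pollutesPrototype(deepExtendVulnerable).leaked);
console.log('hardened leaks:', pollutesPrototype(deepExtendSafe).leaked);
```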

@Berkmann18

Berkmann18 commented Jul 25, 2018

The prototype pollution vulnerability was also mentioned in #6743 but in regards to other packages.
Alongside with another vulnerability, all of them were flagged to the relevant repos.

@bclevering
Author

bclevering commented Jul 25, 2018

Hey @Berkmann18, thank you, I will bookmark your issue too: #6743

@thymikee
Collaborator

Jest 23 is 2 versions behind now, let's move on.

@jimmyandrade

I have installed jest 26.4.0 with npm install --save-dev jest and received this:

npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142

@SimenB
Member

SimenB commented Aug 17, 2020

You can follow jsdom/jsdom#2792 which is where we get it from (transitively)

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 11, 2021