Kengo Seki created AVRO-2758:
--------------------------------
Summary: Bump istanbul to 0.4.5
Key: AVRO-2758
URL: https://issues.apache.org/jira/browse/AVRO-2758
Project: Apache Avro
Issue Type: Improvement
Components: js
Reporter: Kengo Seki
Assignee: Kengo Seki
As reported in AVRO-2642, istanbul 0.4.4 or earlier has some vulnerabilities as
follows:
{code}
sekikn@0327d61710c0:~/avro/lang/js$ grep istanbul package.json
"cover": "istanbul cover _mocha -- -f interop -i",
"istanbul": "^0.3.19",
sekikn@0327d61710c0:~/avro/lang/js$ npm i
audited 361 packages in 1.044s
4 packages are looking for funding
run `npm fund` for details
found 3 vulnerabilities (1 moderate, 2 high)
run `npm audit fix` to fix them, or `npm audit` for details
sekikn@0327d61710c0:~/avro/lang/js$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.0.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ istanbul [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ istanbul > fileset > minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/118 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ js-yaml │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.13.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ istanbul [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ istanbul > js-yaml │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/788 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Code Injection │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ js-yaml │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.13.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ istanbul [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ istanbul > js-yaml │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/813 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 vulnerabilities (1 moderate, 2 high) in 361 scanned packages
3 vulnerabilities require manual review. See the full report for details.
{code}
As that issue said, we have to replace istanbul with an alternative in the
future, but at least we should upgrade it to avoid these vulnerabilities for
now.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
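As an added example (not Avro project code), a small Node script that walks an `npm ls --json`-style dependency tree and flags any transitive install whose version is below the "Patched in" ranges listed in the audit output above; the two sample trees and their version numbers are constructed for illustration, not real resolutions.

```javascript
// Added example, not Avro project code: report transitive dependencies whose version
// is below the "Patched in" range from the audit report, with the install path.
// Minimum safe versions come from the audit output (js-yaml takes the higher of its two).
const PATCHED_IN = { minimatch: '3.0.2', 'js-yaml': '3.13.1' };

// Numeric comparison of major.minor.patch; prerelease tags are ignored (enough for this check).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect unpatched nodes, rendering the path as "istanbul > fileset > minimatch".
function findUnpatched(tree, path = []) {
  const findings = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    const min = PATCHED_IN[name];
    if (min && cmpVersion(node.version, min) < 0) {
      findings.push({ path: here.join(' > '), version: node.version, patchedIn: `>=${min}` });
    }
    findings.push(...findUnpatched(node, here));
  }
  return findings;
}

// Constructed tree resembling the pre-bump state: istanbul ^0.3.x with old transitive deps.
const TREE_BEFORE = { dependencies: { istanbul: { version: '0.3.22', dependencies: {
  fileset: { version: '0.1.0', dependencies: { minimatch: { version: '2.0.0' } } },
  'js-yaml': { version: '3.2.0' },
} } } };

// Constructed tree resembling the post-bump state: istanbul 0.4.5 with patched transitive deps.
const TREE_AFTER = { dependencies: { istanbul: { version: '0.4.5', dependencies: {
  fileset: { version: '0.2.0', dependencies: { minimatch: { version: '3.0.4' } } },
  'js-yaml': { version: '3.13.1' },
} } } };

for (const [label, tree] of [['before', TREE_BEFORE], ['after', TREE_AFTER]]) {
  console.log(label, findUnpatched(tree));
}
```

Run against the output of `npm ls --json` after the bump to confirm no path to minimatch or js-yaml below the patched range remains.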