[ https://issues.apache.org/jira/browse/AVRO-2758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kengo Seki updated AVRO-2758:
-----------------------------
    Status: Patch Available  (was: Open)

> Bump istanbul to 0.4.5
> ----------------------
>
>                 Key: AVRO-2758
>                 URL: https://issues.apache.org/jira/browse/AVRO-2758
>             Project: Apache Avro
>          Issue Type: Improvement
>          Components: js
>            Reporter: Kengo Seki
>            Assignee: Kengo Seki
>            Priority: Major
>
> As reported in AVRO-2642, istanbul 0.4.4 or earlier has some vulnerabilities 
> as follows:
> {code}
> sekikn@0327d61710c0:~/avro/lang/js$ grep istanbul package.json 
>     "cover": "istanbul cover _mocha -- -f interop -i",
>     "istanbul": "^0.3.19",
> sekikn@0327d61710c0:~/avro/lang/js$ npm i
> audited 361 packages in 1.044s
> 4 packages are looking for funding
>   run `npm fund` for details
> found 3 vulnerabilities (1 moderate, 2 high)
>   run `npm audit fix` to fix them, or `npm audit` for details
> sekikn@0327d61710c0:~/avro/lang/js$ npm audit
>
>                        === npm audit security report ===
>
> ┌──────────────────────────────────────────────────────────────────────────────┐
> │                                Manual Review                                 │
> │            Some vulnerabilities require your attention to resolve            │
> │                                                                              │
> │         Visit https://go.npm.me/audit-guide for additional guidance          │
> └──────────────────────────────────────────────────────────────────────────────┘
> ┌───────────────┬──────────────────────────────────────────────────────────────┐
> │ High          │ Regular Expression Denial of Service                         │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Package       │ minimatch                                                    │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Patched in    │ >=3.0.2                                                      │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Dependency of │ istanbul [dev]                                               │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Path          │ istanbul > fileset > minimatch                               │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ More info     │ https://npmjs.com/advisories/118                             │
> └───────────────┴──────────────────────────────────────────────────────────────┘
> ┌───────────────┬──────────────────────────────────────────────────────────────┐
> │ Moderate      │ Denial of Service                                            │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Package       │ js-yaml                                                      │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Patched in    │ >=3.13.0                                                     │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Dependency of │ istanbul [dev]                                               │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Path          │ istanbul > js-yaml                                           │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ More info     │ https://npmjs.com/advisories/788                             │
> └───────────────┴──────────────────────────────────────────────────────────────┘
> ┌───────────────┬──────────────────────────────────────────────────────────────┐
> │ High          │ Code Injection                                               │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Package       │ js-yaml                                                      │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Patched in    │ >=3.13.1                                                     │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Dependency of │ istanbul [dev]                                               │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Path          │ istanbul > js-yaml                                           │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ More info     │ https://npmjs.com/advisories/813                             │
> └───────────────┴──────────────────────────────────────────────────────────────┘
> found 3 vulnerabilities (1 moderate, 2 high) in 361 scanned packages
>   3 vulnerabilities require manual review. See the full report for details.
> {code}
> As that issue said, we have to replace istanbul with an alternative in the 
> future, but at least we should upgrade it to avoid these vulnerabilities for 
> now.
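As an added illustration of how the three findings in the report above are derived (this is not part of the issue or of the Avro code base), the following JavaScript walks a constructed npm-style dependency tree and checks each package against the report's "Patched in" ranges, reproducing the "Path" and "Dependency of ... [dev]" columns; the installed versions in the tree and the helper names are assumptions.

```javascript
// Added example, not Avro project code: re-derive the three findings in the
// npm audit report by walking a dependency tree the way npm does. ADVISORIES
// lists the report's packages, "Patched in" ranges and titles verbatim.
const ADVISORIES = [
  { id: 118, pkg: "minimatch", patched: ">=3.0.2", severity: "high", title: "Regular Expression Denial of Service" },
  { id: 788, pkg: "js-yaml", patched: ">=3.13.0", severity: "moderate", title: "Denial of Service" },
  { id: 813, pkg: "js-yaml", patched: ">=3.13.1", severity: "high", title: "Code Injection" },
];

// Constructed `npm ls --json`-style tree mirroring the report's paths;
// the installed versions below are assumed, not measured.
const TREE = { dependencies: {
  istanbul: { version: "0.3.22", dev: true, dependencies: {
    fileset: { version: "0.2.1", dependencies: { minimatch: { version: "2.0.10" } } },
    "js-yaml": { version: "3.6.1" },
  } },
} };

// Numeric comparison of dotted versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Only the ">=x.y.z" form that the report uses is handled here.
function isPatched(version, patchedRange) {
  return compareVersions(version, patchedRange.replace(/^>=/, "")) >= 0;
}

// Depth-first walk carrying the dependency path and the top-level dev flag;
// every package whose version is below an advisory's patched floor is reported.
function findVulnerable(tree, advisories) {
  const findings = [];
  (function walk(deps, path, dev) {
    for (const [name, node] of Object.entries(deps || {})) {
      const chain = [...path, name];
      const isDev = path.length === 0 ? Boolean(node.dev) : dev;
      for (const adv of advisories) {
        if (adv.pkg === name && !isPatched(node.version, adv.patched)) {
          findings.push({ id: adv.id, severity: adv.severity, pkg: name, version: node.version,
            path: chain.join(" > "), dev: isDev, patchedIn: adv.patched });
        }
      }
      walk(node.dependencies, chain, isDev);
    }
  })(tree.dependencies, [], false);
  return findings;
}
```

Running `findVulnerable(TREE, ADVISORIES)` yields advisories 118, 788 and 813 with the same paths as the report, all flagged as dev dependencies.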



--
This message was sent by Atlassian Jira
(v8.3.4#803005)