[ https://issues.apache.org/jira/browse/AVRO-2758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17045884#comment-17045884 ]

Hudson commented on AVRO-2758:
------------------------------

SUCCESS: Integrated in Jenkins build AvroJava #837 (See [https://builds.apache.org/job/AvroJava/837/])
AVRO-2758: Bump istanbul to 0.4.5 (iemejia: [https://github.com/apache/avro/commit/17be402804cd0264d89e94d7b6f8b2d595008656])
* (edit) lang/js/package-lock.json
* (edit) lang/js/package.json


> Bump istanbul to 0.4.5
> ----------------------
>
>                 Key: AVRO-2758
>                 URL: https://issues.apache.org/jira/browse/AVRO-2758
>             Project: Apache Avro
>          Issue Type: Improvement
>          Components: js
>    Affects Versions: 1.9.2
>            Reporter: Kengo Seki
>            Assignee: Kengo Seki
>            Priority: Major
>             Fix For: 1.10.0, 1.9.3
>
>
> As reported in AVRO-2642, istanbul 0.4.4 or earlier has some vulnerabilities as follows:
> {code}
> sekikn@0327d61710c0:~/avro/lang/js$ grep istanbul package.json 
>     "cover": "istanbul cover _mocha -- -f interop -i",
>     "istanbul": "^0.3.19",
> sekikn@0327d61710c0:~/avro/lang/js$ npm i
> audited 361 packages in 1.044s
> 4 packages are looking for funding
>   run `npm fund` for details
> found 3 vulnerabilities (1 moderate, 2 high)
>   run `npm audit fix` to fix them, or `npm audit` for details
> sekikn@0327d61710c0:~/avro/lang/js$ npm audit
> 
>                        === npm audit security report ===
> 
> ┌──────────────────────────────────────────────────────────────────────────────┐
> │                                Manual Review                                 │
> │            Some vulnerabilities require your attention to resolve            │
> │                                                                              │
> │         Visit https://go.npm.me/audit-guide for additional guidance          │
> └──────────────────────────────────────────────────────────────────────────────┘
> ┌───────────────┬──────────────────────────────────────────────────────────────┐
> │ High          │ Regular Expression Denial of Service                         │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Package       │ minimatch                                                    │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Patched in    │ >=3.0.2                                                      │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Dependency of │ istanbul [dev]                                               │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Path          │ istanbul > fileset > minimatch                               │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ More info     │ https://npmjs.com/advisories/118                             │
> └───────────────┴──────────────────────────────────────────────────────────────┘
> ┌───────────────┬──────────────────────────────────────────────────────────────┐
> │ Moderate      │ Denial of Service                                            │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Package       │ js-yaml                                                      │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Patched in    │ >=3.13.0                                                     │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Dependency of │ istanbul [dev]                                               │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Path          │ istanbul > js-yaml                                           │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ More info     │ https://npmjs.com/advisories/788                             │
> └───────────────┴──────────────────────────────────────────────────────────────┘
> ┌───────────────┬──────────────────────────────────────────────────────────────┐
> │ High          │ Code Injection                                               │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Package       │ js-yaml                                                      │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Patched in    │ >=3.13.1                                                     │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Dependency of │ istanbul [dev]                                               │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Path          │ istanbul > js-yaml                                           │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ More info     │ https://npmjs.com/advisories/813                             │
> └───────────────┴──────────────────────────────────────────────────────────────┘
> found 3 vulnerabilities (1 moderate, 2 high) in 361 scanned packages
>   3 vulnerabilities require manual review. See the full report for details.
> {code}
> As that issue said, we have to replace istanbul with an alternative in the future, but at least we should upgrade it to avoid these vulnerabilities for now.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
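The audit report quoted above flags transitive dev dependencies (minimatch via fileset, js-yaml) installed below their patched floors. The script below is an added example, not code from the Avro project or from this issue: it walks a lockfile-v1 style dependency tree and reports every installed copy of a package that sits below the "Patched in" floor from the report, with its full path, so an upgrade like the istanbul bump can be verified offline before and after the change. The `sampleLock` object is constructed to mirror the two paths in the report and is not Avro's real `package-lock.json`; the patched floors are the ones printed by the audit.

```javascript
// Added example (not the Avro project's code): check a lockfile-style
// dependency tree for packages installed below the patched floors that
// the npm audit report above lists for istanbul's dependency tree.

// Patched floors taken from the audit report (lower bound of each fix).
// js-yaml's 3.13.1 floor (advisory 813) also covers advisory 788's 3.13.0.
const PATCHED = {
  minimatch: "3.0.2",
  "js-yaml": "3.13.1",
};

// Constructed lockfile v1 shape (nested "dependencies" objects); the
// versions are illustrative and chosen to reproduce the reported paths.
const sampleLock = {
  name: "avro-js-sample",
  dependencies: {
    istanbul: {
      version: "0.3.19",
      dev: true,
      dependencies: {
        fileset: {
          version: "0.2.1",
          dependencies: { minimatch: { version: "2.0.10" } },
        },
        "js-yaml": { version: "3.2.7" },
      },
    },
    mocha: {
      version: "6.2.2",
      dev: true,
      dependencies: { "js-yaml": { version: "3.13.1" } },
    },
  },
};

// Compare dotted numeric versions (x.y.z); returns <0, 0 or >0. Any
// pre-release suffix is stripped, which is enough for the ranges above.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the nested tree and record every installed copy of a watched
// package whose version is below its patched floor, with the full path
// (the same "a > b > c" form npm audit prints).
function findUnpatched(lock, patched = PATCHED) {
  const findings = [];
  function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, name];
      const floor = patched[name];
      if (floor && compareVersions(info.version, floor) < 0) {
        findings.push({
          path: here.join(" > "),
          version: info.version,
          patchedIn: `>=${floor}`,
        });
      }
      walk(info.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return findings;
}

// Summarise: number of findings and whether every one is reached only
// through a top-level dev dependency (as the "[dev]" tag in the report),
// which matters when deciding how urgently to act.
function summarize(lock, patched = PATCHED) {
  const findings = findUnpatched(lock, patched);
  const devOnly = findings.every((f) => {
    const top = f.path.split(" > ")[0];
    return Boolean(lock.dependencies[top] && lock.dependencies[top].dev);
  });
  return { count: findings.length, devOnly, findings };
}

const report = summarize(sampleLock);
console.log(JSON.stringify(report, null, 2));
```

Running it against the constructed tree reports the two paths from the audit (`istanbul > fileset > minimatch` and `istanbul > js-yaml`) and marks them dev-only; the `mocha > js-yaml` copy at 3.13.1 is not reported. Pointing `findUnpatched` at a real lockfile's `dependencies` object after a bump gives an empty list when the vulnerable copies are gone.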
