
Security vulnerability in passport-azure-ad > bunyan > mv > mkdirp > minimist dependency chain


Core Library

Passport Azure AD (passport-azure-ad)

Core Library Version

4.3.1

Wrapper Library

Not Applicable

Wrapper Library Version

None

Description

The following dependency chain, originating in passport-azure-ad, introduces a security vulnerability which is being flagged by GitHub’s Dependabot: passport-azure-ad > bunyan > mv > mkdirp > minimist

The issue was reported to bunyan a while back but it looks like the project’s maintainers have no interest in fixing it (or the resources to do so): https://github.com/trentm/node-bunyan/issues/667

Can you please consider removing passport-azure-ad’s dependency on bunyan in order to eliminate this high severity vulnerability?


Error Message

No response

Msal Logs

No response

MSAL Configuration

N/A

Relevant Code Snippets

N/A

Reproduction Steps

N/A

Expected Behavior

N/A

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

None (Server)

Regression

No response

Source

Internal (Microsoft)

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 9 (6 by maintainers)

Top GitHub Comments

2 reactions
erik-neumann commented, Apr 11, 2022

We’re running into this as well. Various high severity security issues are reported by our code / dependency analysis. This is also affecting almost any of our products, and authentication isn’t one of the topics where I would say security is of minor importance or not critical. Any idea of a timeline, or is there any workaround we can implement until this is fixed?

0 reactions
jasonnutter commented, Apr 14, 2022

@erik-neumann Thanks for confirming. We are aware of the issues with async and request, so I will close this.


Top Results From Across the Web

mv dependency vulnerable #667 - trentm/node-bunyan - GitHub
I created an issue on that project: andrewrk/node-mv#33 mv hasn't been updated in 6 years. It has a vulnerable version of mkdirp which...

Prototype pollution vulnerability in minimist npm package - Snyk
This security vulnerability that manifests as prototype pollution, enables attackers to overwrite a JavaScript application object prototype.

Minimist vulnerability - npm - Stack Overflow
We are facing critical vulnerability in minimist which is added as ... have no security risk if you aren't using bower, as the...

Fixing security vulnerabilities in npm dependencies ... - ITNEXT
In my case minimist was a dependency of knexnest > knex module. This does fix the vulnerability issue, but when I run npm...

Fixing security vulnerabilities in npm ... - DEV Community
0) -> mkdirp(0.5.1) -> minimist(0.0.8) — the vulnerable version. Resolutions key. 3) And finally the fix was:.
