Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Security vulnerability in dependency tree

See original GitHub issue

npm audit reports finding 2 vulnerabilities

Although the security warning relates to Lodash, it actuall the Vorpal package causing the problem - it hasn’t been updated for months, and appears to be dead

Expected Behavior

There should be no vulnerabilities.

Current Behavior

npm reports

found 2 vulnerabilities (1 low, 1 moderate) in 115 scanned packages 2 vulnerabilities require manual review. See the full report for details.

Affected packages

cli
core
prompt
config-angular

Possible Solution

Steps to Reproduce (for bugs)

Create a new project (or use an existing one)
npm install --save-dev @commitlint/prompt
npm audit

output ->

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.11                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @commitlint/prompt [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @commitlint/prompt > vorpal > inquirer > lodash              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/782                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @commitlint/prompt [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @commitlint/prompt > vorpal > inquirer > lodash              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 vulnerabilities (1 low, 1 moderate) in 115 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

Context

Your Environment

Executable	Version
`commitlint/prompt --version`	7.5.0
`git --version`	2.17.2
`node --version`	11.2.0

Issue Analytics

State:
Created 5 years ago
Reactions:11
Comments:22 (4 by maintainers)

Top GitHub Comments

5reactions

superliuwrcommented, Oct 3, 2019

Hi guys, I understand porting to TS has a higher priority but this issue stops us from using commitlint in our products. As mentioned at the vorpal issue, is it possible to switch to use the fork before we have a proper rewrite?

2reactions

escapedcatcommented, Nov 5, 2021

@iTsFILIPOficial 🎉 ! Thanks for the quick feedback!

My idea would be to merge this and a create next-release. Then you could test that again.
Would try to create this during the weekend.

Top Results From Across the Web

Vulnerabilities in Dependencies: What You Need to Know

The risk of using dependencies with known vulnerabilities has been included in the OWASP top 10 list of security risks. It has been...

Investigate Dependencies in the Application Dependency Tree

LFX Security looks for vulnerabilities in your open-source dependencies and identifies the vulnerabilities. The Dependency Tree dashboard provides detailed ...

78% of vulnerabilities are found in indirect dependencies ...

Snyk has scanned over a million snapshot projects and has discovered that vulnerabilities in indirect dependencies account for 78% of overall ...

Fixing vulnerabilities found in a dependency tree - ITNEXT

Fixing vulnerabilities found in a dependency tree. I'm working for a company that produces financial cloud solutions. We're making a new app ...

Remediating vulnerable dependencies

In operating a system with a dependency scan you'll find that vulnerabilities do pop up in your dependencies, and this is a guide...