Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
vulnerability error
See original GitHub issueHi, there’s a vulnerability error with one of your dependencies.
» npx nsp check
npx: installed 115 in 9.19s
(+) 1 vulnerability found
┌────────────┬────────────────────────────────────────────────────────────────────┐
│ │ Memory Exposure │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name │ tunnel-agent │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS │ 5 (Medium) │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed │ 0.4.3 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <0.6.0 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched │ >=0.6.0 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path │ nuxt-imagemin@0.1.2 > imagemin-webpack-plugin@2.1.1 > │
│ │ imagemin-optipng@5.2.1 > optipng-bin@3.1.4 > bin-build@2.2.0 > │
│ │ download@4.4.3 > caw@1.2.0 > tunnel-agent@0.4.3 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info │ https://nodesecurity.io/advisories/598 │
└────────────┴────────────────────────────────────────────────────────────────────┘
Related: https://github.com/wemake-services/nuxt-imagemin/issues/2
Issue Analytics
- State:
- Created 5 years ago
- Reactions:2
- Comments:7 (6 by maintainers)
Top Results From Across the Web
Improper Error Handling - OWASP Foundation
Improper handling of errors can introduce a variety of security problems for a web site. The most common problem is when detailed internal...
Read more >Application error messages - Vulnerabilities - Acunetix
Application error or warning messages may expose sensitive information about an application's internal workings to an attacker. These messages may also contain ...
Read more >Error Handling Flaws - Information and How to Fix - Veracode
Unfortunately, when errors are not handled in a secure manner, they can expose sensitive information – sometimes leading to vulnerabilities – to attackers....
Read more >Solving the Vulnerability Problem - True Digital Security
Solving the Vulnerability Problem · Not Enough Time · Networks are Constantly Changing · Gaps in Specialized Knowledge · When Positives Can't Be...
Read more >Vulnerability (computing) - Wikipedia
Vulnerabilities are flaws in a computer system that weaken the overall security of the ... Security bug (security defect) is a narrower concept....
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
I’m going to see what I can do to mitigate it, but i’m pretty sure that unfortunately this has to be fixed upstream in my dependencies.
That being said, it seems there is no instance where user-provided authentication can be used with optipng-bin (which is what is using the bin-build/download packages where this is used), so this vulnerability shouldn’t impact anyone because of my plugin (in other words, this plugin, nor any of its dependencies, ever call the vulnerable line of code, so it can’t impact us)
I think if you run
npm --depth 9999 update <package>@<version>it will update the package for all depths of dependencies.