Security vulnerabilities in flux package


The following vulnerabilities are reported by npm audit on the react-json-view package:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-json-view                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-json-view > flux > fbemitter > fbjs > isomorphic-fetch │
│               │ > node-fetch                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1556                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-json-view                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-json-view > flux > fbjs > isomorphic-fetch >           │
│               │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1556                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

It would be great to have it fixed once flux (https://github.com/facebook/flux/issues/504) is updated.
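One way to check whether each installed copy of node-fetch on the paths above falls inside the advisory's "Patched in" range, as an added example that is not part of the issue or of react-json-view. The installed versions in the sample list are constructed, and the range check implements SemVer precedence plus node-semver's prerelease matching rule by hand instead of pulling in the semver package, because the range mixes release and prerelease bounds:

```javascript
// Added example (not from the issue or react-json-view): report which installed copies of the
// advisory's package fall outside the "Patched in" range printed by npm audit above.
const ADVISORY = { pkg: "node-fetch", patched: ">=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9" };
const OPS = { ">=": d => d >= 0, "<=": d => d <= 0, ">": d => d > 0, "<": d => d < 0, "=": d => d === 0 };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`bad version: ${v}`);
  return { main: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split(".") : [] };
}

// SemVer precedence: major.minor.patch, then prerelease identifiers; a prerelease ranks below
// its release (3.0.0-beta.1 < 3.0.0) and numeric identifiers rank below alphanumeric ones.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a.main[i] !== b.main[i]) return a.main[i] - b.main[i];
  if (!a.pre.length || !b.pre.length) return b.pre.length - a.pre.length;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx !== ny) return nx ? -1 : 1;
    if (x !== y) return nx ? +x - +y : (x < y ? -1 : 1);
  }
  return 0;
}

function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split("||").some(clause => {
    // npm prints gaps such as ">= 3.0.0-beta.9"; glue each operator back onto its version
    const comps = clause.trim().replace(/(>=|<=|>|<|=)\s+/g, "$1").split(/\s+/).map(c => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(c);
      return { op: m[1] || "=", ver: parseVersion(m[2]) };
    });
    // node-semver rule: a prerelease only matches a clause naming a prerelease on the same base
    if (v.pre.length && !comps.some(c => c.ver.pre.length && c.ver.main.every((n, i) => n === v.main[i])))
      return false;
    return comps.every(c => OPS[c.op](compareVersions(v, c.ver)));
  });
}

// Constructed sample: the two paths from the audit output with made-up installed versions.
const INSTALLED = [
  { path: "react-json-view > flux > fbemitter > fbjs > isomorphic-fetch > node-fetch", version: "1.7.3" },
  { path: "react-json-view > flux > fbjs > isomorphic-fetch > node-fetch", version: "2.6.1" },
];
function unpatchedCopies(installed, advisory) {
  return installed.filter(i => !satisfies(i.version, advisory.patched)).map(i => i.path);
}
console.log(unpatchedCopies(INSTALLED, ADVISORY)); // only the fbemitter path (1.7.3) is reported
```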

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 17
  • Comments: 7 (3 by maintainers)

Top GitHub Comments

mac-s-g commented, Jan 16, 2021 (3 reactions)

working on this now.

mac-s-g commented, Jan 19, 2021 (1 reaction)

that’s published. let me know if anything comes up with the changes from 1.19 to 1.20.
i updated a ton of dependencies on Saturday which were included with 1.20.

good news: with the update to flux in 1.20.2, we’re down to 0 vulnerabilities (as reported by npm audit).

thanks everyone for nudging this along 😃
