Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Warnings for vulnerabilities in Ubuntu 20.04

See original GitHub issue

The app works correctly, but at the time of installing it, +22 warnings were presented for vulnerabilities, most of which I solved with --force in Ubuntu 20.04. I cloned the project this way: git clone https://github.com/Rob--W/cors-anywhere.git With this I get the project updated or should I download it manually from here?

Issue Analytics

State:
Created 3 years ago
Comments:6 (3 by maintainers)

Top GitHub Comments

4reactions

Rob--Wcommented, Jul 15, 2020

The only non-dev dependency reported by npm audit is http-proxy:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1486                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

As mentioned in https://www.npmjs.com/advisories/1486, the server may crash when the proxyReq.setHeader method is used. My library doesn’t use this event+method and is therefore not vulnerable.

2reactions

Rob--Wcommented, Jul 19, 2020

Do not blindly bump dependencies. As mentioned in https://github.com/Rob--W/cors-anywhere/issues/254#issuecomment-659037020, there is only one non-dev dependency. devDependencies are not used when you use CORS Anywhere, only if you develop it and run tests.

CORS Anywhere uses a specific version of http-proxy because it hooks some internals in order to provide the necessary functionality. There is a chance that bumping the http-proxy version would result in broken functionality, so don’t bump it.

This report is a duplicate of #253 by the way, so I’m going to close this as a duplicate of that other issue. Thanks for contributing useful comments.

Top Results From Across the Web

Ubuntu Security Notices

Developers issue an Ubuntu Security Notice when a security issue is fixed in an official Ubuntu package. To report a security vulnerability in...

Canonical Ubuntu Linux version 20.04 : Security vulnerabilities

# CVE ID CWE ID Vulnerability Type(s) Publish Date Update Date Score 1 CVE‑2022‑0492 287 Bypass 2022‑03‑03 2022‑10‑19 6.9 2 CVE‑2021‑44420 Bypass 2021‑12‑08 2022‑07‑12 7.5 3...

Red Hat, Ubuntu issue warnings over Linux kernel vulnerability

Red Hat and Ubuntu have issued warnings about a serious vulnerability in their Linux distributions. It's described as a heap-based buffer ...

Ubuntu Security Advisory (AV22-536)

Between 20 and 25 September 2022, Ubuntu published Security Notices to address vulnerabilities in the Linux kernel affecting the following ...

Ubuntu Security Advisories - Linuxlookup

USN-5638-1 fixed a vulnerability in Expat. This update provides the corresponding updates for Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, ...