Vulnerable dependent packages
See original GitHub issueCurrently socket.io through dependencies installs engine.io@1.6.11 which is installing accepts@1.14. I currently forked both socket.io and engine.io to get around this and called on those forked repos in my package.json. accepts@1.1.4 currently has a older version of negotiator@0.4.9 which is vulnerable to https://nodesecurity.io/advisories/106 and ws@1.1.0 which is vulnerable to https://nodesecurity.io/advisories/120. These are huge and easiliy implemented vulnerabilities hence why went to to trouble of forking two repos for one line change.
npm list ( before fork)
ββ¬ socket.io@1.4.8
β βββ¬ debug@2.2.0
β β βββ ms@0.7.1
β βββ¬ engine.io@1.6.11
β β βββ¬ accepts@1.1.4
β β β βββ¬ mime-types@2.0.14
β β β β βββ mime-db@1.12.0
β β β βββ negotiator@0.4.9
npm list (after fork)
βββ¬ socket.io@1.4.8 (git://github.com/greenlancer/socket.io.git#77b088993ae2f26ea28a7bee565837e8a9708e96)
β βββ¬ debug@2.2.0
β β βββ ms@0.7.1
β βββ¬ engine.io@1.6.11 (git://github.com/greenlancer/engine.io.git#2c0ae2972b20f6e843dffea17d11262adee3a381)
β β βββ¬ accepts@1.3.3
β β β βββ negotiator@0.6.1
caught with nsp
npm install nsp
nsp check
Issue Analytics
- State:
- Created 7 years ago
- Comments:8 (1 by maintainers)
Top Results From Across the Web
What are Vulnerable Dependencies?
When a security vulnerability is found in a third-party dependency, and a new version with a fix is released, it is the responsibility...
Read more >Vulnerable package dependencies [medium] - Acunetix
Description. One or more packages that are used in your web application are affected by known vulnerabilities. Please consult the details section for...
Read more >Vulnerable Dependency Management Cheat Sheet
Tools. This section lists several tools that can used to analyse the dependencies used by a project in order to detect the vulnerabilities....
Read more >Vulnerabilities in Dependencies: What You Need to Know
Here's what you need to know about the vulnerabilities in dependencies, third party components and open source.
Read more >Auditing package dependencies for security vulnerabilities
If you do not want to fix the vulnerability or update the dependent package yourself, open an issue in the package or dependent...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Relatively minor, but β1.14β vs β1.1.4β. In the world of forked projects, sometimes this is minor but telling that it may be a different project, so best to clarify. Thanks again!
Thanks!
On Thu, Oct 20, 2016 at 9:25 PM, Damien Arrachequesne < notifications@github.com> wrote:
The information contained in this transmission (including any attachments) is confidential and may be privileged. It is intended only for the use of the individual or entity named above. If you are not the intended recipient, dissemination, distribution, or copy of this communication is strictly prohibited. If you have received this communication in error, please erase all copies of this message and its attachments and notify me immediately.