Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Library is Vulnerable Due To Unneeded Dependency

See original GitHub issue

Describe the bug

Please move dependency on:

        "decompress": "4.2.x",
        "decompress-targz": "4.1.x",

from:

    "dependencies": {

to:

    "devDependencies": {

Reasons:

They are only used in prepublish.js
Any product that includes zookeeper is vulnerable due to dependency on decompress.

To Reproduce Steps to reproduce the behavior:

Create a Docker Image with zookeeper dependency
Run X-Ray scanner

Expected behavior

Dependencies only used in build environment should be in devDependecies
zookeeper should not depend on vulnerable packages

Screenshots Found by X-Ray in JFrog.

Desktop (please complete the following information):

OS: Linux
Node.js version: v14.16.1
C/C++ compiler and version: n/a

Issue Analytics

State:
Created 2 years ago
Comments:17

Top GitHub Comments

1reaction

DavidVujiccommented, May 28, 2021

I’m closing this issue, since the original question about vulnerability is ✔️

Please reopen if you think it need any actions.

1reaction

DavidVujiccommented, May 28, 2021

Sorry, my bad. But is that npm install or npm run install? Normally npm install does not include buld, so I’m confused. I’ll have to check, what really happens…

No worries!

The zookeeper build command is just an internally used script, and it is triggered by the “official” install script used by the ones that has added it as a dependency.

So, when you install the dependencies of your app, each one of them will run their own install behind the scenes.

Top Results From Across the Web

Libraries & Application Security, Part 3: Unused Libraries

This is the third blog posting in a series about vulnerable libraries. Click here for part one on known vulnerabilities inside libraries.

A06 Vulnerable and Outdated Components - OWASP Top 10 ...

Remove unused dependencies, unnecessary features, components, files, and documentation. Continuously inventory the versions of both client-side and server-side ...

Best practices for managing Java dependencies - Snyk

In this article, I'll give you some advice and best practices for dealing with Java dependencies in your project.

Beware of Malicious or Vulnerable Third Party Dependencies

Beware of Malicious or Vulnerable Third Party Dependencies · Malicious open-source libraries and container images · Unpatched vulnerabilities.

Software Dependencies: Risks & Security - Rick's Cloud

Outdated code library : This is a scenario where the developer writes a code and completely abandons it, leaving the code without updates....