This repository was archived by the owner on Jan 26, 2019. It is now read-only.
npm audit security report - package: deep-extend #319
Open
Description
For the following npm vulnerability audit report, is our only option to wait for the deep-extend package to get fixed/updated?

Note: When I upgraded to react-scripts-ts@3.0.0, the number of deep-extend vulnerabilities went from 11 down to 9 (while all the randomatic vulnerabilities resolved and went away).

The below audit item is the 2nd of the 9 remaining vulnerabilities (post the 3.0.0 upgrade)... all of the 9 reference paths are noted below this one example audit item.
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts-ts [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts-ts > fsevents > node-pre-gyp > rc > │
│ │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/612 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Path │ react-scripts-ts > fork-ts-checker-webpack-plugin > chokidar │
│ │ > fsevents > node-pre-gyp > rc > deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts-ts > fsevents > node-pre-gyp > rc > │
│ │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts-ts > jest > jest-cli > jest-haste-map > sane > │
│ │ fsevents > node-pre-gyp > rc > deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts-ts > jest > jest-cli > jest-runner > │
│ │ jest-haste-map > sane > fsevents > node-pre-gyp > rc > │
│ │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts-ts > jest > jest-cli > jest-runner > │
│ │ jest-runtime > jest-haste-map > sane > fsevents > │
│ │ node-pre-gyp > rc > deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts-ts > jest > jest-cli > jest-runtime > │
│ │ jest-haste-map > sane > fsevents > node-pre-gyp > rc > │
│ │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts-ts > ts-jest > cpx > chokidar > fsevents > │
│ │ node-pre-gyp > rc > deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts-ts > webpack > watchpack > chokidar > fsevents │
│ │ > node-pre-gyp > rc > deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-scripts-ts > webpack-dev-server > chokidar > fsevents │
│ │ > node-pre-gyp > rc > deep-extend │
└───────────────┴──────────────────────────────────────────────────────────────┘
Insights welcome! 😄
Thanks!!
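Added example, not code from this issue, from deep-extend or from react-scripts-ts: the audit above flags deep-extend for Prototype Pollution, and the snippet below shows what that class of bug looks like in a generic recursive merge and what the hardened form does differently. `naiveMerge`, `safeMerge`, `demo` and the JSON payload are all constructed for illustration; nothing here is claimed to be deep-extend's actual implementation or fix.

```javascript
'use strict';

// Added example (hypothetical helpers, not deep-extend's code).
// A recursive merge that copies every own key of the source into the target,
// and a hardened variant that refuses to walk prototype-affecting keys.

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: JSON.parse('{"__proto__": {...}}') yields an OWN property
// named "__proto__", so Object.keys() returns it, and target["__proto__"] on a
// plain object resolves to Object.prototype. The recursion then writes into
// Object.prototype, which every other object in the process inherits from.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened pattern: skip the three keys that can reach the prototype chain and
// only recurse into properties the target actually owns, never inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // never traverse toward Object.prototype
    const val = source[key];
    if (isPlainObject(val)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed input standing in for any untrusted JSON (config file, request
// body) that ends up in a deep merge.
const UNTRUSTED_JSON = '{"name":"demo","__proto__":{"polluted":true}}';

// Merge the payload into a fresh object with the given merge function, then
// check whether an UNRELATED empty object now inherits the injected key.
// Cleans up Object.prototype afterwards so the check is repeatable.
function demo(mergeFn) {
  const merged = mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { name: merged.name, ownKeys: Object.keys(merged), leaked };
}

console.log('naiveMerge:', demo(naiveMerge)); // leaked: true
console.log('safeMerge: ', demo(safeMerge));  // leaked: false
```

Run it with `node` to see the difference. The `leaked` check is the useful part for a defender: if an object you never touched suddenly has the attacker's key, some merge on the path wrote into `Object.prototype`. The same `hasOwnProperty` guard and blocked-key set are what you would look for when auditing any deep-merge or deep-set helper in a dependency, regardless of which package the audit report names.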