eslint / eslint-plugin-markdown

Lint JavaScript code blocks in Markdown documents

yarn audit

AndersDJohnson opened this issue

Running yarn audit reveals this issue. Can you update the version of unified to the latest compatible version 6.2.0, hoping it has a patch?

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ extend                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.2 <3.0.0 || >=3.0.2                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint-plugin-markdown                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint-plugin-markdown > unified > extend                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/996                         │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 877568

This package depends on unified@^6.1.2, and unified@6.1.2 and unified@6.2.0 both depend on extend@^3.0.0. So I think you should be able to upgrade to extend@^3.0.2 (adjusting your lockfile as necessary) while remaining compatible up the dependency chain? For example, I just ran npm install eslint-plugin-markdown in an empty directory, and npm ls extend now shows v3.0.2:

$ npm install eslint-plugin-markdown
npm WARN saveError ENOENT: no such file or directory, open '/private/tmp/test/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/private/tmp/test/package.json'
npm WARN test No description
npm WARN test No repository field.
npm WARN test No README data
npm WARN test No license field.

+ eslint-plugin-markdown@1.0.2
added 38 packages from 28 contributors and audited 43 packages in 1.614s

18 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm ls extend
/private/tmp/test
└─┬ eslint-plugin-markdown@1.0.2
  └─┬ unified@6.2.0
    └── extend@3.0.2

I'll close this for now as it doesn't look like I'll need to do a version bump since everything in the dependency chain is still in a semver-compatible range, but please let me know if I've missed something!
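The semver reasoning in the reply above (unified declares extend@^3.0.0, the advisory is patched in `>=2.0.2 <3.0.0 || >=3.0.2`, so extend@3.0.2 satisfies both without a version bump), as an added example that is not part of the issue or the eslint-plugin-markdown project. It hand-rolls only the range forms that appear in this thread; the function names are my own, and a real project should use the `semver` package instead.

```javascript
// Minimal semver range check (added example, not from the issue or the project).
// Supports only the forms seen in this thread: x.y.z versions, caret ranges (^x.y.z)
// and "||"-joined sets of >=/< comparators as printed by `yarn audit` under "Patched in".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// One comparator: ">=1.2.3", "<3.0.0", or a bare exact version.
function satisfiesComparator(ver, comp) {
  const m = /^(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)$/.exec(comp.trim());
  if (!m) throw new Error(`unsupported comparator: ${comp}`);
  const c = compare(ver, parseVersion(m[2]));
  switch (m[1] || '=') {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '<': return c < 0;
    default: return c === 0;
  }
}
// "^3.0.0" means >=3.0.0 <4.0.0; "^0.2.1" means >=0.2.1 <0.3.0; "^0.0.3" means >=0.0.3 <0.0.4.
function caretToComparators(range) {
  const [maj, min, pat] = parseVersion(range.slice(1));
  const upper = maj > 0 ? `${maj + 1}.0.0` : min > 0 ? `0.${min + 1}.0` : `0.0.${pat + 1}`;
  return `>=${maj}.${min}.${pat} <${upper}`;
}
// A range is alternatives joined by "||"; each alternative ANDs its space-separated comparators.
function satisfies(version, range) {
  const ver = parseVersion(version);
  return range.split('||').some((alt) => {
    const set = alt.trim().startsWith('^') ? caretToComparators(alt.trim()) : alt.trim();
    return set.split(/\s+/).every((comp) => satisfiesComparator(ver, comp));
  });
}
// Can `candidate` be installed under the parent's declared range AND be a patched version?
// Here: unified declares extend@^3.0.0; the advisory is patched in >=2.0.2 <3.0.0 || >=3.0.2.
function resolvesAdvisory(parentRange, patchedRange, candidate) {
  return satisfies(candidate, parentRange) && satisfies(candidate, patchedRange);
}
console.log(resolvesAdvisory('^3.0.0', '>=2.0.2 <3.0.0 || >=3.0.2', '3.0.2')); // true
```

A `false` result is the signal that a lockfile refresh alone is not enough and the parent package itself needs a range change.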