Update bin-build dependency
mika-s opened this issue · comments
Hi,
This might have been posted somewhere else, but I'll post here just to be sure.
snyk is complaining about a vulnerability in tunnel-agent that jpegtran-bin is dependent on. The issue was fixed in tunnel-agent, but jpegtran-bin still seems to use an old version. caw, download and bin-build seems to have been updated.
snyk output:
✗ Medium severity vulnerability found on tunnel-agent@0.4.3
- desc: Uninitialized Memory Exposure
- info: https://snyk.io/vuln/npm:tunnel-agent:20170305
- from: x@0.1.0 > gulp-imagemin@3.4.0 > imagemin-jpegtran@5.0.2 > jpegtran-bin@3.2.0 > bin-build@2.2.0 > download@4.4.3 > caw@1.2.0 > tunnel-agent@0.4.3
No direct dependency upgrade can address this issue.
Run `snyk wizard` to explore remediation options.
✗ Medium severity vulnerability found on tunnel-agent@0.4.3
- desc: Uninitialized Memory Exposure
- info: https://snyk.io/vuln/npm:tunnel-agent:20170305
- from: x@0.1.0 > gulp-imagemin@3.4.0 > imagemin-jpegtran@5.0.2 > jpegtran-bin@3.2.0 > bin-wrapper@3.0.2 > download@4.4.3 > caw@1.2.0 > tunnel-agent@0.4.3
No direct dependency upgrade can address this issue.
Run `snyk wizard` to explore remediation options.
✗ Medium severity vulnerability found on tunnel-agent@0.4.3
- desc: Uninitialized Memory Exposure
- info: https://snyk.io/vuln/npm:tunnel-agent:20170305
- from: x@0.1.0 > gulp-imagemin@3.4.0 > imagemin-gifsicle@5.2.0 > gifsicle@3.0.4 > bin-wrapper@3.0.2 > download@4.4.3 > caw@1.2.0 > tunnel-agent@0.4.3
No direct dependency upgrade can address this issue.
Run `snyk wizard` to explore remediation options.
✗ Medium severity vulnerability found on tunnel-agent@0.4.3
- desc: Uninitialized Memory Exposure
- info: https://snyk.io/vuln/npm:tunnel-agent:20170305
- from: x@0.1.0 > gulp-imagemin@3.4.0 > imagemin-gifsicle@5.2.0 > gifsicle@3.0.4 > bin-build@2.2.0 > download@4.4.3 > caw@1.2.0 > tunnel-agent@0.4.3
No direct dependency upgrade can address this issue.
Run `snyk wizard` to explore remediation options.
✗ Medium severity vulnerability found on tunnel-agent@0.4.3
- desc: Uninitialized Memory Exposure
- info: https://snyk.io/vuln/npm:tunnel-agent:20170305
- from: x@0.1.0 > gulp-imagemin@3.4.0 > imagemin-optipng@5.2.1 > optipng-bin@3.1.4 > bin-build@2.2.0 > download@4.4.3 > caw@1.2.0 > tunnel-agent@0.4.3
No direct dependency upgrade can address this issue.
Run `snyk wizard` to explore remediation options.
✗ Medium severity vulnerability found on tunnel-agent@0.4.3
- desc: Uninitialized Memory Exposure
- info: https://snyk.io/vuln/npm:tunnel-agent:20170305
- from: x@0.1.0 > gulp-imagemin@3.4.0 > imagemin-optipng@5.2.1 > optipng-bin@3.1.4 > bin-wrapper@3.0.2 > download@4.4.3 > caw@1.2.0 > tunnel-agent@0.4.3
No direct dependency upgrade can address this issue.
Run `snyk wizard` to explore remediation options.
Only the top one is relevant for this issue, but the others are also relevant for imagemin so I included that too. I also know that this can't be exploited in production, but I might as well report it.
There's also a vulnerability in braces, which jpegtran-bin is dependent on as well:
? Low severity vuln found in braces@1.8.5, introduced via imagemin-jpegtran@5.0.2
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:braces:20180219
- from: imagemin-jpegtran@5.0.2 > jpegtran-bin@3.2.0 > bin-build@2.2.0 > decompress@3.0.0 > vinyl-fs@2.4.4 > glob-stream@5.3.5 > micromatch@2.3.11 > braces@1.8.5
Updating the bin-build dependency will fix this too.
Updating bin-build would also fix the warning about deprecated gulp-util that I'm getting due to an old downstream package.
@kevva could you accomplish this for us? Once you do, I'll bubble the issue up to the other packages I'm using that depend on this.
Fixed with #91.