bl package is vulnerable
taku0 opened this issue · comments
npm audit reports the following vulnerability.
| Moderate | Memory Exposure |
| Package | bl |
| Patched in | >=0.9.5 <1.0.0 || >=1.0.1 |
| Dependency of | ssb-invite |
| Path | ssb-invite > level-sublevel > levelup > bl |
| More info | https://npmjs.com/advisories/596 |
level-sublevel is no longer maintained. It uses an old version of levelup ~0.19.0 where the latest version of levelup is 4.3.2.
It might be replaced with subleveldown, but I don't sure.
This is a false positive. It wouldn't actually be possible to steal secrets using this. You'd need to new Buffer(user_value) but ssb-invite controls the value on the server side.