bl package is vulnerable
taku0 opened this issue
taku0 commented
`npm audit` reports the following vulnerability.

| Moderate | Memory Exposure |
|---|---|
| Package | bl |
| Patched in | >=0.9.5 <1.0.0 \|\| >=1.0.1 |
| Dependency of | ssb-invite |
| Path | ssb-invite > level-sublevel > levelup > bl |
| More info | https://npmjs.com/advisories/596 |
`level-sublevel` is no longer maintained. It uses an old version of levelup (`~0.19.0`), where the latest version of levelup is 4.3.2.

It might be replaced with `subleveldown`, but I'm not sure.
Dominic Tarr commented
This is a false positive. It wouldn't actually be possible to steal secrets using this. You'd need to `new Buffer(user_value)`, but ssb-invite controls the value on the server side.
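The distinction Dominic draws (a memory-exposure risk only exists when a caller-controlled *number* reaches `new Buffer()`) is easy to encode as a conversion helper. The following is an added example, not code from bl, levelup or ssb-invite; `safeToBuffer` and `isMemoryExposureRisk` are hypothetical names, and the sample values are constructed.

```javascript
// Added example (not bl's or ssb-invite's code). Old bl versions handed
// append()'s argument straight to new Buffer(); when that argument was an
// untrusted number, the result was an uninitialized allocation whose stale
// bytes could be read back. Routing each argument type explicitly removes
// that path: numbers get a zero-filled allocation, everything else is copied.

// Hardened conversion (hypothetical helper name).
function safeToBuffer(value) {
  if (Buffer.isBuffer(value)) return value;
  if (typeof value === 'string') return Buffer.from(value, 'utf8');
  if (Array.isArray(value) || value instanceof Uint8Array) return Buffer.from(value);
  // A length, not content: Buffer.alloc zero-fills, unlike legacy new Buffer(n).
  if (Number.isInteger(value) && value >= 0) return Buffer.alloc(value);
  throw new TypeError('unsupported value for buffer conversion: ' + typeof value);
}

// Audit check for the false-positive argument above: the advisory only
// matters when the value is a number AND an outside party chooses it.
function isMemoryExposureRisk(value, userControlled) {
  return userControlled === true && typeof value === 'number';
}

// Constructed sample inputs (not real invite data).
const serverInvite = 'constructed.invite.code'; // chosen on the server side
const untrustedSize = 64;                        // e.g. a number from a request body

console.log(isMemoryExposureRisk(serverInvite, false)); // false: server-controlled string
console.log(isMemoryExposureRisk(untrustedSize, true)); // true: caller-controlled number
console.log(safeToBuffer(untrustedSize).every((b) => b === 0)); // true: zero-filled
```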