Request dependency <=2.68 opens to potential memory exposure vulnerability #14961
Comments
|
Hm...I see different packages affecting as:
Although these are devDependencies, so only affecting the people working on the Angular codebase. |
|
yes i agree; but when the relevant developers are impacted all the community is impacted. |
|
I'm updating the Karma-related dependencies in #14952, I'll add other related packages in a separate commit as well. I doubt there's any actual big vulnerability here, though; we don't use request ourselves but via various packages and only to build stuff or connect to Sauce Labs so there may very well not be any way to exploit that. |
Those packages depend on a vulnerable request version. Ref gh-14961
|
for what relates bower i've provided a patch: evilaliv3/bower@5a348e0 the ticket to be monitored is: bower/bower#2336 |
|
Ah, so it's not fixed in Bower, I just haven't noticed it as it now bundles its all dependencies itself under |
The previous version depended on a vulnerable request version. Ref gh-14961
The previous version depended on a vulnerable request version. Ref angulargh-14961
The previous version depended on a vulnerable request version. Ref angulargh-14961
The previous version depended on a vulnerable request version. Ref angulargh-14961
The previous version depended on a vulnerable request version. Ref angulargh-14961
The previous version depended on a vulnerable request version. Ref gh-14961
The previous version depended on a vulnerable request version. Ref gh-14961
|
I've updated some packages; This is the current state on |
|
great @mgol for what relates bower they ignored the ticket. |
|
Here are the links for keeping track of the fix of karma-sauce-launcher: |
|
karma-sauce-launcher has fixed the dep: https://github.com/karma-runner/karma-sauce-launcher/releases/tag/v1.2.0, now we just need to update bower will fix itself once we switch to yarn aliases |
…ages Bower was used to install multiple versions of jQuery which is now handled using Yarn aliases. The remaining two packages, closure-compiler and ng-closure-compiler were installed from zip files which is not supported by Yarn (see yarnpkg/yarn#1483); the first of them was switched to the google-closure-compiler package and the latter was checked in to the repository. Fixes angular#16268 Fixes angular#14961 Ref yarnpkg/yarn#1483
…ages Bower was used to install multiple versions of jQuery which is now handled using Yarn aliases. The remaining two packages, closure-compiler and ng-closure-compiler were installed from zip files which is not supported by Yarn (see yarnpkg/yarn#1483); the first of them was switched to the google-closure-compiler package and the latter was checked in to the repository. Fixes angular#16268 Fixes angular#14961 Ref yarnpkg/yarn#1483
…ages Bower was used to install multiple versions of jQuery which is now handled using Yarn aliases. The remaining two packages, closure-compiler and ng-closure-compiler were installed from zip files which is not supported by Yarn (see yarnpkg/yarn#1483); the first of them exists on npm as the google-closure-compiler but only versions newer than we used are published and they don't work with ng-closure-compiler so - instead - both were checked in to the repository. Fixes angular#16268 Fixes angular#14961 Ref yarnpkg/yarn#1483
…ages Bower was used to install multiple versions of jQuery which is now handled using Yarn aliases. The remaining two packages, closure-compiler and ng-closure-compiler were installed from zip files which is not supported by Yarn (see yarnpkg/yarn#1483); the first of them exists on npm as the google-closure-compiler but only versions newer than we used are published and they don't work with ng-closure-compiler so - instead - both were checked in to the repository. Fixes angular#16268 Fixes angular#14961 Ref yarnpkg/yarn#1483
…ages Bower was used to install multiple versions of jQuery which is now handled using Yarn aliases. The remaining two packages, closure-compiler and ng-closure-compiler were installed from zip files which is not supported by Yarn (see yarnpkg/yarn#1483); the first of them exists on npm as the google-closure-compiler but only versions newer than we used are published and they don't work with ng-closure-compiler so - instead - both were checked in to the repository. Fixes angular#16268 Fixes angular#14961 Ref yarnpkg/yarn#1483
…ages Bower was used to install multiple versions of jQuery which is now handled using Yarn aliases. The remaining two packages, closure-compiler and ng-closure-compiler were installed from zip files which is not supported by Yarn (see yarnpkg/yarn#1483); the first of them exists on npm as the google-closure-compiler but only versions newer than we used are published and they don't work with ng-closure-compiler so - instead - both were checked in to the repository. Fixes #16268 Fixes #14961 Ref yarnpkg/yarn#1483
Do you want to request a feature or report a bug?
This ticket is to report a a potential security vulnerability caused by the request dependency.
What is the current behavior?
Various of the dependencies used by angular.js make use of a vulnerable version of the request package (<2.68) that allow potential memory exposure.
Involved dependencies are: insight, fsevents
details:
In order to address a short term fix it is suggested to modify the current npm shrinkwrap to use request==2.74.0
The text was updated successfully, but these errors were encountered: