Comments (14)
This still affects version 3.0.0 as well
from node-foreman.
@rmg How can we fix the npm audit error?
I just installed node-foreman and ran npm audit and I got no open advisories. It looks like https://www.npmjs.com/advisories/645 now notes "Upgrade to 3.0.1" is the fix @rmg so maybe this can just be closed?
Any updates to this?
I'm about to work on a fix for this, but in the meantime I'd like to list some of the mitigating factors involved so users can decide if they are affected by this or not.
This only affects the --forward feature, which is a development-time convenience feature for running a local http proxy that you can configure your browser to use.
If you're running this proxy in a publicly accessible manner then this vulnerability is probably the least of your concerns.
v3.0.1 has been published with a fix.
I'm at a loss as to how to update the vulnerability DBs
- https://snyk.io/vuln/npm:foreman:20180429 isn't in https://github.com/snyk/vulnerabilitydb so there's nothing to open a pull request against
- https://hackerone.com/reports/320586 doesn't appear to have a mechanism for reporting updates
It would also be nice to update the severity since "high" seems a little misleading considering you need to do something already considered dangerous (run a dev tool as a public open proxy) in order to even expose this.
Do you just email [email protected] or [email protected] ?
Snyk and HackerOne are not affiliated with npm/nsp so I'm not sure what they would be able to do about it.
This still affects version 3.0.1 as well, here is the "npm audit" report extract:
@fmagaldea that advisory is incorrect.
Any updates to this? I get that the vulnerability is fixed but it's still showing the advisory
I've sent an email to [email protected] to ask them to update the record.
When you do get that record updated, would you bump the version to 3.0.2 to make sure our random internal processes see it as a new artifact?