
Bump istanbul to 0.4.5

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.9.2
    • Fix Version/s: 1.10.0
    • Component/s: js
    • Labels:
      None

      Description

      As reported in AVRO-2642, istanbul 0.4.4 or earlier has some vulnerabilities as follows:

      sekikn@0327d61710c0:~/avro/lang/js$ grep istanbul package.json 
          "cover": "istanbul cover _mocha -- -f interop -i",
          "istanbul": "^0.3.19",
      sekikn@0327d61710c0:~/avro/lang/js$ npm i
      audited 361 packages in 1.044s
      
      4 packages are looking for funding
        run `npm fund` for details
      
      found 3 vulnerabilities (1 moderate, 2 high)
        run `npm audit fix` to fix them, or `npm audit` for details
      sekikn@0327d61710c0:~/avro/lang/js$ npm audit
                                                                                      
                             === npm audit security report ===                        
                                                                                      
      ┌──────────────────────────────────────────────────────────────────────────────┐
      │                                Manual Review                                 │
      │            Some vulnerabilities require your attention to resolve            │
      │                                                                              │
      │         Visit https://go.npm.me/audit-guide for additional guidance          │
      └──────────────────────────────────────────────────────────────────────────────┘
      ┌───────────────┬──────────────────────────────────────────────────────────────┐
      │ High          │ Regular Expression Denial of Service                         │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ Package       │ minimatch                                                    │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ Patched in    │ >=3.0.2                                                      │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ Dependency of │ istanbul [dev]                                               │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ Path          │ istanbul > fileset > minimatch                               │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ More info     │ https://npmjs.com/advisories/118                             │
      └───────────────┴──────────────────────────────────────────────────────────────┘
      ┌───────────────┬──────────────────────────────────────────────────────────────┐
      │ Moderate      │ Denial of Service                                            │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ Package       │ js-yaml                                                      │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ Patched in    │ >=3.13.0                                                     │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ Dependency of │ istanbul [dev]                                               │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ Path          │ istanbul > js-yaml                                           │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ More info     │ https://npmjs.com/advisories/788                             │
      └───────────────┴──────────────────────────────────────────────────────────────┘
      ┌───────────────┬──────────────────────────────────────────────────────────────┐
      │ High          │ Code Injection                                               │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ Package       │ js-yaml                                                      │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ Patched in    │ >=3.13.1                                                     │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ Dependency of │ istanbul [dev]                                               │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ Path          │ istanbul > js-yaml                                           │
      ├───────────────┼──────────────────────────────────────────────────────────────┤
      │ More info     │ https://npmjs.com/advisories/813                             │
      └───────────────┴──────────────────────────────────────────────────────────────┘
      found 3 vulnerabilities (1 moderate, 2 high) in 361 scanned packages
        3 vulnerabilities require manual review. See the full report for details.
      

      As that issue said, we have to replace istanbul with an alternative in the future, but at least we should upgrade it to avoid these vulnerabilities for now.


            People

            • Assignee: Kengo Seki (sekikn)
            • Reporter: Kengo Seki (sekikn)
            • Votes: 0
            • Watchers: 3