Uploaded image for project: 'Thrift'
  1. Thrift
  2. THRIFT-5223

[Skyscanner] JS-Doc Latest Release Tag Is Not The Actual Current Release And Introduces Vulnerable Package

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.13.0
    • Fix Version/s: 0.13.0, 0.14.0, 1.0
    • Component/s: None
    • Labels:
    • Environment:

      Production

      Description

      We are seeing a warning on builds of out internal distributed JS tracing solution.

      Our core client tracer is Lightstep which introduces thrift (https://github.com/lightstep/lightstep-tracer-javascript/blob/master/package.json#L28)

      Our vulnerability catcher - SNYK - is blocking builds due to picking up an issue with the marked (https://www.npmjs.com/package/marked) lib introduced through js-doc (https://www.npmjs.com/package/jsdoc) which is used in thrift (https://github.com/apache/thrift/blob/0.13.0/package.json#L52).

      We have noticed that js-doc is using the Latest Release version, which in fact is pointing to an older release version; js-doc is at 3.5.5 (2017) while the actual latest is 3.6.4.

      The vulnerability in the marked lib is described here: https://snyk.io/vuln/SNYK-JS-MARKED-174116

      Since this is a dev dependency and, a MEDIUM SEVERITY score, it would be cool if we had the dependency (js-doc) to take advantage of the fixes therein.

      We can then notify Lightstep to make an update.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              eiathom Ian Thompson
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: