yarn audit --verbose
Audit Request: { | |
"name": "yarn-audit-bug", | |
"version": "0.1.0", | |
"install": [], | |
"remove": [], | |
"metadata": {}, | |
"requires": { | |
"lodash": "1.2.0", | |
"hoek": "2.16.3" | |
}, | |
"dependencies": { | |
"hoek": { | |
"version": "2.16.3", | |
"integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=", | |
"requires": {}, | |
"dependencies": {}, | |
"dev": false | |
}, | |
"lodash": { | |
"version": "1.2.0", | |
"integrity": "sha1-XxajMYqzv2gMe0G1u2Mn6eEIbsQ=", | |
"requires": {}, | |
"dependencies": {}, | |
"dev": false | |
} | |
}, | |
"dev": false | |
} | |
verbose 0.327 Performing "POST" request to "https://registry.yarnpkg.com/-/npm/v1/security/audits". | |
verbose 0.945 Request "https://registry.yarnpkg.com/-/npm/v1/security/audits" finished with status code 200. | |
verbose 0.946 Audit Response: { | |
"actions": [ | |
{ | |
"action": "install", | |
"module": "lodash", | |
"target": "4.17.11", | |
"isMajor": true, | |
"resolves": [ | |
{ | |
"id": 782, | |
"path": "lodash", | |
"dev": false, | |
"optional": false, | |
"bundled": false | |
}, | |
{ | |
"id": 577, | |
"path": "lodash", | |
"dev": false, | |
"optional": false, | |
"bundled": false | |
} | |
] | |
}, | |
{ | |
"action": "review", | |
"module": "hoek", | |
"resolves": [ | |
{ | |
"id": 566, | |
"path": "hoek", | |
"dev": false, | |
"optional": false, | |
"bundled": false | |
} | |
] | |
} | |
], | |
"advisories": { | |
"566": { | |
"findings": [ | |
{ | |
"version": "2.16.3", | |
"paths": [ | |
"hoek" | |
], | |
"dev": false, | |
"optional": false, | |
"bundled": false | |
} | |
], | |
"id": 566, | |
"created": "2018-04-20T21:25:58.421Z", | |
"updated": "2019-02-14T16:00:33.922Z", | |
"deleted": null, | |
"title": "Prototype Pollution", | |
"found_by": { | |
"name": "HoLyVieR" | |
}, | |
"reported_by": { | |
"name": "HoLyVieR" | |
}, | |
"module_name": "hoek", | |
"cves": [], | |
"vulnerable_versions": "<= 4.2.0 || >= 5.0.0 < 5.0.3", | |
"patched_versions": "> 4.2.0 < 5.0.0 || >= 5.0.3", | |
"overview": "Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.\n\nThe `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which leverage `merge` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the `__proto__` property.\n\nThis can be demonstrated like so:\n\n```javascript\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n```\n\nThis type of attack can be used to overwrite existing properties causing a potential denial of service.", | |
"recommendation": "Update to version 4.2.1, 5.0.3 or later.", | |
"references": "", | |
"access": "public", | |
"severity": "moderate", | |
"cwe": "CWE-471", | |
"metadata": { | |
"module_type": "", | |
"exploitability": 5, | |
"affected_components": "" | |
}, | |
"url": "https://npmjs.com/advisories/566" | |
}, | |
"577": { | |
"findings": [ | |
{ | |
"version": "1.2.0", | |
"paths": [ | |
"lodash" | |
], | |
"dev": false, | |
"optional": false, | |
"bundled": false | |
} | |
], | |
"id": 577, | |
"created": "2018-04-24T14:27:02.796Z", | |
"updated": "2018-04-24T14:27:13.049Z", | |
"deleted": null, | |
"title": "Prototype Pollution", | |
"found_by": { | |
"name": "Olivier Arteau (HoLyVieR)" | |
}, | |
"reported_by": { | |
"name": "Olivier Arteau (HoLyVieR)" | |
}, | |
"module_name": "lodash", | |
"cves": [ | |
"CVE-2018-3721" | |
], | |
"vulnerable_versions": "<4.17.5", | |
"patched_versions": ">=4.17.5", | |
"overview": "Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n", | |
"recommendation": "Update to version 4.17.5 or later.", | |
"references": "- [HackerOne Report](https://hackerone.com/reports/310443)", | |
"access": "public", | |
"severity": "low", | |
"cwe": "CWE-471", | |
"metadata": { | |
"module_type": "", | |
"exploitability": 1, | |
"affected_components": "" | |
}, | |
"url": "https://npmjs.com/advisories/577" | |
}, | |
"782": { | |
"findings": [ | |
{ | |
"version": "1.2.0", | |
"paths": [ | |
"lodash" | |
], | |
"dev": false, | |
"optional": false, | |
"bundled": false | |
} | |
], | |
"id": 782, | |
"created": "2019-02-13T16:16:53.770Z", | |
"updated": "2019-02-13T16:16:53.770Z", | |
"deleted": null, | |
"title": "Prototype Pollution", | |
"found_by": { | |
"link": "", | |
"name": "asgerf" | |
}, | |
"reported_by": { | |
"link": "", | |
"name": "asgerf" | |
}, | |
"module_name": "lodash", | |
"cves": [ | |
"CVE-2018-16487" | |
], | |
"vulnerable_versions": "<4.17.11", | |
"patched_versions": ">=4.17.11", | |
"overview": "Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n", | |
"recommendation": "Update to version 4.17.11 or later.", | |
"references": "- [HackerOne Report](https://hackerone.com/reports/380873)", | |
"access": "public", | |
"severity": "moderate", | |
"cwe": "CWE-471", | |
"metadata": { | |
"module_type": "", | |
"exploitability": 3, | |
"affected_components": "" | |
}, | |
"url": "https://npmjs.com/advisories/782" | |
} | |
}, | |
"muted": [], | |
"metadata": { | |
"vulnerabilities": { | |
"info": 0, | |
"low": 1, | |
"moderate": 2, | |
"high": 0, | |
"critical": 0 | |
}, | |
"dependencies": 2, | |
"devDependencies": 0, | |
"optionalDependencies": 0, | |
"totalDependencies": 2 | |
} | |
} |