-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
potential security vulnerability via an outdated version of [email protected] > [email protected] #19
Comments
Unfortunately, bumping Changes from PRs browserify/static-eval#18 and browserify/static-module#38 appear to be incompatible with From my findings, For example, with // cmd.js
var fs = require('fs')
var sm = require('./lib/cwise-transform')()
process.stdin.pipe(sm).pipe(process.stdout) // works.js
var cwise = require('cwise')
var f = cwise({
args: ["array"],
body: function() {
return 'yo'
},
}) // fails.js
var cwise = require('cwise')
var f = cwise({
args: ["array"],
body: function(a) {
++a
},
}) then,
that is, it correctly removes the |
Thanks for looking at it. I tried to update the dependency but the tests are failing (I am on windows and not familiar with these libs). |
+1 |
@alhugot I believe your patch in https://github.com/alhugot/cwise/commit/39b4ad8a1c67d94903bdc139e59bc764e59bad6f defeats the purpose of browserify suite where cwise is used as a transform. To double-check, would you mind comparing the output of |
@etpinard I am sorry I don't know much about browserify. Do you mean changing |
ok I see, I have look at https://github.com/scijs/ndarray-fill module which use cwise and indeed the transform is wrong, as in your example. Sorry a bit slow on this one. |
No worries. Thanks for the help! |
+1 |
@etpinard |
@hakandilek thanks for the headsup, but |
What's the reason? Check out my linked pull request. I've integrated Travis
ci also for the actual nodejs versions.
…On Wed, 30 May 2018, 17:44 Étienne Tétreault-Pinard, < ***@***.***> wrote:
@hakandilek <https://github.com/hakandilek> thanks for the headsup, but npm
test fails for me with ***@***.***
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#19 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABBdWf3KaUh7_bwyNR-hvHwpcEnxsTS3ks5t3r5jgaJpZM4SMRVS>
.
|
Ha. Sorry I missed that. Thanks for the PR. |
any update on this issue ? |
potential security vulnerability +1 |
Hello! Is there any update on this one...Is this #21 successfully merged? Thank you! |
Hi,
this is perhaps not the place to report it, please feel free to close the issue, but the version of static-module specified in the package.json is affected by this security vulnerability:
https://nodesecurity.io/advisories/548
[email protected] > [email protected] > [email protected]
I have tried to update static-module to version ^2.0.0 which fixes the issue:
browserify/static-module#34
...but the tests are failing. I do no know this code enough to fix it, any help is welcome.
This is part of making plotly.js pass security tests:
plotly/plotly.js#2386
Would also be good to have a security badge with:
snyk: https://github.com/snyk/snyk#badge
or
nsp: see https://github.com/dwyl/repo-badges
Thx
Alex
The text was updated successfully, but these errors were encountered: