
Node security platform reporting vulnerability in lasso > send > mime dependency #265

Open
gunjam opened this issue Feb 12, 2018 · 1 comment

Comments

@gunjam

gunjam commented Feb 12, 2018

Running nsp check on my project (which uses lasso) I get the following output:

┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Regular Expression Denial of Service                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ mime                                                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 7.5 (High)                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 1.3.4                                                              │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ < 1.4.1 || > 2.0.0 < 2.0.3                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ >= 1.4.1 < 2.0.0 || >= 2.0.3                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ [email protected] > [email protected] > [email protected] > [email protected]      │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/535                             │
└────────────┴────────────────────────────────────────────────────────────────────┘

Is it possible to update to a later version of send which in turn uses a non vulnerable version of mime? The latest version of send, for example, uses mime 1.4.1 which should be fine.

While I'm sure this probably isn't causing any real issues, it is causing concern for certain people in my office 😅

Ta.
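As an added example (not part of the issue, and not lasso's or nsp's own code), the following script shows how the advisory's `Vulnerable` and `Patched` ranges from the table above can be evaluated against an installed version, and how a package-lock-style dependency tree can be walked to report every path that reaches `mime`, the way the `Path` row does. The range grammar (space-separated comparators ANDed, `||` alternatives ORed), the tree shape and the `x.y.z` placeholder versions for `lasso` and `send` are assumptions; only `mime 1.3.4` and the two ranges come from the issue.

```javascript
// Added example: evaluate an nsp-style advisory range against installed versions
// and locate every dependency path that reaches the advisory's package.
// Assumed range grammar: comparators (<, <=, >, >=, =) separated by spaces are
// ANDed; "||" separates alternatives that are ORed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy a range such as "< 1.4.1 || > 2.0.0 < 2.0.3"?
function satisfies(version, range) {
  return range.split('||').some((alt) => {
    const comparators = alt.match(/(>=|<=|>|<|=)\s*\d+\.\d+\.\d+/g) || [];
    return comparators.length > 0 && comparators.every((c) => {
      const [, op, target] = /^(>=|<=|>|<|=)\s*(\S+)$/.exec(c);
      const cmp = compareVersions(version, target);
      switch (op) {
        case '<': return cmp < 0;
        case '<=': return cmp <= 0;
        case '>': return cmp > 0;
        case '>=': return cmp >= 0;
        default: return cmp === 0;
      }
    });
  });
}

// Ranges copied from the advisory table in the issue.
const MIME_ADVISORY = {
  name: 'mime',
  vulnerable: '< 1.4.1 || > 2.0.0 < 2.0.3',
  patched: '>= 1.4.1 < 2.0.0 || >= 2.0.3',
};

// Constructed package-lock-like tree. 'x.y.z' entries are placeholders for the
// lasso and send versions the issue does not show; mime 1.3.4 is the reported one.
const SAMPLE_TREE = {
  dependencies: {
    lasso: {
      version: 'x.y.z',
      dependencies: {
        send: {
          version: 'x.y.z',
          dependencies: { mime: { version: '1.3.4' } },
        },
      },
    },
  },
};

// Depth-first walk returning every path (as ["name@version", ...]) ending at `target`.
function findPaths(node, target, prefix = []) {
  const out = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const path = prefix.concat(`${name}@${dep.version}`);
    if (name === target) out.push(path);
    out.push(...findPaths(dep, target, path));
  }
  return out;
}

// For each install of the advisory's package, report whether it falls in the
// vulnerable range, the patched range, or neither (which deserves manual review).
function audit(tree, advisory) {
  return findPaths(tree, advisory.name).map((path) => {
    const version = path[path.length - 1].split('@')[1];
    return {
      path: path.join(' > '),
      version,
      vulnerable: satisfies(version, advisory.vulnerable),
      patched: satisfies(version, advisory.patched),
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(audit(SAMPLE_TREE, MIME_ADVISORY));
}
```

Checking both ranges rather than just one matters here: as written, the advisory's ranges leave `2.0.0` itself in neither set, so a version that is "not vulnerable" is not automatically "patched". Treat that case as something to look at by hand rather than as a clean result.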

@joshgarde

Bump; after updating node & npm, npm is now yelling at me too.


2 participants