Updated argparse package reference #312
Version of argparse being referenced is very old and has a security vulnerability via an old reference to underscore. argparse has been using lodash for a very long time which alleviates the vulnerability. https://app.snyk.io/vuln/npm:underscore.string:20170908
Thank you for opening this PR 🙌 here's hoping it gets merged and released soon :)
More detail is necessary describing how exactly this vulnerability would affect this library. Please describe how anyone would use this exploit. A pull request to replace argparse with a different library would be much preferred. Otherwise this is a seriously low priority as it's a "vulnerability" in the CLI.
@jonschlinkert I'm a little confused as to how it can be dismissed as low priority when NPM itself is marking it as moderate. https://nodesecurity.io/advisories/745 Is there not a responsibility to mitigate these kinds of vulnerabilities with or without a reproduction or 0-day use-case, especially when the task is as simple as updating a dependency?
If you want to continue the dialog in a thoughtful, productive way, I'd be happy to listen. If, however, you only want to troll the issue by arguing from authority, it's not going to help, as I will continue to look at facts, and not react by emotion.
This means that if you pass a long string (50k characters?), that might look like a date, to the remarkable cli, your experience might be degraded by about 2 seconds. I don't see why anyone would do this to themselves. Edit: Jon answered above while I was typing this out.
Then again, people use Yeoman and Inquirer, which do the same thing but without the vulnerability ;)
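Whether the advisory reaches remarkable at all depends on which argparse the installed tree resolves and whether that argparse still requires underscore.string. The following is an added example, not code from remarkable or argparse: a hypothetical `findChains` walker over a constructed `SAMPLE_LOCK` (package-lock.json v1 layout, placeholder versions) that lists every chain from a project's direct dependencies to a named package.

```javascript
// Added example (not remarkable's or argparse's own code): walk a package-lock.json
// (lockfileVersion 1 layout) and list every dependency chain ending in a given package,
// so a maintainer can check whether a CLI dependency such as argparse still pulls in
// underscore.string. The lockfile and every version below are constructed sample values.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "remarkable": { version: "1.0.0", requires: { "argparse": "^0.1.0" } },
    "argparse": { version: "0.1.0", requires: { "underscore": "^1.0.0", "underscore.string": "^3.0.0" } },
    "underscore": { version: "1.0.0" },
    "underscore.string": { version: "3.0.0" },
    "lodash": { version: "4.0.0" },
    "other-tool": {
      version: "2.0.0",
      requires: { "argparse": "^1.0.0" },
      // Nested install: a newer argparse that npm could not hoist over the older top-level one.
      dependencies: { "argparse": { version: "1.0.0", requires: { "lodash": "^4.0.0" } } },
    },
  },
};
// directDeps comes from the root package.json, because a v1 lockfile's top level mixes
// the project's own dependencies with hoisted transitive ones.
function findChains(lock, directDeps, target) {
  const chains = [];
  // npm resolves a required name against the nearest enclosing "dependencies" scope.
  const resolve = (name, scopes) => {
    for (const scope of scopes) if (scope && scope[name]) return scope[name];
    return null;
  };
  const walk = (name, node, scopes, path) => {
    // Stop on cycles: the name is already on the current chain.
    if (path.some((p) => p.slice(0, p.lastIndexOf("@")) === name)) return;
    const chain = path.concat(`${name}@${node.version}`);
    if (name === target) { chains.push(chain); return; }
    const inner = [node.dependencies].concat(scopes);
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(dep, inner);
      if (child) walk(dep, child, inner, chain);
    }
  };
  for (const name of directDeps) {
    const node = lock.dependencies && lock.dependencies[name];
    if (node) walk(name, node, [lock.dependencies], []);
  }
  return chains;
}
for (const chain of findChains(SAMPLE_LOCK, ["remarkable", "other-tool"], "underscore.string")) {
  console.log(chain.join(" -> ")); // remarkable@1.0.0 -> argparse@0.1.0 -> underscore.string@3.0.0
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass the `dependencies` keys of your package.json as `directDeps`.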
the author of markdown-toc also owns remarkable, and has a policy of not updating for reported security issues. see: https://github.com/jonschlinkert/remarkable/pull/312
* fix: html-webpack-plugin child compiler. fixes #55
* chore: remove markdown-toc
the author of markdown-toc also owns remarkable, and has a policy of not updating for reported security issues. see: jonschlinkert/remarkable#312
We will merge this in, but FWIW, argparse should have released a patch to fix this. An issue should be created with that library, it shouldn't require a bump here.
cc: #310