NPM audit: critical vulnerability #282

Closed
jlaamanen opened this issue May 29, 2018 · 2 comments

Comments

@jlaamanen (Contributor)

npm audit reports a critical vulnerability concerning the open package. There seems to be no fix available in open, and it's not under active development anymore (last updated 4 years ago) and should be deprecated:
pwnall/node-open#67
pwnall/node-open#68

There is an alternative (actively maintained) package available over here: https://www.npmjs.com/package/opn. A quick search shows that there is one line of code using the open package at the moment, which needs to be changed: https://github.com/mbloch/mapshaper/blob/master/bin/mapshaper-gui#L104

jlaamanen pushed a commit to jlaamanen/mapshaper that referenced this issue May 29, 2018
jlaamanen added a commit to jlaamanen/mapshaper that referenced this issue May 29, 2018
jlaamanen added a commit to jlaamanen/mapshaper that referenced this issue May 29, 2018
@mbloch (Owner) commented May 29, 2018

Thanks for the PR -- I just merged it. For the record, the reported vulnerability did not apply to mapshaper-gui, because "unsanitized user input" was not being passed to open().

@jlaamanen (Contributor, Author)

Thanks, happy to help! True that there were no real vulnerabilities, but since npm version 6 was released, npm audit runs automatically along with npm install, so in our project this dependency was listed as having a critical vulnerability, which was a bit of a nuisance... :)
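An added example, not mapshaper's, node-open's or opn's code, of the distinction mbloch draws above between a URL-opening helper that receives "unsanitized user input" and one that does not. It assumes (this is an assumption about the bug class, not a claim from this thread) that the dangerous shape is interpolating the URL into a shell command string, so that a `"; ...` in the input breaks out of the quotes; it then shows the hardened shape: a scheme allowlist via the WHATWG URL parser and an argv array handed to execFile, so no shell ever sees the string. Function names, the constructed sample URLs and the injected `execFile` parameter are all hypothetical; nothing here spawns a real process unless you pass the real `child_process.execFile`.

```javascript
// Hypothetical unsafe shape: user-controlled URL concatenated into a shell
// command. Returned (not executed) so the breakout can be inspected offline.
function buildShellCommand(userUrl) {
  return `xdg-open "${userUrl}"`;
}

// Accept only absolute http(s) URLs that the WHATWG parser can round-trip.
// javascript:, file:, bare "host:port" (parsed as scheme "host") and
// unparseable strings are all rejected with an Error.
function validateUrl(input) {
  if (typeof input !== "string") {
    throw new Error("rejected: URL must be a string");
  }
  let parsed;
  try {
    parsed = new URL(input);
  } catch (e) {
    throw new Error("rejected: not a parseable absolute URL");
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    throw new Error(`rejected: scheme ${parsed.protocol} is not allowed`);
  }
  return parsed.href;
}

// Hardened shape: the validated URL is a single argv element, never a shell
// string. Returns what would be executed so it can be asserted on.
function buildSafeInvocation(input) {
  const url = validateUrl(input);
  const opener = process.platform === "darwin" ? "open" : "xdg-open"; // assumption: typical openers
  return { file: opener, args: [url] };
}

// Launch through an injected execFile (pass require("child_process").execFile
// for real use; a recording stub in tests). No shell option is ever set.
function openInBrowser(input, execFileImpl) {
  const { file, args } = buildSafeInvocation(input);
  return execFileImpl(file, args);
}

// Constructed sample: a hostile "URL" that would have escaped the quotes.
const HOSTILE = 'http://localhost:5000"; touch /tmp/pwned; "';
```

Run `validateUrl(HOSTILE)` and it throws (the port component is not all digits, so the parser rejects it); run `buildShellCommand(HOSTILE)` and the `touch` lands outside the quotes. The scheme allowlist matters even when execFile is used, because the opener itself will happily hand `javascript:` or `file:` targets to the browser.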
