High vulnerability

[broerse]

npm audit Gives me one high vulnerability coming from pouchdb-authentication.

High            Open Redirect
Package         url-parse
Patched in      >=1.4.3
Dependency of   pouchdb-authentication
Path            pouchdb-authentication > url-parse
More info       https://nodesecurity.io/advisories/678

[ptitjes]

Later this week, I will update the dependencies to fix the many vulnerabilities.

[psolom]

Looking forward

[dbugshe2]

Hi, @ptitjes just checking, are we still on track for this fix. I'm really looking forward to this fix. cheers

[ptitjes]

I tried to fix it some days ago. However the npm server was outputing errors while auditing. I'd be grateful if one of you would like to make a PR.

[dbugshe2]

Thanks for clarifying. I'll give a try too and send a PR if it sticks.

[stanlemon]

Is it possible to get this pushed up to npm?

[ptitjes]

@stanlemon Yep, I'll do a release this weekend.

[Didericis]

UPDATE: I thought this fix was released, but looks like it hasn't made it onto NPM yet. The latest version as of this writing (v1.1.3) doesn't include the fix from this PR. Adding the latest commit directly from github to my package.json didn't solve the issue, either, as the lib isn't included in the package.json. I found a fork (https://github.com/silverbackdan/pouchdb-authentication) that allows for installing the latest version. Below worked for me:

"pouchdb-authentication": "git+https://github.com/silverbackdan/pouchdb-authentication.git#c6e903693c1f"

---

I'm still getting a security warning, despite the update: my package-lock.json thinks pouchdb-authentication requires url-parse version 1.2.0. This is what the pouchdb-authentication section of my package-lock.json looks like:

    "pouchdb-authentication": {
      "version": "1.1.3",
      "resolved": "https://registry.npmjs.org/pouchdb-authentication/-/pouchdb-authentication-1.1.3.tgz",
      "integrity": "sha512-xzxmqAK6+rtJlVcFwebLBDlY0dDD5aqEb+bT0xStFp3s6HPC1QEa9C1NzkBScNBb8UG2BygTrVRMJzJLTR2LrA==",
      "requires": {
        "inherits": "2.0.3",
        "pouchdb-ajax": "~6.4.0",
        "pouchdb-binary-utils": "~6.4.0",
        "pouchdb-promise": "~6.4.0",
        "pouchdb-utils": "~6.4.0",
        "url-join": "4.0.0",
        "url-parse": "1.2.0"
      }
    },

[SinanGabel]

Some of the other libraries - and the code using these - probably also need an upgrade/change e.g.
pouchdb-ajax
pouchdb-promise
pouchdb-utils

[uaru]

Maybe this is because the version number in package.json in master needs to be bumped to 1.1.4? Because now it lists dependency on url-parse 1.4.3, but the version of pouchdb is still 1.1.3, and that release still requires 1.2.0.

Of course there is workaround of installing from GitHub, but it should go to NPM...