Comments (11)
markberryms
commented on June 8, 2024
1
I think the issue with the template may have arisen because I pressed the "new issue" button when I was not logged in. I was then redirected via an authentication mechanism, which maybe didn't end up at quite the same destination as I would have reached had I started off being logged in.
from retire.js.
markberryms
commented on June 8, 2024
1
Sorry to reopen, but having tested this, I don't think this change is sufficient.
Although you updated package-lock.json, that's not a file you should be changing manually - you should only be committing it when it has been updated after you make changes to package.json, and rerun npm install.
Any project that depends on retire still gets the vulnerable version of vm2, because it uses your unchanged package.json to work out the dependencies. At the moment, I don't think there is an available proxy-agent version that you can specify in package.json that will fix this.
from retire.js.
eoftedal
commented on June 8, 2024
Did you delete the template or did the issue turn up like this?
from retire.js.
markberryms
commented on June 8, 2024
I was presented with a blank issue to fill in - no template appeared.
from retire.js.
eoftedal
commented on June 8, 2024
I am asking because there is no version number in this bug report, and vm2 was bumped to 3.9.15 in 37c4841#diff-fe08a25452e458b30a1a03997ba261f52747279013dea03225131aee67a56d2cR3116
from retire.js.
markberryms
commented on June 8, 2024
That sounds like it should fix the issue (though there is actually a 3.9.16 now available).
My apologies for not spotting the version 4.1.1 - that's just a tag, not a release
from retire.js.
eoftedal
commented on June 8, 2024
4.1.1 is released to npm as well. Also fixed in version 3.2.4 46f694c#diff-fe08a25452e458b30a1a03997ba261f52747279013dea03225131aee67a56d2cR2202
from retire.js.
eoftedal
commented on June 8, 2024
Itβs weird you didnt get a template. This is what I see
from retire.js.
eoftedal
commented on June 8, 2024
Oh, and thanks for reporting anyways! π
from retire.js.
eoftedal
commented on June 8, 2024
That's a good point. I did not manually change package-lock.json, but updated it using npm audit fix.
But I think the problem is that pacakge-lock.json is not included in the npm package, so that fix never makes it.
I'll probably have to manual add those dependencies to update them, which is... annoying...
from retire.js.
eoftedal
commented on June 8, 2024
# docker run -w /tmp --entrypoint /bin/sh --rm -it node:alpine -c "npm install retire ; npm audit ; npm ls --depth 10 | grep vm2"
added 66 packages in 2s
1 package is looking for funding
run `npm fund` for details
npm notice
npm notice New patch version of npm available! 9.6.3 -> 9.6.4
npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.6.4
npm notice Run npm install -g [email protected] to update!
npm notice
found 0 vulnerabilities
| | | | `-- [email protected]
Note specifically that npm audit returns found 0 vulnerabilities and that vm2 is on version 3.9.16 which is the latest.
from retire.js.
Related Issues (20)
- Retire not generating correct purl when creating cyclonedx bom
- Can retire generate cyclonedx SBOM for all the js scanned and not just vulnerable js HOT 4
- Can retire generate cyclonedx SBOM with license of library HOT 1
- purl of moment.js is still wrong
- purl generated for few components as part cyclonedx BOM is incorrect HOT 1
- purl for datatables incorrect
- Complete type definitions for npm package HOT 4
- Require Support HOT 9
- Bug in JSZip extractor
- --ignore does not ignore given application subdirectory HOT 3
- --outputformat json flag doesn't seem to work HOT 12
- False Positive of momentjs cve-2022-24785 HOT 4
- Invalid jsrepository.json HOT 2
- wrong package version is being reported for lodash HOT 2
- Upstream code from third party maintained browser plugins HOT 3
- Add Mathjax to the repository HOT 2
- Unable to build Chrome Extension HOT 5
- False positive with axios and version string inside comments in axios-mock-adapter HOT 1
- retire js doesnot detect pdfjs
- retirejs doesnot detect pdfobject.js
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from retire.js.