Angular.js: Request dependency <=2.68 opens to potential memory exposure vulnerability
Do you want to request a _feature_ or report a _bug_?
This ticket is to report a a potential security vulnerability caused by the request dependency.
What is the current behavior?
Various of the dependencies used by angular.js make use of a vulnerable version of the request package (<2.68) that allow potential memory exposure.
Involved dependencies are: insight, fsevents
details:
- https://snyk.io/vuln/npm:request:20160119
- https://github.com/yeoman/insight/pull/48
- https://github.com/strongloop/fsevents/issues/145
In order to address a short term fix it is suggested to modify the current npm shrinkwrap to use request==2.74.0
evilaliv3
All 9 comments
Hm...I see different packages affecting as:
bower(directly and viabower-registry-client)dgeni-packages(viawinston)karma-sauce-launcher(viawd)
Although these are devDependencies, so only affecting the people working on the Angular codebase.
gkalpak
on 28 Jul 2016
yes i agree; but when the relevant developers are impacted all the community is impacted.
evilaliv3
on 28 Jul 2016
I'm updating the Karma-related dependencies in #14952, I'll add other related packages in a separate commit as well.
I doubt there's any actual big vulnerability here, though; we don't use request ourselves but via various packages and only to build stuff or connect to Sauce Labs so there may very well not be any way to exploit that.
mgol
on 29 Jul 2016
for what relates bower i've provided a patch: https://github.com/evilaliv3/bower/commit/5a348e075f512850c172a3e106b23c02432f73d9
the ticket to be monitored is: https://github.com/bower/bower/issues/2336
evilaliv3
on 29 Jul 2016
Ah, so it's not fixed in Bower, I just haven't noticed it as it now bundles its all dependencies itself under bower/lib/node_modules; pretty weird. TBH I'd just try to get rid of Bower in favor of npm but, unfortunately, we're relying on package aliases which is not and will not be supported by npm.
mgol
on 29 Jul 2016
I've updated some packages; karma-sauce-launcher & bower still depend on the vulnerable request in their latest versions.
This is the current state on master:
$ npm ls request
angularjs@ ...
โโโฌ [email protected]
โ โโโฌ [email protected]
โ โ โโโ [email protected]
โ โโโ [email protected]
โโโฌ [email protected]
โ โโโฌ [email protected]
โ โโโฌ [email protected]
โ โโโ [email protected]
โโโฌ [email protected]
โ โโโฌ [email protected]
โ โโโ [email protected]
โโโฌ [email protected]
โโโฌ [email protected]
โโโ [email protected]
great @mgol
for what relates bower they ignored the ticket.
for what relates to karma-sauce-launcher instead i forgot to open it, i'm going to do it now.
evilaliv3
on 6 Aug 2016
Here are the links for keeping track of the fix of karma-sauce-launcher:
evilaliv3
on 7 Aug 2016
karma-sauce-launcher has fixed the dep: https://github.com/karma-runner/karma-sauce-launcher/releases/tag/v1.2.0, now we just need to update
bower will fix itself once we switch to yarn aliases
Narretz
on 11 Oct 2017
Related issues
butchpeters
ยท
3Comments
jtorbicki
ยท
3Comments
awerlang
ยท
3Comments
WesleyKapow
ยท
3Comments
visnup
ยท
3Comments
Most helpful comment
I'm updating the Karma-related dependencies in #14952, I'll add other related packages in a separate commit as well.
I doubt there's any actual big vulnerability here, though; we don't use request ourselves but via various packages and only to build stuff or connect to Sauce Labs so there may very well not be any way to exploit that.