Electron-packager: Transitive dependency mksnapshot has a dependency that has a vulnerability

Created on 30 Jan 2019 · 4 Comments · Source: electron/electron-packager

  • [ ] I have read the contribution documentation for this project.
  • [X] I agree to follow the code of conduct that this project follows, as appropriate.
  • [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.

npm audit says that the packager uses a dependency with a vulnerability. Namely,

  High            Arbitrary File Overwrite
  Package         decompress-zip
  Patched in      >=0.2.2 <0.3.0 || >=0.3.2
  Dependency of   electron-packager [dev]
  Path            electron-packager > asar > mksnapshot > decompress-zip
  More info       https://nodesecurity.io/advisories/777

It recommends upgrading the decompress-zip module to version 0.3.2 or higher.

Actually, looking at this now, the update needs to happen in the mksnapshot module, so maybe I'll post there. Or you can change the asar version to one without the vulnerability.
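An added check for the finding above (example code, not from the issue or from Electron Packager): it evaluates an installed decompress-zip version against the audit's "Patched in" range and walks a dependency tree shaped like `npm ls --json` output along the reported path. The range and path are the ones quoted in the audit output; the sample tree and its version numbers are constructed for the example.

```javascript
// Added example, not part of the issue or of Electron Packager: check an installed
// version against an npm-audit "Patched in" range (x.y.z versions; >= > <= < =;
// spaces AND comparators, "||" ORs groups) and walk an `npm ls --json`-shaped tree.
const PATCHED_RANGE = '>=0.2.2 <0.3.0 || >=0.3.2'; // from the audit output
const AUDIT_PATH = ['electron-packager', 'asar', 'mksnapshot', 'decompress-zip'];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not an x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Component-wise numeric comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

const OPS = { '>=': (c) => c >= 0, '>': (c) => c > 0, '<=': (c) => c <= 0,
              '<': (c) => c < 0, '=': (c) => c === 0, '': (c) => c === 0 };

// True when `version` lies inside `range`, i.e. some OR-group is fully satisfied.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((group) =>
    group.trim().split(/\s+/).filter(Boolean).every((comparator) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comparator);
      return OPS[m[1] || ''](compareVersions(v, parseVersion(m[2])));
    }));
}

// The advisory lists the fixed versions, so anything outside the range is vulnerable.
function isVulnerable(installedVersion, patchedRange = PATCHED_RANGE) {
  return !satisfies(installedVersion, patchedRange);
}

// Follow `names` through nested `dependencies` objects; null if the path breaks.
function versionAlongPath(tree, names) {
  let node = tree;
  for (const name of names) {
    node = node.dependencies && node.dependencies[name];
    if (!node) return null;
  }
  return node.version;
}

// Constructed sample tree; these version numbers are illustrative, not from the issue.
const SAMPLE_TREE = { dependencies: { 'electron-packager': { version: '13.0.1', dependencies: {
  asar: { version: '0.14.6', dependencies: { mksnapshot: { version: '0.3.1', dependencies: {
  'decompress-zip': { version: '0.3.0' } } } } } } } } };
```

Call `isVulnerable(versionAlongPath(SAMPLE_TREE, AUDIT_PATH))` to get the verdict for the sample tree, or pass the parsed output of `npm ls decompress-zip --json` in place of it.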

All 4 comments

👋 Thanks for opening your first issue here! If you have a question about using Electron Packager, read the support docs. If you're reporting a 🐛 bug, please make sure you include steps to reproduce it. Development and issue triage is community-driven, so please be patient and we will get back to you as soon as we can.

To help make it easier for us to investigate your issue, please follow the contributing guidelines.

Unfortunately, I can't do anything about this in Electron Packager itself. As npm audit states, this is a dependency of mksnapshot, and I can't seem to find the current repository for it.

mksnapshot is located at https://github.com/electron-archive/node-mksnapshot, which is apparently in the electron archives. @malept can you take another look at this? I don't know who works in that org, but maybe someone in the electron group does. With it using a fixed version, this is a big problem, and if that dependency cannot be upgraded it should be removed.

The Electron maintainers have decided to drop the dependency on node-mksnapshot, see https://github.com/electron/asar/pull/165
