[email protected] has a dependency on optimist, which is no longer maintained and has a child dependency of [email protected]. Minimist has a known vulnerability prior to version 1.2.2 that allows adding and modifying properties of Object.prototype.
https://nvd.nist.gov/vuln/detail/CVE-2020-7598
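As an added illustration of the bug class named above (this is example code written for this page, not karma's or minimist's own source), the block below is a small argv parser in the style of dotted-key parsers: `--a.b=c` becomes `{a: {b: 'c'}}`. Without a guard, the path segment `__proto__` is followed like any other key, so `--__proto__.polluted=yes` writes to `Object.prototype` and every object in the process suddenly has a `polluted` property. The `UNSAFE_KEYS` set, the `guard` option and the sample argv are assumptions of this example, not minimist's API.

```javascript
'use strict';
// Added example, not code from karma or minimist: a minimal dotted-key argv
// parser showing how an unfiltered "__proto__" segment pollutes
// Object.prototype, and the key guard that closes the hole.

// Assumed list of segments that must never be traversed or assigned.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a dotted path ("a.b.c") on `target` and assign the leaf.
// With guard === false, "__proto__" is looked up like any other key; on a
// plain object that lookup returns Object.prototype, so the final assignment
// lands on the shared prototype instead of on `target`.
function setPath(target, path, value, guard) {
  const parts = path.split('.');
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (guard && UNSAFE_KEYS.has(key)) return false; // reject, do not write
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  const leaf = parts[parts.length - 1];
  if (guard && UNSAFE_KEYS.has(leaf)) return false;
  node[leaf] = value;
  return true;
}

// Parse "--key=value" / "--key" (boolean) arguments; everything else goes
// into `_`, mirroring the common argv-parser convention.
function parseArgs(argv, { guard = true } = {}) {
  const opts = {};
  const rest = [];
  for (const arg of argv) {
    const m = /^--([^=]+)(?:=(.*))?$/.exec(arg);
    if (!m) { rest.push(arg); continue; }
    const value = m[2] === undefined ? true : m[2];
    setPath(opts, m[1], value, guard);
  }
  opts._ = rest;
  return opts;
}

// Constructed command line: one ordinary option, one malicious option, one
// positional argument. Returns what a fresh `{}` sees at each stage.
function demo() {
  const argv = ['--port=9876', '--__proto__.polluted=yes', 'spec.js'];
  const before = ({}).polluted;            // undefined
  parseArgs(argv, { guard: false });       // vulnerable parse
  const afterVulnerable = ({}).polluted;   // 'yes' on every object now
  delete Object.prototype.polluted;        // undo the pollution for the rest of the run
  parseArgs(argv, { guard: true });        // guarded parse refuses the key
  const afterGuarded = ({}).polluted;      // undefined
  return { before, afterVulnerable, afterGuarded };
}

console.log(demo());
```

The guard is the same idea as the upstream fix: refuse to traverse or assign the reserved segments rather than trying to sanitize their values. A second, independent defence for any parser is to build the result with `Object.create(null)` so there is no prototype to reach in the first place; the example keeps plain objects to make the polluted behaviour visible.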
It appears that some work has been started on this in #2473.
Please fix it as soon as possible or give any alternative so that it doesn't produce security errors.
Any update on this??
If this is important for you, please send a pull request. Since karma is a test engine and not part of an online product, the risk of prototype injection is very low. That said, it would be great to see these fixed.
It is quite important, as security scans started showing vulnerabilities in projects that use karma. The security team will allow an exception here, as this is a package required for tests only, but it makes the release process very painful.
If this is important for you, please send a pull request.
Would be fixed by #3451
Hey folks! Is there any other workaround to handle this vulnerability whilst the PR is merged?
Very happy to see the fix looks merged now. Is there a rough idea of when it would make it into a release? (@johnjbarton)
I'm really glad to see that this is already completed, I'll keep an eye out for the next release. Good work everyone!