Newman: Please fix security issues

Created on 1 Nov 2018 · 3 comments · Source: postmanlabs/newman

This project has several vulnerabilities in the dependencies as reported by npm audit.

  1. Newman Version (can be found via newman -v): 4.1.0
  2. OS details (type, version, and architecture): macOS Version 10.13.6
  3. Are you using Newman as a library, or via the CLI?: library
  4. Did you encounter this recently, or has this bug always been there: since npm 5.7 added the npm audit command
  5. Expected behaviour: 0 vulnerabilities found
  6. Command / script used to run Newman: npm audit on a project that has "newman": "^4.1.0" as a dev dependency
  7. Sample collection, and auxiliary files (minus the sensitive details):
  8. Screenshots (if applicable):

Steps to reproduce the problem:

  1. create new node project
  2. add newman as dev dependency
  3. run npm i
  4. run npm audit
  5. observe audit report with 3 high vulnerabilities
security
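The reproduction above ends at reading the audit report by eye. In CI you normally want the same check as code: parse the JSON that `npm audit --json` emits, list each finding with the dependency path it was reached through (which is what shows that the hawk findings arrive via newman's request dependency, as the maintainers' reply explains), and fail the build when anything at or above a chosen severity remains. The following is an added example and is not code from the Newman project or from this issue; the two embedded reports are constructed samples in the npm 6 shape (an `advisories` map) and the npm 7+ shape (`auditReportVersion` 2, a `vulnerabilities` map), with placeholder advisory titles and a placeholder package name rather than real advisory data.

```javascript
'use strict';
// Added example, not Newman project code: gate a build on `npm audit --json`
// output. Run as `node audit-gate.js audit.json` after
// `npm audit --json > audit.json`; with no argument it evaluates the
// constructed samples below.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Unknown severity strings rank below "info" so they never block by accident
// but still show up in the counts.
function rank(severity) {
  return SEVERITY_RANK[severity] !== undefined ? SEVERITY_RANK[severity] : -1;
}

// Flatten either report shape into [{ name, severity, title, path }].
function normalizeAudit(report) {
  const findings = [];
  if (report.advisories) {
    // npm 6: one advisory may be reachable through several dependency paths,
    // each written as "root>dep>subdep". One finding per path.
    for (const adv of Object.values(report.advisories)) {
      for (const f of adv.findings || []) {
        for (const path of f.paths || []) {
          findings.push({ name: adv.module_name, severity: adv.severity, title: adv.title, path });
        }
      }
    }
  } else if (report.vulnerabilities) {
    // npm 7+: `via` holds advisory objects for the package that carries the
    // flaw and bare strings for packages affected only through a dependency.
    // The strings are skipped so each advisory is counted once, at its source.
    for (const v of Object.values(report.vulnerabilities)) {
      for (const via of v.via || []) {
        if (typeof via === 'string') continue;
        findings.push({
          name: v.name,
          severity: via.severity || v.severity,
          title: via.title,
          path: (v.nodes && v.nodes[0]) || v.name,
        });
      }
    }
  }
  return findings;
}

// Returns { ok, counts, blocking }: `ok` is false when any finding is at or
// above `threshold`; `counts` is per severity over all findings.
function gateAudit(report, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const findings = normalizeAudit(report);
  const counts = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  const blocking = findings.filter((f) => rank(f.severity) >= min);
  return { ok: blocking.length === 0, counts, blocking };
}

// Constructed sample in the npm 6 shape. The hawk path mirrors the chain the
// issue describes; the advisory titles and the second package are placeholders.
const SAMPLE_NPM6 = {
  advisories: {
    1: { id: 1, module_name: 'hawk', severity: 'high', title: 'Constructed sample advisory',
         findings: [{ version: '3.1.3', paths: ['newman>request>hawk'] }] },
    2: { id: 2, module_name: 'example-transitive-pkg', severity: 'moderate', title: 'Constructed sample advisory',
         findings: [{ version: '1.0.0', paths: ['newman>example-transitive-pkg'] }] },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0 } },
};

// Constructed sample in the npm 7+ shape for the same hawk chain.
const SAMPLE_NPM7 = {
  auditReportVersion: 2,
  vulnerabilities: {
    hawk: { name: 'hawk', severity: 'high', isDirect: false,
            via: [{ name: 'hawk', title: 'Constructed sample advisory', severity: 'high', url: 'https://example.invalid/advisory' }],
            effects: ['request'], nodes: ['node_modules/hawk'] },
    request: { name: 'request', severity: 'high', isDirect: false,
               via: ['hawk'], effects: ['newman'], nodes: ['node_modules/request'] },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 2, critical: 0 } },
};

function formatResult(result) {
  const lines = result.blocking.map((f) => `${f.severity.toUpperCase()} ${f.name} via ${f.path}: ${f.title}`);
  return [`counts: ${JSON.stringify(result.counts)}`, ...lines, result.ok ? 'PASS' : 'FAIL'].join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  if (process.argv[2]) {
    const report = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
    const result = gateAudit(report, process.argv[3] || 'high');
    console.log(formatResult(result));
    process.exit(result.ok ? 0 : 1);
  } else {
    console.log(formatResult(gateAudit(SAMPLE_NPM6, 'high')));
    console.log(formatResult(gateAudit(SAMPLE_NPM7, 'high')));
  }
}
```

One caveat worth keeping in mind when reading the paths: npm audit matches installed package names and versions against the advisory database, so a fork of request published under a different package name would not itself match advisories filed against request, while its unrenamed sub-dependencies such as hawk still do. That is why the findings here are attributed to hawk and not to the request fork.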

All 3 comments

@vbtelus Thanks for opening this issue. Due to increased friction resulting from hawk being included in request, it was replaced with an in-house implementation here and removed in request v2.87.0. The v4.1.0 release of Newman uses a fork of request based off of v2.86.1. The current unreleased version of Newman effectively uses v2.88.1 (as can be seen here: https://github.com/postmanlabs/newman/blob/develop/package.json#L55). Thus, these vulnerabilities will be addressed in the next Newman release.

If you'd like, you can follow the original discussion that resulted in the removal of hawk from request here: https://github.com/request/request/issues/2831

@vbtelus Newman v4.2.1 resolves the first and third vulnerabilities, the second will require code changes in our dependency chain. I'll keep this issue open until that is resolved.

@vbtelus This has been fixed in v4.2.2
