Newman: npm audit fails: upgrade handlebars >=4.5.3

Created on 22 Nov 2019 · 9Comments · Source: postmanlabs/newman

Newman Version (can be found via newman -v): 4.5.6
OS details (type, version, and architecture): Mac OS
Are you using Newman as a library, or via the CLI? CLI
Did you encounter this recently, or has this bug always been there: recently
Expected behaviour: npm audit passes
Command / script used to run Newman: npm audit
Sample collection, and auxiliary files (minus the sensitive details): NA
Screenshots (if applicable):

$ cat package.json
{
  "dependencies": {
    "newman": "^4.5.6"
  }
}

$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary Code Execution                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ newman                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ newman > postman-runtime > handlebars                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1316                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary Code Execution                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.5.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ newman                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ newman > postman-runtime > handlebars                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1324                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.5.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ newman                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ newman > postman-runtime > handlebars                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1325                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 high severity vulnerabilities in 357 scanned packages
  3 vulnerabilities require manual review. See the full report for details.

Source

anishkny

👍9

Most helpful comment

Please fix this!

memark on 5 Dec 2019

👍2

All 9 comments

Please fix this!

memark on 5 Dec 2019

👍2

Looks like this is fixed in postman-runtime version 7.21.0

markdreyer on 5 Dec 2019

👍1

@markdreyer dunno about postman-runtime, this is about newman package:

$ npm i -S newman

+ [email protected]
added 160 packages from 196 contributors and audited 357 packages in 4.648s
found 3 high severity vulnerabilities  # <-------- !
  run `npm audit fix` to fix them, or `npm audit` for details

anishkny on 5 Dec 2019

If you read the dependency chain, you would see:
newman > postman-runtime > handlebars

I don't maintain newman, I'm just a guy trying to help you out and tell you the version that fixed it, but thanks for the thumbs down.

markdreyer on 6 Dec 2019

👍1

@markdreyer is right. We’ve updated the underlying package and will upgrade Newman soon.

Please note that npm audit failure does not imply that newman is vulnerable. In most cases, the vulnerability of the underlying package is not exploitable via newman because of the way newman uses the package.

shamasis on 6 Dec 2019

@shamasis sure but our automated tests fail because we run npm audit which eventually fails. Actually, its easy enough to run npm audit as part of CI - would you accept a PR on adding that to TravisCI?

anishkny on 6 Dec 2019

@anishkny I completely understand that. We’ve seen a number of newman users choose to run npm audit as part of CI. But since, we cannot blind update every package that is updated or is flagged for security without actually verifying if the update isn’t breaking existing features, adding it to CI is more of a noise for us. There are dedicated individuals deeply looking into security aspects of newman and its dependencies and they haven’t managed to exploit them with any significant CVSS score.

We do not want to be in a situation where a three level or four level deep dependency has a non-exploitable security fix and the maintainers of packages won’t entertain us requesting to patch their repositories without really understanding the security aspects.

If you’ve discovered exploits of npm security audit on newman, please let us know. Until then, we will patch it as part of our next maintenance release, which, I think is a couple of weeks from now. (@codenirvana can provide more accurate date.)

shamasis on 6 Dec 2019

@shamasis thanks - thats good enough for me - please close this issue when its patched to let us know! Cheers! (and by the way absolutely love Postman and esp. newman keep up the great work - sorry if I came off as angry haha)

anishkny on 6 Dec 2019

❤1

Fixed in Newman v4.5.7.