Node-slack-sdk: [Security] DOS vulnerability in requirement [email protected]

Created on 8 Nov 2017 · 8 Comments · Source: slackapi/node-slack-sdk

Description

https://nodesecurity.io/advisories/550

What type of issue is this? (place an x in one of the [ ])

  • [ ] bug
  • [ ] enhancement (feature request)
  • [ ] question
  • [ ] documentation related
  • [ ] testing related
  • [ ] discussion
  • [x] security

Requirements (place an x in each of the [ ])

  • [x] I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • [x] I've read and agree to the Code of Conduct.
  • [x] I've searched for any related issues and avoided creating a duplicate issue.

Bug Report

The ws module needs to be updated to >= 3.3.1

Reproducible in:

@slack/client version: 3.14.1

node version:

OS version(s): 6.9.1 (all)

Steps to reproduce:

1.
2.
3.

Expected result:

What you expected to happen

Actual result:

What actually happened

Attachments:

Logs, screenshots, screencast, sample project, funny gif, etc.

Labels: enhancement, good first issue

All 8 comments

[email protected] is not vulnerable. Also I guess ws is only used as a client here in which case it doesn't really matter as the vulnerability is on the server.

It would be nice to update ws to the latest version nonetheless.

Thanks for the analysis, folks. I agree, it would be great to upgrade ws. I'm hoping to attack this (and other dependency updates) after we ship v3.15.0. I don't think updating this package would break the module's API since this module isn't exposed directly, but if it's grouped with updating many other deps, the total effect is likely to change some behavior and I feel better about doing it in a major version bump.

How does that sound?

@aoberoi I agree on the major version bump. ws >= 2 only supports Node.js 4 or greater.

I've asked nsp to update the advisory regarding 1.1.5, just in case.
Not sure their format accepts such conditions (>=3.3.1 or >=1.1.5).

The correct range of vulnerable versions is >=0.6.0 <3.3.1, excluding 1.1.5.
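Added example, not part of this thread or of the node-slack-sdk code: a check that encodes the range stated above, >=0.6.0 <3.3.1 with the backported fix 1.1.5 excluded, and walks a package-lock.json v1 style `dependencies` tree so nested copies of ws (the usual way a transitive dependency hides) are reported with their path. The lockfile contents and the `some-other-lib` name are constructed for illustration; the exclusion list is kept as data because a single ">=x" bound, which is all a simple advisory format may accept, cannot express the backport.

```javascript
'use strict';

// Parse "MAJOR.MINOR.PATCH" (leading "v", prerelease and build metadata ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two parsed versions: negative, zero or positive, like an Array#sort comparator.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Vulnerable range as stated in the thread: >=0.6.0 <3.3.1, excluding 1.1.5.
// The patched backport is listed explicitly rather than folded into the bounds.
const WS_ADVISORY_550 = {
  name: 'ws',
  vulnerable: { min: '0.6.0', maxExclusive: '3.3.1' },
  patchedExceptions: ['1.1.5'],
};

function isVulnerable(version, advisory = WS_ADVISORY_550) {
  const v = parseVersion(version);
  // A backported fix inside the range is safe even though the bounds say otherwise.
  if (advisory.patchedExceptions.some((p) => compareVersions(v, parseVersion(p)) === 0)) {
    return false;
  }
  return compareVersions(v, parseVersion(advisory.vulnerable.min)) >= 0 &&
         compareVersions(v, parseVersion(advisory.vulnerable.maxExclusive)) < 0;
}

// Walk a package-lock.json v1 style tree ({ dependencies: { name: { version, dependencies } } })
// and report every copy of the advisory's package with a verdict and its install path.
function findWs(lock, advisory = WS_ADVISORY_550, path = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [name, entry] of Object.entries(deps)) {
    const here = [...path, `${name}@${entry.version}`];
    if (name === advisory.name) {
      out.push({
        path: here.join(' > '),
        version: entry.version,
        vulnerable: isVulnerable(entry.version, advisory),
      });
    }
    findWs(entry, advisory, here, out); // nested copies are separate installs
  }
  return out;
}

// Constructed sample lockfile (not a real project): a patched backport, a vulnerable 1.x
// pulled in by a made-up library, and a fixed 3.x at the top level.
const SAMPLE_LOCK = {
  dependencies: {
    '@slack/client': {
      version: '3.14.1',
      dependencies: { ws: { version: '1.1.5' } },
    },
    'some-other-lib': {
      version: '0.1.0',
      dependencies: { ws: { version: '1.1.4' } },
    },
    ws: { version: '3.3.1' },
  },
};

for (const hit of findWs(SAMPLE_LOCK)) {
  console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok        '} ${hit.path}`);
}
```

Running it flags only the `some-other-lib` copy; the 1.1.5 backport under `@slack/client` and the top-level 3.3.1 both pass, which is the distinction a range written as a plain ">=3.3.1" would get wrong.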

This is now passing the nsp check. Thanks!

