:beetle: Description
NPM audit is reporting a moderate severity vulnerability in the "dot" package, which is a dependency of the gh-badges package:
```text
=== npm audit security report ===

                                Manual Review
            Some vulnerabilities require your attention to resolve

         Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        Command Injection
  Package         dot
  Patched in      No patch available
  Dependency of   gh-badges
  Path            gh-badges > dot
  More info       https://npmjs.com/advisories/798

found 1 moderate severity vulnerability in 97 scanned packages
  1 vulnerability requires manual review. See the full report for details.
```
This was raised on the dot package's repo: https://github.com/olado/doT/issues/281
However, it seems like that package is not being maintained anymore?
As a result of the dependency on the "dot" package, the gh-badges package will always introduce an NPM audit failure.
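The report above is the case that cannot be silenced with `npm audit fix`: the advisory has no patched version, so every consumer of gh-badges fails audit until the dependency itself is replaced. The script below is an added example (not part of this issue or of the shields project) that triages an `npm audit --json` report into advisories that a version bump can fix and ones that need manual review, and names the top-level dependency that drags each one in. It assumes the npm 6 JSON layout (an `advisories` object keyed by advisory id, with `module_name`, `severity`, `patched_versions` and `findings[].paths`, and the unsatisfiable range `<0.0.0` standing for "No patch available"); the embedded report is constructed for the example from the fields shown in this issue.

```javascript
// Added example: triage an `npm audit --json` (npm 6 format) report so that
// unpatchable transitive advisories, like dot under gh-badges, fail CI even
// after `npm audit fix` has cleaned up everything that has a fix.
// Format assumptions: advisories keyed by id; patched_versions of "<0.0.0"
// means npm found no patched release. The report below is constructed for
// this example from the fields visible in the issue, not captured output.

const SAMPLE_AUDIT = {
  advisories: {
    "798": {
      id: 798,
      module_name: "dot",
      title: "Command Injection",
      severity: "moderate",
      patched_versions: "<0.0.0",
      url: "https://npmjs.com/advisories/798",
      findings: [{ paths: ["gh-badges>dot"] }],
    },
  },
  metadata: { totalDependencies: 97 },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// npm encodes "No patch available" as a range nothing can satisfy.
function hasPatch(advisory) {
  return advisory.patched_versions !== "<0.0.0";
}

// Split advisories at or above minSeverity into fixable (bump/`npm audit fix`)
// and unpatched (replace or drop the dependency; no version will satisfy audit).
function triage(report, minSeverity = "moderate") {
  const threshold = SEVERITY_RANK[minSeverity] ?? 0;
  const fixable = [];
  const unpatched = [];
  for (const adv of Object.values(report.advisories || {})) {
    if ((SEVERITY_RANK[adv.severity] ?? 0) < threshold) continue;
    const paths = (adv.findings || []).flatMap((f) => f.paths || []);
    // The first segment of "a>b>c" is the direct dependency you actually control.
    const rootDeps = [...new Set(paths.map((p) => p.split(">")[0]))];
    const entry = {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      title: adv.title,
      paths,
      rootDeps,
      url: adv.url,
    };
    (hasPatch(adv) ? fixable : unpatched).push(entry);
  }
  return { fixable, unpatched };
}

// Human-readable summary; the unpatched section is the one a CI gate should
// refuse to ignore, because no `npm update` will ever make it go away.
function formatReport({ fixable, unpatched }) {
  const lines = [];
  lines.push(`${fixable.length} fixable advisory(ies), ${unpatched.length} with no patch available`);
  for (const e of unpatched) {
    lines.push(
      `  [${e.severity}] ${e.module} (#${e.id}) ${e.title}: No patch available; ` +
        `introduced via ${e.rootDeps.join(", ")} (${e.paths.join("; ")}) ${e.url}`
    );
  }
  for (const e of fixable) {
    lines.push(`  [${e.severity}] ${e.module} (#${e.id}) ${e.title}: fix available, run npm audit fix`);
  }
  return lines.join("\n");
}

// A CI wrapper would exit non-zero when this is true; kept as a return value
// here so the module can be imported and tested without terminating the process.
function shouldFailBuild(result) {
  return result.unpatched.length > 0;
}

const RESULT = triage(SAMPLE_AUDIT);
console.log(formatReport(RESULT));
```

Feeding a real report (`npm audit --json > audit.json`) into `triage` gives the same split; the value of separating the two buckets is that `npm audit fix` only ever empties the first one, while the second one, as with dot here, is only cleared by changing what you depend on.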
Thanks @dmyers-mitel
Any planned replacements?
Yep, see the issue linked in the comment above.
A progress update for folks following this issue. Thanks to heroic work from @chris48s built on what @RedSparr0w and I started, DoT was removed in #4405
It's not yet in master, though. From https://github.com/badges/shields/pull/4459#issuecomment-572731235:
I've merged this onto the v3-dev branch. Over the weekend I'll review where I got to with the v3 roadmap: what else needs to go into v3.0/what can wait till v3.1 and pick up the rest of this. I'd like to get to a stage where we can ship this sooner rather than later.
Hello.
It has been a long road, but we've just published a release candidate of version 3 of the NPM package which includes (along with other changes) new badge rendering code which does not depend on the dot template library.
One of the other changes we're making is we're renaming the package to badge-maker, so the release candidate is available at: https://www.npmjs.com/package/badge-maker/v/3.0.0-rc1
The plan is that we will collect a bit of feedback on this before publishing a stable version and deprecating the gh-badges package in the fairly near future. If you're interested in trying out the new version you can npm install badge-maker and consult the changelog for guidance on upgrading https://github.com/badges/shields/blob/master/badge-maker/CHANGELOG.md#300