Skip to content

Critical - Command Injection #50

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
MichaelFBA opened this issue May 17, 2018 · 6 comments
Closed

Critical - Command Injection #50

MichaelFBA opened this issue May 17, 2018 · 6 comments

Comments

@MichaelFBA
Copy link

When doing an npm audit

It says not to use this plugin because of its deep deps on macaddress

https://nodesecurity.io/advisories/654

Critical      │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ macaddress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ optimize-css-assets-webpack-plugin [dev]                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ optimize-css-assets-webpack-plugin > cssnano >               │
│               │ postcss-filter-plugins > uniqid > macaddress                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/654
@luizgrs
Copy link

luizgrs commented May 23, 2018

scravy/node-macaddress#19

They are trying to find someone to accept the PR...

@NMFR
Copy link
Owner

NMFR commented May 23, 2018

Waiting for the PR or an alternative package.

@NMFR
Copy link
Owner

NMFR commented May 25, 2018

Seems that postcss-filter-plugins dropped the dependency with the vulnerability in version 3.0.1 but cssnano does not have this updated in any stable release.

@pldg
Copy link

pldg commented May 26, 2018

Update cssnano solve the problem, macaddress is no more a dependency (try search for it in node_modules)

@NMFR
Copy link
Owner

NMFR commented May 26, 2018

What version of cssnano? I was trying to stay away from the release candidate versions (aka version 4 right now) given they are not yet marked as stable.

@pldg
Copy link

pldg commented May 26, 2018

@NMFR Version 3.10.0. Try to run npm i -D cssnano, should solve the problem. To check for vulnerability use npm audit, also manually search macaddress in node_modules

@NMFR NMFR closed this as completed in a07eea2 May 27, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@MichaelFBA @luizgrs @NMFR @pldg