Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

@uppy/companion 0.16.0 depends on morgan 1.9.0 which introduces a moderate code injection vulnerability #1227

Closed
manuelkiessling opened this issue Jan 7, 2019 · 1 comment
Closed

@uppy/companion 0.16.0 depends on morgan 1.9.0 which introduces a moderate code injection vulnerability #1227

manuelkiessling opened this issue Jan 7, 2019 · 1 comment
Labels
Companion The auth server (for Instagram, GDrive, etc) and upload proxy (for S3)

Comments

@manuelkiessling
Copy link
Contributor

The following is the output form npm audit after installing @uppy/companion at 0.16.0:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ morgan                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.9.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @uppy/companion [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @uppy/companion > morgan                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/736                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
@arturi arturi added the Companion The auth server (for Instagram, GDrive, etc) and upload proxy (for S3) label Jan 7, 2019
@goto-bus-stop
Copy link
Contributor

Fixing in #1232, thanks for the report!

goto-bus-stop added a commit that referenced this issue Jan 7, 2019
@goto-bus-stop
Merge pull request #1232 from transloadit/fix/morgan-security
0d232a1 
companion: Update morgan dependency, fixes #1227
@snyk-bot snyk-bot mentioned this issue Dec 18, 2020
Open
This was referenced Dec 30, 2020
Open
Open
Open
Open
Closed
Open
Open
Open
Open
Open
Closed
Closed
Open
Open
Open
Open
Open
Open
Closed
This was referenced Dec 10, 2021
Open
Open
Open
@snyk-bot snyk-bot mentioned this issue Dec 10, 2021
Open
This was referenced Aug 11, 2022
Open
Open
HeavenFox pushed a commit to docsend/uppy that referenced this issue Jun 27, 2023
@goto-bus-stop
companion: Update morgan dependency, fixes transloadit#1227
5cf5df0
This was referenced May 7, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Companion The auth server (for Instagram, GDrive, etc) and upload proxy (for S3)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@manuelkiessling @goto-bus-stop @arturi @ifedapoolarewaju