Remote Memory Exposure in [email protected] > [email protected] > [email protected]

[kohms]

Hi,

I am checking my projects with nsp and get the following findings.

Could you please update dependencies or remove the follow module if possible?
It looks like that the project is no longer active, the same issue was reported on Jun 10, 2016 at the follow project iriscouch/follow#84.
The last commit on master was on May 24, 2015.

https://nodesecurity.io/advisories/309
https://nodesecurity.io/advisories/77

Thanks in advance
Konrad

[janl]

Should we switch to cloudant-follow? https://github.com/cloudant-labs/cloudant-follow

[janl]

PR here: #51

[kohms]

Cool thanks for figuring that out.
👍 for PR #51

[kohms]

@dscape could you have a look please?

[dscape]

I can have a look, but since I'm no longer a maintainer would be good to understand what the scope is! Appreciate the feedback

[loay]

@dscape
There are security vulnerabilities.

(+) 2 vulnerabilities found
 Name      Installed   Patched                      Path                                                       More Info                              
 request   2.55.0      >=2.68.0                     [email protected] > [email protected] > [email protected]                https://nodesecurity.io/advisories/309 
 hawk      2.3.1       >=3.1.3 < 4.0.0 || >=4.1.1   [email protected] > [email protected] > [email protected] > [email protected]   https://nodesecurity.io/advisories/77  

Even if we update to the last version of follow, it won't fix the issue, since follow is using an outdated versions of request and hawk .. so we need follow to update or to use another library instead of follow.

[loay]

The related pr is being merged: #51
Can the release team let us know when it will be released so the security changes take effect? Thank you

[garrensmith]

6.4.2 fixes this

[kohms]

Thanks for fixing :-)