Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

still active? #62

Open
machinshin opened this issue Sep 13, 2019 · 2 comments
Open

still active? #62

machinshin opened this issue Sep 13, 2019 · 2 comments

Comments

@machinshin
Copy link

Is this library still actively developed?

I ask because I saw this on my 'trending' list today and installed it on a project and run npm audit and this comes back::

                   === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ marked │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.3.4 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ autodoc │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ autodoc > marked │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/23
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ VBScript Content Injection │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ marked │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.3.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ autodoc │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ autodoc > marked │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/24
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Sanitization bypass using HTML Entities │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ marked │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.3.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ autodoc │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ autodoc > marked │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/101
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ marked │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.3.9 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ autodoc │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ autodoc > marked │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/531
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Cross-Site Scripting │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ mustache │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.2.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ autodoc │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ autodoc > mustache │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/62
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.0.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ autodoc │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ autodoc > jasmine-node > gaze > fileset > glob > minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/118
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.0.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ autodoc │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ autodoc > jasmine-node > gaze > fileset > minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/118
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.0.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ autodoc │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ autodoc > jasmine-node > gaze > minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/118
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Command Injection │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ growl │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=1.10.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ autodoc │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ autodoc > jasmine-node > jasmine-growl-reporter > growl │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/146
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ mime │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >= 1.4.1 < 2.0.0 || >= 2.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ autodoc │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ autodoc > less > mime │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/535
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ clean-css │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.1.11 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ autodoc │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ autodoc > less > clean-css │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/785
└───────────────┴──────────────────────────────────────────────────────────────┘
found 11 vulnerabilities (1 low, 2 moderate, 7 high, 1 critical) in 45646 scanned packages
11 vulnerabilities require manual review. See the full report for details.
@machinshin
Copy link
Author

full audit report

{
"actions": [
{
"action": "review",
"module": "marked",
"resolves": [
{
"id": 23,
"path": "autodoc>marked",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 24,
"path": "autodoc>marked",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 101,
"path": "autodoc>marked",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 531,
"path": "autodoc>marked",
"dev": false,
"optional": false,
"bundled": false
}
]
},
{
"action": "review",
"module": "mustache",
"resolves": [
{
"id": 62,
"path": "autodoc>mustache",
"dev": false,
"optional": false,
"bundled": false
}
]
},
{
"action": "review",
"module": "minimatch",
"resolves": [
{
"id": 118,
"path": "autodoc>jasmine-node>gaze>fileset>glob>minimatch",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 118,
"path": "autodoc>jasmine-node>gaze>fileset>minimatch",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 118,
"path": "autodoc>jasmine-node>gaze>minimatch",
"dev": false,
"optional": false,
"bundled": false
}
]
},
{
"action": "review",
"module": "growl",
"resolves": [
{
"id": 146,
"path": "autodoc>jasmine-node>jasmine-growl-reporter>growl",
"dev": false,
"optional": false,
"bundled": false
}
]
},
{
"action": "review",
"module": "mime",
"resolves": [
{
"id": 535,
"path": "autodoc>less>mime",
"dev": false,
"optional": true,
"bundled": false
}
]
},
{
"action": "review",
"module": "clean-css",
"resolves": [
{
"id": 785,
"path": "autodoc>less>clean-css",
"dev": false,
"optional": true,
"bundled": false
}
]
}
],
"advisories": {
"23": {
"findings": [
{
"version": "0.3.2",
"paths": [
"autodoc>marked"
]
}
],
"id": 23,
"created": "2015-10-17T19:41:46.382Z",
"updated": "2019-06-24T14:43:42.223Z",
"deleted": null,
"title": "Regular Expression Denial of Service",
"found_by": {
"name": "Barış Soner Uşaklı"
},
"reported_by": {
"name": "Barış Soner Uşaklı"
},
"module_name": "marked",
"cves": [
"CVE-2015-8854"
],
"vulnerable_versions": "<=0.3.3",
"patched_versions": ">=0.3.4",
"overview": "Versions 0.3.3 and earlier of marked are affected by a regular expression denial of service ( ReDoS ) vulnerability when passed inputs that reach the em inline rule.\n",
"recommendation": "Update to version 0.3.4 or later.",
"references": "- Regular Expression Denial of Service - OWASP\n- Issue 497",
"access": "public",
"severity": "high",
"cwe": "CWE-400",
"metadata": {
"module_type": "Multi.Library",
"exploitability": 5,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/23"
},
"24": {
"findings": [
{
"version": "0.3.2",
"paths": [
"autodoc>marked"
]
}
],
"id": 24,
"created": "2015-10-17T19:41:46.382Z",
"updated": "2019-06-24T14:43:51.258Z",
"deleted": null,
"title": "VBScript Content Injection",
"found_by": {
"name": "Xiao Long"
},
"reported_by": {
"name": "Xiao Long"
},
"module_name": "marked",
"cves": [
"CVE-2015-1370"
],
"vulnerable_versions": "<=0.3.2",
"patched_versions": ">=0.3.3",
"overview": "Versions 0.3.2 and earlier of marked are affected by a cross-site scripting vulnerability even when sanitize:true is set. \n\n## Proof of Concept ( IE10 Compatibility Mode Only )\n\n[xss link](vbscript:alert(1&#41;)\n\nwill get a link\n\n<a href=\"vbscript:alert(1)\">xss link</a>",
"recommendation": "Update to version 0.3.3 or later.",
"references": "- Issue 492",
"access": "public",
"severity": "moderate",
"cwe": "CWE-74",
"metadata": {
"module_type": "Multi.Library",
"exploitability": 1,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/24"
},
"62": {
"findings": [
{
"version": "0.7.2",
"paths": [
"autodoc>mustache"
]
}
],
"id": 62,
"created": "2015-12-14T17:05:06.592Z",
"updated": "2018-02-26T21:54:28.175Z",
"deleted": null,
"title": "Cross-Site Scripting",
"found_by": {
"name": "Matias P. Brutti"
},
"reported_by": {
"name": "Matias P. Brutti"
},
"module_name": "mustache",
"cves": [
"CVE-2015-8862"
],
"vulnerable_versions": "<2.2.1",
"patched_versions": ">=2.2.1",
"overview": "Versions of mustache prior to 2.2.1 are affected by a cross-site scripting vulnerability when attributes in mustache templates are not quoted.\n\n\n\n### Example\nTemplate:\n<a href={{foo}}/>\n\nInput:\n{ 'foo' : 'test.com onload=alert(1)'}\n\nRendered result:\n<a href=test.com onload=alert(1)/>",
"recommendation": "Update to version 2.2.1 or later.\nAlternatively, ensure that all attributes in hmustache templates are encapsulated with quotes.",
"references": "Commit #378bcca",
"access": "public",
"severity": "high",
"cwe": "CWE-79",
"metadata": {
"module_type": "Network.Library",
"exploitability": 7,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/62"
},
"101": {
"findings": [
{
"version": "0.3.2",
"paths": [
"autodoc>marked"
]
}
],
"id": 101,
"created": "2016-04-18T16:26:59.000Z",
"updated": "2019-06-24T14:59:12.354Z",
"deleted": null,
"title": "Sanitization bypass using HTML Entities",
"found_by": {
"name": "Matt Austin"
},
"reported_by": {
"name": "Matt Austin"
},
"module_name": "marked",
"cves": [
"CVE-2016-10531"
],
"vulnerable_versions": "<=0.3.5",
"patched_versions": ">=0.3.6",
"overview": "Affected versions of marked are susceptible to a cross-site scripting vulnerability in link components when sanitize:true is configured. \n\n## Proof of Concept\n\nThis flaw exists because link URIs containing HTML entities get processed in an abnormal manner. Any HTML Entities get parsed on a best-effort basis and included in the resulting link, while if that parsing fails that character is omitted.\n\nFor example:\n\nA link URI such as\n\njavascript&#x58document;alert&#40;1&#41;\n\nRenders a valid link that when clicked will execute alert(1).",
"recommendation": "Update to version 0.3.6 or later.",
"references": "- PR #592\n- Commit #2cff859",
"access": "public",
"severity": "high",
"cwe": "CWE-79",
"metadata": {
"module_type": "Multi.Library",
"exploitability": 7,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/101"
},
"118": {
"findings": [
{
"version": "0.3.0",
"paths": [
"autodoc>jasmine-node>gaze>fileset>glob>minimatch"
]
},
{
"version": "0.2.14",
"paths": [
"autodoc>jasmine-node>gaze>fileset>minimatch",
"autodoc>jasmine-node>gaze>minimatch"
]
}
],
"id": 118,
"created": "2016-05-25T16:37:20.000Z",
"updated": "2018-03-01T21:58:01.072Z",
"deleted": null,
"title": "Regular Expression Denial of Service",
"found_by": {
"name": "Nick Starke"
},
"reported_by": {
"name": "Nick Starke"
},
"module_name": "minimatch",
"cves": [
"CVE-2016-10540"
],
"vulnerable_versions": "<=3.0.1",
"patched_versions": ">=3.0.2",
"overview": "Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).\n\n\n## Proof of Concept\n\nvar minimatch = require(“minimatch”);\n\n// utility function for generating long strings\nvar genstr = function (len, chr) {\n var result = “”;\n for (i=0; i<=len; i++) {\n result = result + chr;\n }\n return result;\n}\n\nvar exploit = “[!” + genstr(1000000, “\\\\”) + “A”;\n\n// minimatch exploit.\nconsole.log(“starting minimatch”);\nminimatch(“foo”, exploit);\nconsole.log(“finishing minimatch”);\n",
"recommendation": "Update to version 3.0.2 or later.",
"references": "",
"access": "public",
"severity": "high",
"cwe": "CWE-400",
"metadata": {
"module_type": "Multi.Library",
"exploitability": 4,
"affected_components": "Internal::Code::Function::minimatch({type:'args', key:0, vector:{type:'string'}})"
},
"url": "https://npmjs.com/advisories/118"
},
"146": {
"findings": [
{
"version": "1.7.0",
"paths": [
"autodoc>jasmine-node>jasmine-growl-reporter>growl"
]
}
],
"id": 146,
"created": "2016-09-06T12:49:40.000Z",
"updated": "2019-06-24T14:53:20.802Z",
"deleted": null,
"title": "Command Injection",
"found_by": {
"name": "Cristian-Alexandru Staicu"
},
"reported_by": {
"name": "Cristian-Alexandru Staicu"
},
"module_name": "growl",
"cves": [
"CVE-2017-16042"
],
"vulnerable_versions": "<1.10.2",
"patched_versions": ">=1.10.2",
"overview": "Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.",
"recommendation": "Update to version 1.10.2 or later.",
"references": "- Issue #60\n- PR #61",
"access": "public",
"severity": "critical",
"cwe": "CWE-94",
"metadata": {
"module_type": "CLI.Library",
"exploitability": 5,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/146"
},
"531": {
"findings": [
{
"version": "0.3.2",
"paths": [
"autodoc>marked"
]
}
],
"id": 531,
"created": "2017-09-21T04:12:52.054Z",
"updated": "2018-04-09T00:28:59.635Z",
"deleted": null,
"title": "Regular Expression Denial of Service",
"found_by": {
"name": "Cristian-Alexandru Staicu"
},
"reported_by": {
"name": "Cristian-Alexandru Staicu"
},
"module_name": "marked",
"cves": [
"CVE-2017-16114"
],
"vulnerable_versions": "<0.3.9",
"patched_versions": ">=0.3.9",
"overview": "Affected versions of marked are vulnerable to a regular expression denial of service. \n\nThe amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds.",
"recommendation": "Update to version 0.3.9 or later.",
"references": "Issue #937",
"access": "public",
"severity": "high",
"cwe": "CWE-400",
"metadata": {
"module_type": "Multi.Library",
"exploitability": 5,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/531"
},
"535": {
"findings": [
{
"version": "1.2.11",
"paths": [
"autodoc>less>mime"
]
}
],
"id": 535,
"created": "2017-09-25T19:02:28.152Z",
"updated": "2018-04-09T00:38:22.785Z",
"deleted": null,
"title": "Regular Expression Denial of Service",
"found_by": {
"name": "Cristian-Alexandru Staicu"
},
"reported_by": {
"name": "Cristian-Alexandru Staicu"
},
"module_name": "mime",
"cves": [
"CVE-2017-16138"
],
"vulnerable_versions": "< 1.4.1 || > 2.0.0 < 2.0.3",
"patched_versions": ">= 1.4.1 < 2.0.0 || >= 2.0.3",
"overview": "Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.",
"recommendation": "Update to version 2.0.3 or later.",
"references": "Issue #167",
"access": "public",
"severity": "moderate",
"cwe": "CWE-400",
"metadata": {
"module_type": "Multi.Library",
"exploitability": 4,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/535"
},
"785": {
"findings": [
{
"version": "2.0.8",
"paths": [
"autodoc>less>clean-css"
]
}
],
"id": 785,
"created": "2019-02-15T21:40:03.940Z",
"updated": "2019-02-15T21:41:13.431Z",
"deleted": null,
"title": "Regular Expression Denial of Service",
"found_by": {
"link": "https://github.com/davisjam",
"name": "Jamie Davis"
},
"reported_by": {
"link": "",
"name": "Santosh Rao"
},
"module_name": "clean-css",
"cves": [],
"vulnerable_versions": "<4.1.11",
"patched_versions": ">=4.1.11",
"overview": "Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.",
"recommendation": "Upgrade to version 4.1.11 or higher.",
"references": "- GitHub Commit",
"access": "public",
"severity": "low",
"cwe": "CWE-185",
"metadata": {
"module_type": "",
"exploitability": 4,
"affected_components": ""
},
"url": "https://npmjs.com/advisories/785"
}
},
"muted": [],
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 1,
"moderate": 2,
"high": 7,
"critical": 1
},
"dependencies": 2145,
"devDependencies": 43494,
"optionalDependencies": 16,
"totalDependencies": 45646
},
"runId": "76301f10-b207-4551-bcb0-150d363020ef"
}

@bensyverson
Copy link

No, it's not actively developed... Checkout the commit history

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@machinshin @bensyverson