Security advisory "Prototype Pollution"

[sidhuko]

0.2.0 has a security advisory applicable.

https://nodesecurity.io/advisories/577

[dogboydog]

Noticed this as well. It seems lodash has been removed as a dependency from the GitHub version of this package, but that the version number hasn't been incremented since then / no new package has been published?

(https://github.com/jamestalmage/cli-table2/pull/27/files)

If I do npm pack cli-table2 I get a package with lodash included in the dependencies, different from the current master

[NorthernMan54]

And that was back in 2016.....

[stanglt]

I made a quick fix for this issue. This is only for version 0.2.0. The unreleased state of the code is not using lodash at all as it seems to me. To fix this for you, you can add a "resolutions" area in your package.json with my fork as long as the pull request is not merged. Sorry for the typos in the branch name, i was in a hurry...

[...]
  "resolutions": {
    "cli-table2": "https://github.com/civilatio/cli-table2.git#protypePolutionFix"
  },
[...]

[thomasyuan]

@jamestalmage Should we release a new version to fix this non-exist issue?

[Turbo87]

as you can see in #43 we have forked the project to https://github.com/cli-table/cli-table3 and have published a new [email protected] release for the current master branch :)

[mkj28]

Nice... if only we can get npm to switch to cli-table3 :)

[stanglt]

You can for your own with a resolutions block, as i stated above, but for npm itself, all packages have to change their dependencies.

[Turbo87]

wasn't aware that npm uses it, but I guess we can send them a PR that updates the dependency

update: npm/npm#20955 😉

[codemonkeyking]

I think the big offender is nsp itself. This isn't even required as a real dependency for me but it gets flagged by the security warning via nsp.

[Turbo87]

@codemonkeyking the problem was the old version of lodash. cli-table3 is no longer using it, so there is no issue anymore.