Two vulnerabilities are introduced in the package #628

@paimon0715

Description

Hi @admc, I’d like to report two vulnerabilities.

Issue

There are two vulnerabilities (1 high and 1 low severity) introduced in wd. The details are as follows:
In wd@0.3.*: Vulnerability npmjs-advisories-1464 (high severity) is detected in package cryptiles (versions: >=0.0.1 <4.1.2): https://www.npmjs.com/advisories/1464
In wd@0.2.*: One is vulnerability npmjs-advisories-1464, the other is vulnerability CVE-2017-16137 (low severity), which is detected in package debug (versions: >=1.0.0 <2.6.9, >=3.0.0 <3.1.0): https://snyk.io/vuln/npm:debug:20170905
The above vulnerable packages are referenced by wd via:
1. wd@0.3.12 ➔ request@2.55.0 ➔ hawk@2.3.1 ➔ cryptiles@2.0.5
2. wd@0.2.27 ➔ request@2.36.0 ➔ hawk@1.0.0 ➔ cryptiles@0.2.2
   wd@0.2.27 ➔ archiver@0.10.1 ➔ zip-stream@0.3.7 ➔ debug@1.0.5

Solution

Since wd@0.3.* is transitively referenced by 83 downstream projects (e.g., gulp-metal 2.2.3 (latest version), duo 0.15.7 (latest version), duo-test 0.4.1 (latest version), grunt-mocha-webdriver 1.2.2 (latest version), skatejs-build 12.2.0 (latest version)),

and wd@0.2.* is referenced by 47 downstream projects (e.g., yiewd 0.6.0 (latest version), yeti 0.2.29 (latest version), yogi 0.1.13 (latest version), wd-sync 1.2.5 (latest version), awesome 0.0.7 (latest version)),

if wd removes the vulnerable packages from the above versions, then its fixed versions can help downstream users decrease their pain. It’s kind of you to update packages in these versions.

Fixing suggestions

(1) In wd@0.3.*, you can kindly try to perform the following upgrade (not crossing its major version):
request ~2.55.0 ➔ 2.84.0;

Note:
request 2.84.0 transitively depends on cryptiles@4.1.3 (a version with vulnerability npmjs-advisories-1464 patched)

(2) In wd@0.2.*, you can kindly try to perform the following upgrades (not crossing their major versions):

  1. request ~2.36.0 ➔ 2.84.0;

Note:
request 2.84.0 transitively depends on cryptiles@4.1.3 (a version with vulnerability npmjs-advisories-1464 patched)

  2. archiver ~0.10.0 ➔ ~0.6.1;

Note:
archiver@0.6.1 (>=0.6.1 <0.8.0) transitively depends on debug@0.7.4 (a version without vulnerability CVE-2017-16137)

Thank you for your attention to this issue!

Sincerely yours,
Paimon
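
A way to check the dependency chains above against the quoted advisory ranges, as an added example that is not part of the original issue or of the wd project: it walks a constructed tree shaped like the wd@0.2.27 chains and reports every node whose version falls inside a vulnerable range, then re-runs on the tree with the suggested leaf versions. The advisory ranges come from the report; the tree, `cmp`, `inRange` and `findVulnerable` are assumptions of this example.

```javascript
// Added example (not from the wd project): walk a dependency tree shaped like the
// chains in the report and flag versions inside the quoted advisory ranges.
// Advisory ranges are taken from the issue; the tree and helper names are constructed.
const ADVISORIES = {
  cryptiles: { id: 'npmjs-advisories-1464', ranges: [['0.0.1', '4.1.2']] },
  debug: { id: 'CVE-2017-16137', ranges: [['1.0.0', '2.6.9'], ['3.0.0', '3.1.0']] },
};

// Numeric comparison of plain x.y.z versions (pre-release tags are not handled here).
function cmp(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// true when lo <= v < hi, i.e. v satisfies the advisory range ">=lo <hi".
function inRange(v, [lo, hi]) { return cmp(v, lo) >= 0 && cmp(v, hi) < 0; }

// Depth-first walk over nodes of the form {name, version, dependencies: [...]}.
// Returns one hit per vulnerable node, with the full chain from the root.
function findVulnerable(node, path = []) {
  const chain = [...path, `${node.name}@${node.version}`];
  const adv = ADVISORIES[node.name];
  const hits = adv && adv.ranges.some(r => inRange(node.version, r))
    ? [{ id: adv.id, chain: chain.join(' -> ') }] : [];
  for (const dep of node.dependencies || []) hits.push(...findVulnerable(dep, chain));
  return hits;
}

// Constructed tree mirroring the two wd@0.2.27 chains listed in the report.
const wd0227 = {
  name: 'wd', version: '0.2.27', dependencies: [
    { name: 'request', version: '2.36.0', dependencies: [
      { name: 'hawk', version: '1.0.0', dependencies: [
        { name: 'cryptiles', version: '0.2.2' }] }] },
    { name: 'archiver', version: '0.10.1', dependencies: [
      { name: 'zip-stream', version: '0.3.7', dependencies: [
        { name: 'debug', version: '1.0.5' }] }] },
  ],
};

// The same tree with the leaf versions the notes above say the upgrades pull in (constructed).
const wd0227Fixed = JSON.parse(JSON.stringify(wd0227));
wd0227Fixed.dependencies[0].dependencies[0].dependencies[0].version = '4.1.3';
wd0227Fixed.dependencies[1].dependencies[0].dependencies[0].version = '0.7.4';

for (const h of findVulnerable(wd0227)) console.log(`${h.id}: ${h.chain}`);
console.log('after fix:', findVulnerable(wd0227Fixed).length, 'hits');
```

On a real project the tree would come from `npm ls --json` or the lockfile rather than being written by hand; the range check is the part that matters.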
