high severity vulnerability in netmask plugin

[zhyrin]

1. What kind of issue are you reporting?

• A bug in a plugin of nodemailer-mailgun-transport ^2.0.2 (netmask plugin)
• High severity vulnerability

2. State your problem here:
   Run "npm audit" or "npm install" with nodemailer-mailgun-transport ^2.0.2
   gives me:
   "netmask npm package vulnerable to octal input data"
   "patched in >=2.0.1"

Netmask is used by up to 300k live projects. Vulnerability reported on about two days ago.

[orliesaurus]

Hey, I tried to patch the package-lock.json to use a NON-VULNERABLE version of netmask - I think it worked? Let me know what you're seeing now :)

[anachronic]

Looks fixed to me in a clean checkout + npm install

I'm still seeing it in a production project through yarn audit, though, I suspect it hasn't been published

[orliesaurus]

@anachronic I published in npm as 2.0.3 - https://www.npmjs.com/package/nodemailer-mailgun-transport

[rfox12]

Apparently nodemailer-mailgun-transport id using a now non-official mailgun library? Is this an easy swap to the "official" version? Seems like the proper dependency should be "mailgun.js" and then that will alleviate the security vulnerability (and hopefully help for future issues). Discussion here: mailgun/mailgun.js#122

[zhyrin]

Yeah just change the dependency and rewrite the code bit of code that are used for the official library.
official plugin: https://www.npmjs.com/package/mailgun.js
deprecated plugin: https://www.npmjs.com/package/mailgun-js (its referenced in mailgun docs, hence the confusion)

official uses '...require=('mailgun.js) as opposed to ...require('mailgun-js')

Tired, but hope it was a tldr

[orliesaurus]

@zhyrin guess someone is gonna have to do some research to see how much code rewrite is needed

[zhyrin]

not interested

[anachronic]

@zhyrin guess someone is gonna have to do some research to see how much code rewrite is needed

Is #104 not a fix for this?

[orliesaurus]

not interested

great! at least you're honest about how you like open source

[orliesaurus]

Is #104 not a fix for this?

let me take a look

[omerlh]

Look like the latest version of mail gun is still vulnerable? https://snyk.io/advisor/npm-package/mailgun-js

[orliesaurus]

@omerlh We've upgraded to the other one - that one is deprecated

[omerlh]

Which one? I can see the latest version is still vulnerable: https://snyk.io/advisor/npm-package/nodemailer-mailgun-transport

[anachronic]

I believe this is solved in master (see #104), however, 2.0.3 (last version published) seems to point to the last commit before the fix.

Although I'm not sure, maybe publishing a new version solves this?

[shawncarr]

@orliesaurus can we get a new release based on @anachronic's point?

[orliesaurus]

Yeah I definitely need to push the update that is in master! Thanks y'all!

[axelauvinen]

Any timeline on this version bump? Should this ticket be closed before the latest version is updated to master?