high severity vulnerability in netmask plugin #103
Comments
Hey, I tried to patch the |
Looks fixed to me in a clean checkout + I'm still seeing it in a production project through |
@anachronic I published in npm as |
Apparently nodemailer-mailgun-transport is using a now non-official mailgun library? Is this an easy swap to the "official" version? Seems like the proper dependency should be "mailgun.js" and then that will alleviate the security vulnerability (and hopefully help for future issues). Discussion here: mailgun/mailgun.js#122
Yeah, just change the dependency and rewrite the bits of code that are used for the official library. The official one uses `require('mailgun.js')` as opposed to `require('mailgun-js')`. Tired, but hope it was a tl;dr.
@zhyrin guess someone is gonna have to do some research to see how much code rewrite is needed
not interested
great! at least you're honest about how you like open source
let me take a look
Looks like the latest version of mailgun is still vulnerable? https://snyk.io/advisor/npm-package/mailgun-js
@omerlh We've upgraded to the other one - that one is deprecated
Which one? I can see the latest version is still vulnerable: https://snyk.io/advisor/npm-package/nodemailer-mailgun-transport
I believe this is solved in master (see #104); however, 2.0.3 (the last version published) seems to point to the last commit before the fix. Although I'm not sure, maybe publishing a new version solves this?
@orliesaurus can we get a new release based on @anachronic's point?
Yeah, I definitely need to push the update that is in master! Thanks y'all!
Any timeline on this version bump? Should this ticket be closed before the latest version is updated to master?
Running "npm audit" or "npm install" with nodemailer-mailgun-transport ^2.0.2 gives me:
"netmask npm package vulnerable to octal input data"
"patched in >=2.0.1"
Netmask is used by up to 300k live projects. Vulnerability reported about two days ago.
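The finding above is a transitive one: netmask reaches an application through nodemailer-mailgun-transport and its mailgun client, so bumping the top-level package alone does not tell you whether the patched netmask (>=2.0.1) is what actually got installed. The script below is an added example, not code from this issue or from the project: it walks an `npm ls --json`-style dependency tree and reports every path that still resolves to a netmask older than 2.0.1. The tree and the intermediate package names and versions in it are constructed for illustration.

```javascript
// Added example: report dependency paths that reach a netmask version below
// the patched release. Input shape mirrors `npm ls --json` ({dependencies:
// {name: {version, dependencies}}}); nothing here is the project's own code.

const PATCHED_NETMASK = '2.0.1'; // from the npm audit output in the issue

// Minimal x.y.z comparison (no prerelease tags); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk; returns "a@1 > b@2 > netmask@x" strings for every
// netmask occurrence whose version is older than PATCHED_NETMASK.
function findVulnerableNetmask(tree, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'netmask' && compareVersions(info.version, PATCHED_NETMASK) < 0) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerableNetmask(info, here)); // nested copies too
  }
  return hits;
}

// Constructed sample tree: a hypothetical transitive chain plus a patched
// direct dependency that must NOT be reported. Versions are illustrative.
const sampleTree = {
  name: 'my-app',
  dependencies: {
    'nodemailer-mailgun-transport': {
      version: '2.0.2',
      dependencies: {
        'mailgun-js': {
          version: '0.22.0',
          dependencies: {
            'proxy-agent': {
              version: '3.1.1',
              dependencies: {
                'pac-resolver': { version: '3.0.0', dependencies: { netmask: { version: '1.0.6' } } },
              },
            },
          },
        },
      },
    },
    netmask: { version: '2.0.1' }, // already patched, stays silent
  },
};

console.log(findVulnerableNetmask(sampleTree));
```

Feed it the real output of `npm ls --all --json` (parsed with `JSON.parse`) instead of `sampleTree` to check an actual install; an empty array means every installed netmask is at or above 2.0.1.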