NPM 6 - vulnerability - Memory Exposure #41

Open
ghost opened this issue May 16, 2018 · 21 comments
@ghost

ghost commented May 16, 2018

│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > request > tunnel-agent                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │

@daniel-ac-martin

Looks like this was fixed but the author neglected to publish v0.6.1 on NPM.

@thexpand

thexpand commented Jun 4, 2018

When will v.0.6.1 be released on NPM?
https://www.npmjs.com/package/tunnel-agent

@igorescobar

+1

@raitono

raitono commented Jun 11, 2018

I'm seeing the fix in my version I got from NPM. Just seems the version number wasn't updated to match. It was a simple one line change, so you should easily be able to see if you have the fix as well. Check line 131 of the index.js file. Link to commit

@mattjbrent

It's been almost a month. Can we please get the NPM package version updated please?

@ghost

ghost commented Jul 31, 2018

Please publish to NPM!?

@Pablo-Araya

+1

@ianmubangizi

I'm totally new to npm audit. I want to know if I can actually continue developing without applying this fix, because I have tried updating to the latest 0.6.0 tunnel-agent package but it won't fix the warning.

@nvdlug

nvdlug commented Aug 14, 2018

Please run npm publish

@igorescobar

Please run npm publish

@jasonkhanlar

Is this safe to use without the npm publish?

@yetzt

yetzt commented Oct 10, 2018

Can someone press npm publish on this? @mikeal @simov

@yetzt

yetzt commented Oct 10, 2018

Ah, I just saw, it's broken downstream; never mind.

@joshwilkerson

+1 ☝️

@ghost

ghost commented Dec 15, 2018

npm run publish 😭

@mikeal
Member

mikeal commented Dec 16, 2018

There are no commits in this repo since the last release so I'm not sure exactly what it is that I'm meant to be releasing?

@coughlanio

coughlanio commented Dec 17, 2018

@mikeal I think people are assuming there's a fix for the current NPM memory exposure audit error. Why the version bump to 0.6.1 if there are no changes since 0.6.0?

│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-webp > cwebp-bin >            │
│               │ bin-wrapper > download > caw > tunnel-agent                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │

@mikeal
Member

mikeal commented Dec 17, 2018

Odd release numbers don't get published, they are only in-tree, this makes it easier to see when people are using git checkouts rather than npm releases.

@sp90

sp90 commented Jan 28, 2019

What is the status of this package?

@jasonkhanlar

Oh my. I am still waiting on this to be fixed for npm also, re: #41

SEMVER WARNING: Recommended action is a potentially breaking change

@bakkerme

bakkerme commented May 9, 2019

For everyone coming to this issue after seeing this in their npm audit, the latest version, v0.6.0 has patched this issue. Most likely, the reason you are seeing the advisory is because a dependency nested somewhere in your application is relying on an unpatched version of this package, likely many layers down.

In the example above, node-sass > request > tunnel-agent is the dependency chain that linked to the vulnerable tunnel-agent. You can see this chain under the Path header in npm audit. It's possible that every part of this chain needs to update their dependencies to fix the vulnerability.

Your best bet is to see if your project's direct dependency, in this case node-sass, has updated its dependencies to a version that is fixed down the line.
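As an added example (not code from this thread or from the tunnel-agent project): a Python script that reproduces the chain npm audit prints under Path by resolving a lockfileVersion-1 package-lock.json the way npm does (nearest enclosing node_modules), so a hoisted unpatched copy is found and a nested patched copy is not mis-flagged. The lock file, the package.json dependency list and all version numbers are constructed.

```python
# Constructed, hypothetical lockfileVersion-1 package-lock.json. request and
# tunnel-agent are hoisted to the top level, so node-sass's chain to unpatched
# 0.4.3 is only found by following "requires"; caw nests its own patched 0.6.0.
SAMPLE_LOCK = {
    "lockfileVersion": 1,
    "dependencies": {
        "node-sass": {"version": "4.9.0", "requires": {"request": "^2.79.0"}},
        "request": {"version": "2.79.0", "requires": {"tunnel-agent": "~0.4.1"}},
        "tunnel-agent": {"version": "0.4.3"},
        "caw": {
            "version": "2.0.1",
            "requires": {"tunnel-agent": "^0.6.0"},
            "dependencies": {"tunnel-agent": {"version": "0.6.0"}},
        },
    },
}
DIRECT_DEPS = ["node-sass", "caw"]  # the app's package.json deps (constructed)
PATCHED = (0, 6, 0)  # advisory 598: tunnel-agent is patched in >=0.6.0

def parse_version(v):
    """'0.4.3' -> (0, 4, 3); any pre-release suffix after '-' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def find_vulnerable_paths(lock, roots, package="tunnel-agent", patched=PATCHED):
    """Return chains like 'node-sass > request > tunnel-agent@0.4.3' for every
    resolved path from a direct dependency to an unpatched copy of `package`."""
    top = lock.get("dependencies", {})
    hits = []

    def resolve(name, scopes):
        # npm's lookup rule: nearest enclosing node_modules that holds `name`.
        for deps in reversed(scopes):
            if name in deps:
                return deps[name]
        return None  # dangling "requires" entry

    def walk(meta, scopes, chain):
        if meta is None:
            return
        if chain[-1] == package and parse_version(meta["version"]) < patched:
            hits.append(" > ".join(chain) + "@" + meta["version"])
        own = meta.get("dependencies")
        scopes = scopes + [own] if own else scopes
        for req in meta.get("requires", {}):
            if req not in chain:  # guard against dependency cycles
                walk(resolve(req, scopes), scopes, chain + [req])

    for root in roots:
        walk(top.get(root), [top], [root])
    return hits
```

Run against the sample it reports only `node-sass > request > tunnel-agent@0.4.3`; the caw chain resolves to the nested 0.6.0 and is silent, which is the nesting-versus-hoisting distinction that makes "update the direct dependency" the right fix.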
