On 12/13/19 8:42 AM, Alberto Viana wrote:

During my tests and install of 389-ds cockpit plugin via npm I got this warning: 

"overview": "Versions of `handlebars` prior to 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.",
      "recommendation": "Upgrade to version 4.5.3 or later.",

I had to update package-lock.json  pointing to the latest version of handlebars(4.5.3) in order to install it.
There are a lot of npm packages in our cockpit plugin, and unfortunately audit issues come up very often. We try and run "npm audit fix" from 389-ds-base/src/cockpit/389-console on a regular basis, and then do upstream releases accordingly.  it's just the nature of the beast :-/

Just to let you guys know.


Alberto Viana

389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

389 Directory Server Development Team