This repository was archived by the owner on Sep 3, 2022. It is now read-only.

Vulnerable is-email dependency in 4.1.11 #260

Open
vinczemarton opened this issue Dec 14, 2021 · 3 comments

Comments

@vinczemarton

I have "@segment/analytics.js-core": "4.1.11", installed.

When running npm audit I get the following error:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Improper Input Validation in is-email                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ is-email                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @segment/analytics.js-core                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @segment/analytics.js-core > segmentio-facade > is-email     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-j377-2x76-558h            │
└───────────────┴──────────────────────────────────────────────────────────────┘

I understand that there is a fix for is-email, but since segmentio-facade depends on the exact version 0.1.0 I'm not sure if it is compatible.

Can you update the dependencies for segmentio-facade and @segment/analytics.js-core so that they don't use is-email 0.1.0?
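The audit table above shows a single path to the vulnerable package, but in a larger tree it helps to see every route that resolves to a given package and which of those land on an unpatched version. The following is an added example, not code from this issue or from the analytics.js-core project: it walks a lockfileVersion 1 `package-lock.json` using Node-style scope resolution (innermost nested `dependencies` map first, then outwards to the root), starts only from the direct dependencies in `package.json`, and reports every path to a target package whose resolved version is below the "Patched in" version. The sample lock file and `package.json` are constructed to mirror the issue; `other-lib` is a hypothetical extra dependency included only to show a nested, already-patched copy being resolved separately.

```javascript
// Added example (not from the issue or the project): find every dependency
// path that reaches a package and flag paths on an unpatched version.

// Constructed sample package.json: only direct dependencies are walk roots,
// since lockfile v1 hoists transitive packages to the top level too.
const samplePackageJson = {
  dependencies: {
    "@segment/analytics.js-core": "^4.1.11",
    "other-lib": "^1.0.0", // hypothetical, for the nested-resolution case
  },
};

// Constructed sample lockfileVersion 1 tree, shaped like the audit output.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "@segment/analytics.js-core": {
      version: "4.1.11",
      requires: { "segmentio-facade": "^3.2.7" },
    },
    "segmentio-facade": { version: "3.2.7", requires: { "is-email": "0.1.0" } },
    "is-email": { version: "0.1.0" }, // hoisted, unpatched copy
    "other-lib": {
      version: "1.0.0",
      requires: { "is-email": "^1.0.1" },
      dependencies: { "is-email": { version: "1.0.1" } }, // nested, patched copy
    },
  },
};

// Parse "x.y.z" into numbers; pre-release suffixes are ignored for this check.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Node-style resolution: innermost scope's `dependencies` first, then outwards
// to the root lock object.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i] && scopes[i].dependencies;
    if (deps && deps[name]) return deps[name];
  }
  return null;
}

// Depth-first walk over `requires`; returns [{ path, version }] for every
// route from a direct dependency that reaches `target`.
function findPaths(lock, pkgJson, target) {
  const results = [];
  function walk(name, node, scopes, path, seen) {
    if (name === target) {
      results.push({ path: [...path, name], version: node.version });
      return;
    }
    if (seen.has(node)) return; // cycle guard on the same resolved node
    const nextSeen = new Set(seen);
    nextSeen.add(node);
    const nextScopes = [...scopes, node];
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(dep, nextScopes);
      if (child) walk(dep, child, nextScopes, [...path, name], nextSeen);
    }
  }
  for (const name of Object.keys(pkgJson.dependencies || {})) {
    const root = resolve(name, [lock]);
    if (root) walk(name, root, [lock], [], new Set());
  }
  return results;
}

// Keep only the paths whose resolved version is below the patched version.
function vulnerablePaths(lock, pkgJson, target, patchedIn) {
  return findPaths(lock, pkgJson, target).filter(
    (r) => compareVersions(r.version, patchedIn) < 0
  );
}

// Render a result in the same "a > b > c" shape npm audit prints.
function formatPath(r) {
  return r.path.join(" > ") + " (" + r.version + ")";
}

// Usage on the constructed data:
for (const r of vulnerablePaths(sampleLock, samplePackageJson, "is-email", "1.0.1")) {
  console.log(formatPath(r));
}
```

On the constructed tree this prints only the `@segment/analytics.js-core > segmentio-facade > is-email (0.1.0)` path; the nested `is-email` 1.0.1 under `other-lib` is found but filtered out as already patched. Starting the walk from `package.json` rather than from every top-level lock entry matters: hoisted transitive packages such as `segmentio-facade` would otherwise be reported as if they were direct dependencies.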

@mkysel

mkysel commented Jan 5, 2022

I've run into the same issue. It seems that segmentio-facade has been renamed to @segment/facade. The newest release of that new name has removed the dependency on is-email.

This diff should fix the security vulnerability:

diff --git a/package.json b/package.json
index f72842c..9068476 100644
--- a/package.json
+++ b/package.json
@@ -37,6 +37,7 @@
     "@ndhoule/pick": "^2.0.0",
     "@segment/canonical": "^1.0.0",
     "@segment/cookie": "^1.1.5",
+    "@segment/facade": "^3.4.0",
     "@segment/is-meta": "^1.0.0",
     "@segment/isodate": "^1.0.2",
     "@segment/isodate-traverse": "^1.0.1",
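Review bot: adding `"@segment/facade": "^3.4.0"` to `dependencies` on its own is not enough; as the comment below the diff notes, the source still needs to be updated, so every `require('segmentio-facade')` (or equivalent import) in the codebase has to become `require('@segment/facade')` before this hunk and the removal in the next one can be merged together, otherwise module resolution of the old name fails at build time. The entry is placed in alphabetical order among the other `@segment/*` packages, which matches the file's existing layout.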
@@ -57,7 +58,6 @@
     "new-date": "^1.0.0",
     "next-tick": "^0.2.2",
     "package-json-versionify": "^1.0.4",
-    "segmentio-facade": "^3.2.7",
     "spark-md5": "^2.0.2",
     "uuid": "^3.4.0"
   },
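Review bot: after dropping `"segmentio-facade": "^3.2.7"`, the lock file must be regenerated and `npm audit` re-run so the `@segment/analytics.js-core > segmentio-facade > is-email` path reported in the issue can be confirmed gone; the patch as shown touches only `package.json`, so a stale lock file would keep resolving `is-email` 0.1.0 even after this change. Also worth checking that `@segment/facade` 3.4.x does not itself pull in `is-email` through another route, since the comment only states the dependency was removed in the newest release of the renamed package.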

but some changes to the actual codebase will be required.

remotezygote added a commit to remotezygote/analytics.js-core that referenced this issue Jan 20, 2022
@remotezygote

^^^ PR opened with those changes.

@TonyRippy

Hi all, any updates on this?

4 participants