Update ssh2 to the latest version #338

Closed
abmusse opened this issue Jan 31, 2022 · 1 comment · Fixed by #355

abmusse commented Jan 31, 2022

We currently use version of ssh2. Version 1.x.x is now available and we should update this and migrate as needed.

Here is info about potentially breaking changes in 1.0.0 mscdex/ssh2#935

abmusse commented Oct 24, 2022

GHSA-652h-xwhf-q4h6

The issue only exists on Windows. 
This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.
This is fixed in version 1.4.0.
# npm audit report

ssh2  <1.4.0
Severity: high
OS Command Injection in ssh2 - https://github.com/advisories/GHSA-652h-xwhf-q4h6
fix available via `npm audit fix --force`
Will install ssh2@1.11.0, which is a breaking change
node_modules/ssh2

1 high severity vulnerability
