Netmask security vulnerability

[myfancypants]

This dependency now has a High security rating from npm https://npmjs.com/advisories/1658

Due to the number of linked dependencies that ultimately import netmask, it is hard to say if there would be any unforeseen breakage with imported the patched version of >=2.0.1.

[mattisx]

This is blocking us as well.

[shaijut]

You are referring to Non official library , which has the issue. I am using this official library which doesn't have any security vulnerability.

#122

[zacharytyhacz]

getting same vulnerability

[olexandr-mazepa]

This package doesn't have this security vulnerability

[zacharytyhacz]

@olexandr-mazepa

I must push back against your screen shot and ask for context. Because this vulnerability is very real and can be reproduced.

Attempting to force the audit fix with both npm and yarn do not fix anything. The vulnerability from netmask remains.

• Look at this bare simple repo that reproduces the vulnerability
• Look at my commands below creating the repo above

zac@smg-macmini:~/Projects
> mkdir mailgun

zac@smg-macmini:~/Projects
> cd mailgun/

zac@smg-macmini:~/Projects/mailgun
> npm init
This utility will walk you through creating a package.json file.
It only covers the most common items, and tries to guess sensible defaults.

See `npm help init` for definitive documentation on these fields
and exactly what they do.

Use `npm install <pkg>` afterwards to install a package and
save it as a dependency in the package.json file.

Press ^C at any time to quit.
package name: (mailgun)
version: (1.0.0)
description:
entry point: (index.js)
test command:
git repository:
keywords:
author:
license: (ISC)
About to write to /Users/zac/Projects/mailgun/package.json:

{
  "name": "mailgun",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC"
}


Is this OK? (yes)

zac@smg-macmini:~/Projects/mailgun
> npm install mailgun-js

added 85 packages, and audited 86 packages in 2s

5 high severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

zac@smg-macmini:~/Projects/mailgun
> npm audit
# npm audit report

netmask  <2.0.1
Severity: high
netmask npm package vulnerable to octal input data - https://npmjs.com/advisories/1658
fix available via `npm audit fix --force`
Will install mailgun-js@0.6.7, which is a breaking change
node_modules/netmask
  pac-resolver  <=4.1.0
  Depends on vulnerable versions of netmask
  node_modules/pac-resolver
    pac-proxy-agent  <=3.0.1
    Depends on vulnerable versions of pac-resolver
    node_modules/pac-proxy-agent
      proxy-agent  1.1.0 - 3.1.1
      Depends on vulnerable versions of pac-proxy-agent
      node_modules/proxy-agent
        mailgun-js  >=0.6.8
        Depends on vulnerable versions of proxy-agent
        node_modules/mailgun-js

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

zac@smg-macmini:~/Projects/mailgun
> npm audit fix

up to date, audited 86 packages in 942ms

# npm audit report

netmask  <2.0.1
Severity: high
netmask npm package vulnerable to octal input data - https://npmjs.com/advisories/1658
fix available via `npm audit fix --force`
Will install mailgun-js@0.6.7, which is a breaking change
node_modules/netmask
  pac-resolver  <=4.1.0
  Depends on vulnerable versions of netmask
  node_modules/pac-resolver
    pac-proxy-agent  <=3.0.1
    Depends on vulnerable versions of pac-resolver
    node_modules/pac-proxy-agent
      proxy-agent  1.1.0 - 3.1.1
      Depends on vulnerable versions of pac-proxy-agent
      node_modules/proxy-agent
        mailgun-js  >=0.6.8
        Depends on vulnerable versions of proxy-agent
        node_modules/mailgun-js

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

zac@smg-macmini:~/Projects/mailgun
> npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating mailgun-js to 0.6.7,which is a SemVer major change.
npm WARN deprecated scmp@0.0.3: scmp v2 uses improved core crypto comparison since Node v6.6.0

added 3 packages, removed 76 packages, changed 7 packages, and audited 13 packages in 2s

# npm audit report

debug  <=2.6.8 || 3.0.0 - 3.0.1
Regular Expression Denial of Service - https://npmjs.com/advisories/534
fix available via `npm audit fix --force`
Will install mailgun-js@0.22.0, which is a breaking change
node_modules/debug
  mailgun-js  0.4.2 - 0.9.1
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of form-data
  node_modules/mailgun-js

mime  <=1.4.0 || 2.0.1 - 2.0.2
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/535
fix available via `npm audit fix --force`
Will install mailgun-js@0.22.0, which is a breaking change
node_modules/mime
  form-data  0.0.2 - 0.1.4
  Depends on vulnerable versions of mime
  node_modules/form-data
    mailgun-js  0.4.2 - 0.9.1
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of form-data
    node_modules/mailgun-js

4 vulnerabilities (1 low, 3 moderate)

To address all issues (including breaking changes), run:
  npm audit fix --force

[mercuriete]

Sorry for the noise.

I could reproduce what @zacharytyhacz did but I think we are talking to another repository:

mailgun/mailgun-js-boland#269

[olexandr-mazepa]

Hello @zacharytyhacz
The vulnerability that you mentioned is from the deprecated package "mailgun-js" but this repository is for the "mailgun.js" package.
I know that the repository name is confusing but this package doesn't have this issue.