This repository has been archived by the owner on Jan 17, 2023. It is now read-only.

Investigate NSP 663 and 664 #4470

Closed
chenba opened this issue May 17, 2018 · 2 comments

@chenba
Collaborator

chenba commented May 17, 2018

Builds on master started failing on 2018-05-16 (starting with https://circleci.com/gh/mozilla-services/screenshots/6792). The failures are from nsp; see output below. We should investigate to see if we can ignore those advisories in .nsprc.

```
> nsp check -o summary

(+) 2 vulnerabilities found
 Name           Installed   Patched   Path                                                                                              More Info
 open           0.0.5       None      firefox-screenshots@32.1.0 > jpm@1.3.1 > open@0.0.5                                               https://nodesecurity.io/advisories/663
 stringstream   0.0.5       None      firefox-screenshots@32.1.0 > jpm@1.3.1 > sign-addon@0.2.0 > request@2.75.0 > stringstream@0.0.5   https://nodesecurity.io/advisories/664
```

@jaredhirsch
Member

The bugs are in jpm, which appears to only be used in the ./bin/run-addon local development script. I think we're fine to ignore those.
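
The triage reasoning in the comment above (every vulnerable path runs through jpm, which is used only for local development) can be checked mechanically before anything is ignored. This is an added example, not code from the Screenshots repository or from nsp: the `findings` array is constructed from the summary output in this issue, and the function names and the `devOnly` set are assumptions. The output takes the shape of the `exceptions` list in `.nsprc`.

```javascript
// Added example: ignore an advisory only when every dependency path to
// the vulnerable module passes through a dev-only package.

// Constructed from the `nsp check -o summary` output in this issue.
const findings = [
  { module: "open", advisory: "https://nodesecurity.io/advisories/663",
    paths: ["firefox-screenshots@32.1.0 > jpm@1.3.1 > open@0.0.5"] },
  { module: "stringstream", advisory: "https://nodesecurity.io/advisories/664",
    paths: ["firefox-screenshots@32.1.0 > jpm@1.3.1 > sign-addon@0.2.0 > " +
            "request@2.75.0 > stringstream@0.0.5"] },
];

// Split "root@1 > a@2 > b@3" into ["a", "b"]: drop the root project and
// the versions. lastIndexOf keeps scoped names such as "@scope/pkg".
function packagesOnPath(path) {
  return path.split(">").map((s) => s.trim()).slice(1).map((spec) => {
    const at = spec.lastIndexOf("@");
    return at > 0 ? spec.slice(0, at) : spec;
  });
}

// One path that avoids all dev-only packages keeps the advisory blocking.
function triage(list, devOnly) {
  const ignore = [];
  const block = [];
  for (const f of list) {
    const allDev = f.paths.length > 0 && f.paths.every((p) =>
      packagesOnPath(p).some((name) => devOnly.has(name)));
    (allDev ? ignore : block).push(f.advisory);
  }
  return { ignore, block };
}

// Serialize the ignorable advisories as an .nsprc-style exceptions list.
function nsprc(list, devOnly) {
  return JSON.stringify({ exceptions: triage(list, devOnly).ignore }, null, 2);
}

// Assumption from the comment above: jpm is used only by ./bin/run-addon.
const devOnly = new Set(["jpm"]);
console.log(nsprc(findings, devOnly));
```

If a later release pulled `request` in through a production dependency, advisory 664 would move to `block` and the build would fail again instead of staying silently ignored.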

@pdehaan
Contributor

pdehaan commented May 17, 2018

Submitted upstream issue to [deprecated] jpm and there is an open PR in sign-addon which may handle the stringstream issue (maybe).

@chenba chenba closed this as completed in 08f7a96 May 18, 2018
chenba added a commit that referenced this issue May 18, 2018
Fix #4470, Ignore nsp advisories 663 and 664 related to jpm
testeaxeax pushed a commit to testeaxeax/screenshots that referenced this issue Jun 7, 2018
testeaxeax pushed a commit to testeaxeax/screenshots that referenced this issue Jun 7, 2018
chenba pushed a commit to chenba/screenshots that referenced this issue Jun 28, 2018