Vulnerabilities

DepShield reports that this application's usage of lodash:3.10.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash:3.10.1 is a transitive dependency introduced by the following direct dependency(s):

• jscs:3.0.7
        └─ jscs-jsdoc:2.0.0
              └─ jsdoctypeparser:1.2.0
                    └─ lodash:3.10.1
        └─ lodash:3.10.1
        └─ xmlbuilder:3.1.0
              └─ lodash:3.10.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The project could not be analyzed because of maven build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

the auto-update config in bootstrap-datepicker:

  "autoupdate": {
    "source": "git",
    "target": "git://github.com/eternicode/bootstrap-datepicker.git",
    "basePath": "",
    "files": [
      "css/*",
      "js/*/*",
      "js/*"
    ]
  }

origin files under bootstrap-datepicker:
1.0.0/ 1.0.2/ 1.1.3/ 1.2.0/ 1.3.0/ package.json

git auto-update log:

Starting Auto Update
-----------------------


bootstrap-datepicker
Clone git://github.com/eternicode/bootstrap-datepicker.git
Need 1.0.2-rc.2,1.1.0,1.1.1,1.1.2,1.2.0-rc.1,1.3.0-rc.1,1.3.0-rc.2,1.3.0-rc.3,1.3.0-rc.4,1.3.0-rc.5,1.3.0-rc.6,1.3.1,v1.0.1
All files for this version 41
41 true
Updated package.json to version 1.0.2-rc.1

after update:
1.0.0/ 1.0.2/ 1.0.2-rc.1/ 1.1.3/ 1.2.0/ 1.3.0/ package.json

It only updated one version ...

Re-run auto-update for more than 10 times, and get the same result (1 version/time).

Vulnerabilities

DepShield reports that this application's usage of tar:2.2.1 results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2018-20834] Improper Link Resolution Before File Access ("Link Following")
• (CVSS 7.5) CWE-62: UNIX Hard Link

Occurrences

tar:2.2.1 is a transitive dependency introduced by the following direct dependency(s):

• tarball-extract:0.0.6
        └─ tar:2.2.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Since the first release, the path should use multi-level */*/* and set a new pattern for each level as below, ** was not accepted, really make the config ugly and the maintenance work complex.

The auto-update config of semantic-ui :

  "autoupdate": {
    "source": "git",
    "target": "git://github.com/Semantic-Org/Semantic-UI",
    "basePath": "dist",
    "files": [
      "*/*/*/*/*",
      "*/*/*/*",
      "*/*/*",
      "*/*",
      "*"
    ]

Should be

  "autoupdate": {
    "source": "git",
    "target": "git://github.com/Semantic-Org/Semantic-UI",
    "basePath": "dist",
    "files": [
      "**/*",
    ]

Currently, I make a fake directory to prevent the updater keep want to add that version, see:

• 91e6327
• cdnjs/cdnjs@238871b

A better method should be put them in a list, and ignore the lib/ver from the list, and also we can manually checkout the list to see how can we add the versions can not be added by updater, maybe just the filemap changed, sometimes we may need to use an old filemap to add the old versions!

Vulnerabilities

DepShield reports that this application's usage of stringstream:0.0.5 results in the following vulnerability(s):

• (CVSS 5.2) CWE-125: Out-of-bounds Read

Occurrences

stringstream:0.0.5 is a transitive dependency introduced by the following direct dependency(s):

• nodegit:0.20.3
        └─ node-gyp:3.6.2
              └─ request:2.85.0
                    └─ stringstream:0.0.5
        └─ node-pre-gyp:0.6.39
              └─ request:2.81.0
                    └─ stringstream:0.0.5

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Currently, all the unstable version will be ignored, but we have something like ng-cordova, which has no stable version in cdnjs, or jquery, some super famous libs, we will use non-production version in its package.json, for these cases, even though auto-updater grabbed a unstable version, it should still update the version in package.json.

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

Just leave it in a stable release.

I noticed that [email protected] is not yet available on cdnjs. If I understand correctly, it is not using autoupdater (https://github.com/cdnjs/cdnjs/blob/master/ajax/libs/angular.js/package.json) for now.

Unfortunately, the dist files are not directly available in the repo (https://github.com/angular/angular.js) and AFAIK autoupdate does only git clone and fs copy the files.

Do you think there is room to run a configurable build command in between 🙏 We could use https://www.npmjs.com/package/npm-run for example to run grunt package in the case of angular.js.

I can work on a PR it makes sense 👍

Currently, we clone every repo and check the tags(versions), it just uses too much resource and not efficient. Should add a local cache/repo mechanism to prevent that, and maybe should also add a new method call GitHub rather than git, to use GitHub api for the tags/versions, and just download the tarball of the needed versions.

Vulnerabilities

DepShield reports that this application's usage of js-yaml:3.4.6 results in the following vulnerability(s):

• (CVSS 8.8) CWE-94: Improper Control of Generation of Code ('Code Injection')
• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

js-yaml:3.4.6 is a transitive dependency introduced by the following direct dependency(s):

• jscs:3.0.7
        └─ js-yaml:3.4.6

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of deep-extend:0.4.2 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2018-3750] Improper Input Validation
• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

deep-extend:0.4.2 is a transitive dependency introduced by the following direct dependency(s):

• echint:4.0.1
        └─ lintspaces:0.5.1
              └─ rc:1.1.6
                    └─ deep-extend:0.4.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

Integrate npm auto-update in, and drop the old one in cdnjs/cdnjs:
https://github.com/cdnjs/cdnjs/blob/master/auto-update.js

So the old config:

  "npmName": "jquery",
  "npmFileMap": [
    {
      "basePath": "dist",
      "files": [
        "**/*"
      ]
    }
  ],

should be :

  "autoupdate": {
    "source": "npm",
    "target": "jquery",
    "fileMap": [
      {
        "basePath": "dist",
        "files": [
          "**/*"
        ]
      }
    ]
  }

Note that the package.jsons, corresponding document and test should also be updated.

Vulnerabilities

DepShield reports that this application's usage of cryptiles:3.1.2 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2018-1000620] Insufficient Entropy
• (CVSS 5.9) CWE-330: Use of Insufficiently Random Values

Occurrences

cryptiles:3.1.2 is a transitive dependency introduced by the following direct dependency(s):

• nodegit:0.20.3
        └─ node-gyp:3.6.2
              └─ request:2.85.0
                    └─ hawk:6.0.2
                          └─ cryptiles:3.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The current general purpose git auto-updater can fetch every file inside tagged commit of any public git repository but it can't handle the manually upload assets on GitHub release page, so let's add a GitHub auto-updater for those libraries publish assets on the release page on GitHub, we can use GitHub api for the tags/versions check, and just download the files of the needed versions.

1. The version field in package.json should be the largest stable version number, sometimes, the libs may have multiple release lines, like jquery, have both v1.x and v2.x versions, and I think we should not use a smaller number to replace the larger one even the smaller one was released much recently, or the users may misunderstand that we have the versions with larger versions.
2. Once a lib been added, we usually add the newest version only, and the updater will grab the old versions, in this situation, of course we should not use the old version number to replace the new one.

The current local repo cache method won't check if the target changed which may caused problem when it's changed.

cc cd53290 #17 #19

Coding style needs to be fixed and tested on CI 😄

To prevent the file types like scss, ts been grabbed into the repo.
Whitelist may be easier in this case.

In #5287, we use symbolic link to handle the duplicated lib to be the same, but in auto-update process, there will be conflicts because more then one lib use the same repo, the workaround method will be add a unix timestamp + random number/string in the clone path to prevent conflicts repo name, the solution to handle this issue may be to ignore scanning symbolic-linked folder.

So the process will be fast, if on Linux, can easily test if /run/shm exist and enough, maybe 200MB as max, I can check the current disk space that current libs with git auto-update using.

Vulnerabilities

DepShield reports that this application's usage of hoek:2.16.3 results in the following vulnerability(s):

• (CVSS 6.5) [CVE-2018-3728] Improper Access Control

Occurrences

hoek:2.16.3 is a transitive dependency introduced by the following direct dependency(s):

• nodegit:0.20.3
        └─ node-pre-gyp:0.6.39
              └─ hawk:3.1.3
                    └─ boom:2.10.1
                          └─ hoek:2.16.3
                    └─ hoek:2.16.3
                    └─ sntp:1.0.9
                          └─ hoek:2.16.3

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of cryptiles:2.0.5 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2018-1000620] Insufficient Entropy

Occurrences

cryptiles:2.0.5 is a transitive dependency introduced by the following direct dependency(s):

• nodegit:0.20.3
        └─ node-pre-gyp:0.6.39
              └─ hawk:3.1.3
                    └─ cryptiles:2.0.5

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Will miss semantic.css semantic.js semantic.min.css semantic.min.js in semantic-ui in v1.3.0~1.3.2 ...

The auto-update config of semantic-ui :

  "autoupdate": {
    "source": "git",
    "target": "git://github.com/Semantic-Org/Semantic-UI",
    "basePath": "dist",
    "files": [
      "*/*/*/*/*",
      "*/*/*/*",
      "*/*/*",
      "*/*",
      "*"
    ]

To speed up the auto-update process when we only want to update a certain lib.

It'll be nice to support update lib from bower.

It takes long time to clone the whole repo again and again, also waste too much network bandwidth.
Should support local cache mechanism. Or, do fetch in the already cloned repo instead of clone a new one.

Currently, the autoupdate field in package.json only support single base path with single file list like this:

  "autoupdate": {
     "source": "git",
     "target": "git://github.com/cdnjs/cdnjs.git",
     "basePath": "",
     "files": [
       "*.json"
     ]
  }

We did support multi-filemap in npm auto-update like this (take waterfall.js as example):

  "npmName": "waterfall.js",
  "npmFileMap": [
    {
      "basePath": "",
      "files": [
        "waterfall*"
      ]
    },
    {
      "basePath": "src",
      "files": [
        "waterfall*"
      ]
    }
  ]

We should also support the same feature in autoupdate field though it is used for git auto-update only, once multi-filemap support added, we can migrate npmName and npmFileMap to autoupdate format.

The multi-filemap should looks like this in package.json once it's implemented:

  "autoupdate": {
    "source": "git",
    "target": "git://github.com/cdnjs/cdnjs.git",
    "fileMap": [
      {
        "basePath": "",
        "files": [
          "*.json"
        ]
      },
      {
         "basePath": "",
         "files": [
           "*.js"
        ]
      }
    ]
  }

PS: the corresponding issue in main repo is cdnjs/cdnjs#9155

The test cases for package.json and example should also be updated at the same time.

40543a5#diff-3637b3b4f350bbde9ce0b427ff895615
Because there are many libs didn't use semver's conventions, using semver to compare the versions is not reliable and even crash the update process when got a non-semver style version, should remove it and find a replacement.