Closed
Re: https://blog.liftsecurity.io/2014/08/06/denial-of-service-in-qs
https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking
https://nodesecurity.io/advisories/qs_dos_memory_exhaustion
The hapijs/qs module should be updated to the latest 1.x (I believe the current latest is qs@1.2.0 already).
Steps to reproduce:

- Clone repo:

  ```
  $ git clone git@github.com:danwrong/restler.git .
  Cloning into '.'...
  remote: Counting objects: 887, done.
  remote: Total 887 (delta 0), reused 0 (delta 0)
  Receiving objects: 100% (887/887), 388.74 KiB | 405.00 KiB/s, done.
  Resolving deltas: 100% (356/356), done.
  Checking connectivity... done.
  ```

- Install modules:

  ```
  $ npm i
  ```

- Create npm-shrinkwrap file, including devDependencies:

  ```
  $ npm shrinkwrap --dev
  wrote npm-shrinkwrap.json
  ```

- Install the nsp module globally:

  ```
  $ sudo npm i nsp -g
  ```

- Check the newly generated npm-shrinkwrap.json file against the nodesecurity.io database:

  ```
  $ nsp audit-shrinkwrap
  Name  Installed  Patched  Vulnerable Dependency
  qs    0.6.6      >= 1.x   restler
  ```
And I was grabbing the latest versions of the modules in package.json using npm outdated:
```
$ npm outdated --depth 0 | sort
Package     Current  Wanted  Latest  Location
iconv-lite  0.2.11   0.2.11  0.4.4   iconv-lite
nodeunit    0.8.2    0.8.2   0.9.0   nodeunit
qs          0.6.6    0.6.6   1.2.0   qs
xml2js      0.4.0    0.4.0   0.4.4   xml2js
```
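The audit step above relies on the nsp tool; as an added example (not part of the issue or the restler project), here is the same check done offline in plain Node: it walks the nested `dependencies` map of an npm-shrinkwrap.json and flags any qs install below the `>= 1.x` patched range given in the two advisories. The shrinkwrap object `SAMPLE` and the `ADVISORIES` table are constructed for the example.

```javascript
// Constructed from the two nodesecurity.io advisories cited in the issue:
// package name -> lowest major version that carries the fix.
const ADVISORIES = {
  qs: { patchedMajor: 1, note: 'DoS: event loop blocking / memory exhaustion' },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; returns null for anything else
// (git URLs, tags, ranges), which the audit then reports as unknown.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Walk the shrinkwrap tree (same nested format nsp audit-shrinkwrap reads)
// and return one finding per vulnerable install, with the path that pulled
// it in so the reporter can see which top-level dependency to update.
function auditShrinkwrap(shrinkwrap) {
  const findings = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = path.concat(name);
      const adv = ADVISORIES[name];
      if (adv) {
        const ver = parseVersion(entry.version || '');
        if (ver === null || ver[0] < adv.patchedMajor) {
          findings.push({
            name,
            installed: entry.version || '(unparsable)',
            patched: `>= ${adv.patchedMajor}.x`,
            path: here.join(' > '),
          });
        }
      }
      walk(entry.dependencies, here);
    }
  }
  walk(shrinkwrap.dependencies, [shrinkwrap.name || 'root']);
  return findings;
}

// Constructed sample mirroring the report: the root pins qs 0.6.6 directly,
// while a hypothetical dev tool happens to carry an already patched qs 1.2.0.
const SAMPLE = {
  name: 'restler',
  dependencies: {
    qs: { version: '0.6.6' },
    'example-dev-tool': { version: '1.0.0', dependencies: { qs: { version: '1.2.0' } } },
  },
};

for (const f of auditShrinkwrap(SAMPLE)) {
  console.log(`${f.name} ${f.installed} (patched ${f.patched}) via ${f.path}`);
}
```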