
Security vulnerability introduced through picture-tube #96

Open
lirantal opened this issue Dec 3, 2016 · 7 comments

Comments

@lirantal
Collaborator

lirantal commented Dec 3, 2016

Hi @yaronn,

The picture-tube package introduces a security vulnerability issue by its own dependency of an old request library version.

It seems that picture-tube is quite old and unmaintained, so it may need to be replaced with another npm package. Any chance you're up for it? Thanks!

You can dig more info at snyk's website: https://snyk.io/test/github/yaronn/blessed-contrib

cc @adrukh @grnd

@yaronn
Owner

yaronn commented Dec 6, 2016

Nice catch :) I don't think picture-tube is used too often with blessed-contrib, but I will leave this open until I or someone else has more time to figure out an alternative. Thanks!

@lirantal
Collaborator Author

lirantal commented Dec 6, 2016

Ok, thanks. Hopefully soon :)
And thank you so much for the wonderful blessed-contrib project! ❤️

@binarymist

picture-code has very few LoC, about 60. Possible options:

  • Fork -> tweak -> update deps
  • Copy -> paste the 60 LoC into this project

Thanks.

@lirantal
Collaborator Author

lirantal commented Sep 3, 2018

Let's see if we can come up with an alternative library.
It seems that the request lib in picture-tube is also irrelevant

@techieshark

Note that there is an existing (albeit unmerged) PR on picture-tube to update the version of request it uses, which would fix this issue.

https://github.com/substack/picture-tube/pull/12

@lirantal
Collaborator Author

👍
Tried to ping another committer on the project

@Chaz6

Chaz6 commented Dec 6, 2018

I came here because npm audit reports this:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Remote Memory Exposure                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ request                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.68.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ picture-tube                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ picture-tube > request                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/309                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 141 scanned packages
  1 vulnerability requires manual review. See the full report for details.
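A small script, added here and not part of blessed-contrib or picture-tube, that walks an `npm ls --json`-style dependency tree and reports every path to a copy of `request` older than the patched range `>=2.68.0` from the audit output above, which is useful for confirming whether a fix such as the picture-tube PR actually removes the vulnerable path. The tree and all version numbers in it are constructed for the demo.

```javascript
// Added example (not from blessed-contrib or picture-tube): find every
// dependency path that reaches a package below the patched version
// reported by npm audit. Sample tree and versions below are constructed.

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `version` >= `min`, comparing major, minor, patch in order
// (numeric, so 2.7.0 < 2.68.0 as semver requires).
function atLeast(version, min) {
  const a = parseVersion(version), b = parseVersion(min);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Depth-first walk over `dependencies`; collects "a > b > pkg@version"
// for every occurrence of `pkg` whose version is below `patchedMin`.
function findUnpatchedPaths(tree, pkg, patchedMin, trail = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = trail.concat(name);
    if (name === pkg && node.version && !atLeast(node.version, patchedMin)) {
      out.push(`${here.join(' > ')}@${node.version}`);
    }
    findUnpatchedPaths(node, pkg, patchedMin, here, out);
  }
  return out;
}

// Constructed tree shaped like `npm ls --json` output: one stale copy of
// request under picture-tube, one current copy elsewhere (versions made up).
const SAMPLE_TREE = {
  name: 'app', version: '1.0.0',
  dependencies: {
    'picture-tube': { version: '0.0.1',
      dependencies: { request: { version: '2.40.0' } } },
    'some-other-lib': { version: '1.2.3',
      dependencies: { request: { version: '2.88.0' } } },
  },
};

// Advisory from the thread: request is patched in >=2.68.0.
const UNPATCHED = findUnpatchedPaths(SAMPLE_TREE, 'request', '2.68.0');
console.log(UNPATCHED.join('\n'));
```

Pipe real `npm ls --json` output in place of `SAMPLE_TREE` to check a project; only the first, stale path should be reported.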
