
npm audit is reporting an issue with prototype pollution #1

Open
Bluebie opened this issue Aug 2, 2019 · 1 comment

Comments


Bluebie commented Aug 2, 2019

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node.extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.1.7 <2.0.0 || >= 2.0.1                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ rmdir-promise                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ rmdir-promise > rmdir > node.flow > node.extend              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/781                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 176 scanned packages
  1 vulnerability requires manual review. See the full report for details.
Owner

dzek69 commented Aug 2, 2019

Thank you for your report.

This is an effect of the bad side of the npm ecosystem. The issue isn't with rmdir-promise itself, but with rmdir, which rmdir-promise relies on. The author of rmdir stopped maintaining it however (see this issue from February 2019: dreamerslab/node.rmdir#17), so I am unable to do anything but fork the dependency and fix it by myself.

However - having my own fork of everything ruins the idea of code re-use, plus it is an impossible job to do.

So currently I'll just ignore the issue, until the dependency is fixed.

Please note that it may be a moderate vuln in that package, but this doesn't mean that the code that uses it does so in a way that may actually do any harm. As an example: if a library for adding two numbers crashes your PC when you're adding 1 and 2, but you are using your library to always add numbers over 100 - you won't ever be affected. Prototype pollution by extending in this case should be the same. lodash, one of the most popular JS libraries, had this for years. Personally I even think that this particular issue isn't a bug in the code - just using it incorrectly, without thinking, may result in an actual vulnerability.

But I did not verify the actual usage of the library we're talking about.

If you are feeling unsafe and/or need your audit clear - try fs-extra. It contains a Promise-based rmdir.

Thanks again and sorry if my reply isn't something you expected to hear from me.
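The distinction drawn in the reply above (an extend-style merge is only dangerous when untrusted input reaches it) can be checked concretely. This is an added example, not code from node.extend, rmdir or rmdir-promise; the two extend functions, the `FORBIDDEN_KEYS` list and the JSON input are constructed for illustration.

```javascript
// Added illustration, not node.extend's own code: a naive recursive extend
// of the kind advisory 781 describes, beside a hardened variant. Both
// functions and the sample input are constructed for this example.

// Naive deep extend: recurses into target[key] for every own key of source,
// including an own key literally named "__proto__".
function naiveExtend(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveExtend(target[key], value); // target["__proto__"] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep extend: skips keys that lead into the prototype chain and
// only recurses into own properties of target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input, e.g. a parsed request body. JSON.parse creates an
// *own* property named "__proto__" (an object literal would not), which is why
// parsed external data is the realistic way this code path is reached.
const UNTRUSTED_JSON = '{"__proto__": {"polluted": true}, "name": "x"}';

// True if merging the untrusted input through extendFn changed Object.prototype,
// observed on an unrelated, freshly created object.
function leaksIntoPrototype(extendFn) {
  extendFn({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // reset so repeated checks start clean
  return leaked;
}
console.log('naive leaks:', leaksIntoPrototype(naiveExtend)); // true
console.log('safe leaks:', leaksIntoPrototype(safeExtend));   // false
```

Running the same check against the merge function a project actually calls, with the input it actually receives, is what decides whether an audit finding like the one above is reachable.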
