Comments (4)
quinnturner
commented on August 20, 2024
2
With all that being said, here are some of the alternatives that I found:
https://github.com/uhop/stream-json
https://github.com/creationix/jsonparse
https://github.com/dscape/clarinet
https://github.com/jgranstrom/zipson
https://github.com/Faleij/json-stream-stringify
In my opinion, stream-json seemed like the most reasonable alternative based on the criteria I set out. I have yet to identify the performance difference.
from audit-ci.
quinnturner
commented on August 20, 2024
1
Thanks for the report. I am well aware of the history of the dependency. Accordingly, I understand your sentiment and have been toiling with this for quite some time.
Ultimately, I am concerned about the current state of the application's security more than historical.
At this time, here's what I've gathered about the current state of the dependency. If I list anything inaccurate, please let me know.
- only npmjs.com themselves have write access to publishing new versions of the dependency
- we have pinned the version to exactly 4.0.1, the latest
- it has gone under more scrutiny than probably 99.999999% of dependencies on the registry in its current form
- security concerns such as prototype pollutions, code injections, directory traversals, or ReDoS have not been identified by the community
- The underlying requirements of the package are static; the definition of JSON changing is not a concern. Thus, the needs for this type of package are "stable".
- It is performant enough for the usage of this application.
With all that in mind, I'd argue that most alternative dependencies are less likely to be secure than jsonstream.
However, I would be willing to change the dependency if there are tangible benefits over the current version of jsonstream. These may include measurable performance improvements, bug fixes within the scope of audit-ci's usage, a larger test suite for coverage of security-focused issues (such as the types of issues I've identified above), a low number of reputable transitive dependencies by reputable authors, etc.
With the latest release of audit-ci, there are no known bugs related to the usage of jsonstream.
Changing dependencies brings a new set of risks. Updating for the sake of updating is not always what's best for security. It may be in this case, I'd like to be presented with tangible evidence though.
from audit-ci.
jeremywadsack
commented on August 20, 2024
Thanks for helping me understand this better. I thought I responded last week but don't see that here in the thread, so apologies for the late reply.
Agreed that the current state of the security is more important than historical. I highlighted the issue with event-stream because it appears to be the last known action on that repo.
I guess I don't have anything better to offer and you've given me something to consider.
from audit-ci.
Related Issues (20)
- Drop support for Node <12 HOT 1
- Long summary output for only one vulnerable advisory HOT 6
- Cannot convert undefined or null to object Exiting HOT 9
- Support allowlisting private packages by module HOT 7
- Recommend pinning to commit SHA or release tag HOT 3
- Add expiration time for allow list items HOT 1
- Allow notes for allowlist items HOT 2
- [Feature] Support Gitlab SAST report-type HOT 2
- Let the severity level influence the json output HOT 1
- Fail on unmatched ignores HOT 1
- Invalid JSON config file when using new allowlist NSPRecord syntax HOT 3
- Add support for registry flag for PNPM HOT 1
- Support Yarn's `--exclude` HOT 2
- Handle errors from Yarn Berry more gracefully HOT 2
- Tests should include all major Yarn versions HOT 2
- packages starting with "@" are not working in allowlist HOT 2
- The audit report format changed? HOT 2
- CI commands fail because no version 7 HOT 1
- Support Yarn v4 HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from audit-ci.