I came across a Prototype Pollution issue in Artillery 2.0.17 the other day through Dependabot. I wanted to see if anyone else's repositories had been flagged for the same issue. From what I can tell, the problematic package is dependency-tree, which relies on RequireJS. The vulnerability arises via the following dependency chain: dependency-tree -> filing-cabinet -> module-lookup-amd -> requirejs. There's also a report on Snyk, which you can find here, detailing the issue found in RequireJS. Fortunately, dependency-tree is only used in one file in Artillery, bom.js, as shown in the code snippet below: Is there any possibility of swapping this out and removing the dependency?
Unfortunately there doesn't seem to be a fix out for this in dependency-tree, and that code in the bom module is fairly core to our distributed tests, so it's not something we can immediately take out.
We will try to do some security updates for the release after next (in 2 weeks), and I'll try to see if dependency-tree are planning on fixing this by then.
We also need this vulnerability fixed, and we have also opened an issue with filing-cabinet (a dependency of dependency-tree): dependents/node-filing-cabinet#135
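To confirm whether a flagged transitive package is actually reachable in your own project, and through which chain, you can walk the lockfile rather than trust the alert alone. The script below is an added example, not code from Artillery or any of the packages named in this thread; it reads a lockfileVersion 2/3 `package-lock.json` (the `packages` map), resolves each dependency the way npm's nested `node_modules` layout does, and lists every path from the root to a target package. The lockfile embedded here is constructed for illustration and its version strings are placeholders.

```javascript
// Constructed sample lockfile mirroring the chain reported in this issue.
// Versions other than artillery's are placeholders, not real release numbers.
const lock = {
  name: "my-load-tests",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-load-tests", dependencies: { artillery: "2.0.17" } },
    "node_modules/artillery": { version: "2.0.17", dependencies: { "dependency-tree": "*" } },
    "node_modules/dependency-tree": { version: "0.0.0-placeholder", dependencies: { "filing-cabinet": "*" } },
    "node_modules/filing-cabinet": { version: "0.0.0-placeholder", dependencies: { "module-lookup-amd": "*" } },
    "node_modules/module-lookup-amd": { version: "0.0.0-placeholder", dependencies: { requirejs: "*" } },
    "node_modules/requirejs": { version: "0.0.0-placeholder" },
  },
};

// Resolve `depName` as required from the package installed at `fromPath`:
// look in its own nested node_modules first, then walk up to each ancestor.
function resolve(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${depName}` : `node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return every dependency chain (as "a -> b -> c" strings) from the root
// project to `target`. Cycles are cut with the `visiting` set.
function dependencyPaths(lockfile, target) {
  const { packages } = lockfile;
  const results = [];
  function walk(path, chain, visiting) {
    const pkg = packages[path];
    if (!pkg) return;
    const deps = { ...pkg.dependencies, ...pkg.devDependencies, ...pkg.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const resolved = resolve(packages, path, name);
      if (!resolved || visiting.has(resolved)) continue; // unresolvable or cycle
      const next = [...chain, name];
      if (name === target) results.push(next.join(" -> "));
      visiting.add(resolved);
      walk(resolved, next, visiting);
      visiting.delete(resolved);
    }
  }
  walk("", [], new Set([""]));
  return results;
}

// Usage: swap `lock` for JSON.parse(fs.readFileSync("package-lock.json")).
console.log(dependencyPaths(lock, "requirejs"));
```

An empty result means the flagged package is not installed in any position the root can reach; a non-empty one tells you exactly which direct dependency pulls it in, which is the package whose maintainers need to ship the fix.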