Dependency vulnerability in stringstream v0.0.5

[spencern]

Issue

Snyk has flagged stringstream v0.0.5 as a security vulnerability.

Affected versions of this package are vulnerable to Uninitialized Memory Exposure. An attacker could extract sensitive data from uninitialized memory or to cause a DoS by passing in a large number, in setups where typed user input can be passed to the stream (e.g. from JSON).

https://snyk.io/vuln/npm:stringstream:20180511

Remediation

Upgrade stringstream to version 0.0.6 or higher.

It appears that this vulnerability is pulled in via request v2.83.0. request v2.86.0 and higher do not include this dependency.

[Shwetajain148]

Hi @spencern, Currently, I'm busy with some ongoing issues but certainly, I'll pick this up once I get some time.

Thanks for reporting.

[Shwetajain148]

Hi @spencern, So I looked at this issue and could see that the request is already at v2.87.0 which doesn't include the stringstream dependency. Please see the screenshot below-

From the comment here, I checked on nodejs v4.x(see above screenshot) still there is no stringstream dependency.

To confirm more, I also verified with NSP for any vulnerability but there was not any. See another screenshot below-

Can you please check once again or share more information so that I can reproduce?

[spencern]

This vulnerability is no longer reported via snyk at this point either.
I think we can close. Thank you for checking into it.

[Shwetajain148]

Great @spencern.