Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Critical security vulnerability in new buidler projects #535

Closed
pemulis opened this issue Apr 29, 2020 · 2 comments
Closed

Critical security vulnerability in new buidler projects #535

pemulis opened this issue Apr 29, 2020 · 2 comments

Comments

@pemulis
Copy link

pemulis commented Apr 29, 2020
edited

Discovered this during the Hack Money hackathon.

image

builder uses mocha@5.2.0 which uses mkdirp@0.5.1 which uses minimist@0.0.8. When I uploaded my newly buidler'd repo to GitHub, I received this complaint about a critical security vulnerability.

image

Details here: GHSA-vh95-rmgr-6w4m

Perhaps this could be fixed by updating to mocha@7.1.2, which updates mkdirp to v.0.5.5?

Looks like mkdirp is getting the boot from mocha@8.0.0 (they discuss the vulnerability here): mochajs/mocha#4199
@alcuadrado
Copy link
Member

Hey @pemulis!

Thanks for reporting this, and for the details about it.

I believe we aren't exposed to this vulnerability, but npm has no way to realize this, and it warns everyone anyway, so we'll fix it asap.

We'll keep this issue updated.

@fvictorio
Copy link
Member

I'm gonna guess this is not relevant anymore. Please re-open if it is.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 18, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@alcuadrado @fvictorio @pemulis