Two vulnerabilities are introduced in the package #628

Open
paimon0715 opened this issue Jul 7, 2021 · 3 comments

Comments


paimon0715 commented Jul 7, 2021

Hi @admc, I'd like to report two vulnerabilities.

Issue

There are two vulnerabilities (1 high and 1 low severity) introduced in wd. The details are as follows:
In wd@0.3.*: Vulnerability npmjs-advisories-1464 (high severity) is detected in package cryptiles (versions: >=0.0.1 <4.1.2): https://www.npmjs.com/advisories/1464
In wd@0.2.*: One is vulnerability npmjs-advisories-1464, the other is vulnerability CVE-2017-16137 (low severity), which is detected in package debug (versions: >=1.0.0 <2.6.9, >=3.0.0 <3.1.0): https://snyk.io/vuln/npm:debug:20170905
The above vulnerable packages are referenced by wd via:
1. wd@0.3.12 ➔ request@2.55.0 ➔ hawk@2.3.1 ➔ cryptiles@2.0.5
2. wd@0.2.27 ➔ request@2.36.0 ➔ hawk@1.0.0 ➔ cryptiles@0.2.2
   wd@0.2.27 ➔ archiver@0.10.1 ➔ zip-stream@0.3.7 ➔ debug@1.0.5

Solution

Since wd@0.3.* is transitively referenced by 83 downstream projects (e.g., gulp-metal 2.2.3 (latest version), duo 0.15.7 (latest version), duo-test 0.4.1 (latest version), grunt-mocha-webdriver 1.2.2 (latest version), skatejs-build 12.2.0 (latest version)),

and wd@0.2.* is referenced by 47 downstream projects (e.g., yiewd 0.6.0 (latest version), yeti 0.2.29 (latest version), yogi 0.1.13 (latest version), wd-sync 1.2.5 (latest version), awesome 0.0.7 (latest version)),

if wd removes the vulnerable package from the above versions, then its fixed versions can help downstream users decrease their pain. It's kind of you to update packages in these versions.

Fixing suggestions

(1) In wd@0.3.*, you can kindly try to perform the following upgrade (not crossing its major versions):
request ~2.55.0 ➔ 2.84.0;

Note:
request 2.84.0 transitively depends on cryptiles@4.1.3 (a version with vulnerability npmjs-advisories-1464 patched)

(2) In wd@0.2.*, you can kindly try to perform the following upgrades (not crossing their major versions):

  1. request ~2.36.0 ➔ 2.84.0;

Note:
request 2.84.0 transitively depends on cryptiles@4.1.3 (a version with vulnerability npmjs-advisories-1464 patched)

  2. archiver ~0.10.0 ➔ ~0.6.1;

Note:
archiver@0.6.1 (>=0.6.1 <0.8.0) transitively depends on debug@0.7.4 (a version without vulnerability CVE-2017-16137)

Thank you for your attention to this issue!

Sincerely yours,
Paimon
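The dependency chains and the advisory version ranges quoted above can be checked mechanically. The following is an added example, not code from the wd project or from the issue author: it walks a package-lock v1 style tree (`{ dependencies: { name: { version, dependencies } } }`), compares each package version against the vulnerable intervals from the two advisories, and reports the full chain for every hit. The two lock trees are constructed from the chains in the issue; the intermediate hawk and zip-stream versions in the "after upgrade" tree are placeholders, not registry lookups, and only the leaf versions (cryptiles@4.1.3, debug@0.7.4) come from the issue text.

```javascript
// Added example: flag vulnerable transitive dependencies in a package-lock v1 shaped tree.
// Not part of the wd project; advisory ranges are taken from the issue text.

// Each advisory lists [minInclusive, maxExclusive] intervals of vulnerable versions.
const ADVISORIES = [
  { id: "npmjs-advisories-1464", pkg: "cryptiles", severity: "high",
    vulnerable: [["0.0.1", "4.1.2"]] },
  { id: "CVE-2017-16137", pkg: "debug", severity: "low",
    vulnerable: [["1.0.0", "2.6.9"], ["3.0.0", "3.1.0"]] },
];

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split(".").map(Number);
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Negative if a < b, 0 if equal, positive if a > b (numeric, so 2.6.10 > 2.6.9).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function inInterval(version, [min, maxExclusive]) {
  return compareVersions(version, min) >= 0 && compareVersions(version, maxExclusive) < 0;
}

// Depth-first walk; returns one finding per (vulnerable package, dependency path).
function findVulnerable(lock, advisories = ADVISORIES) {
  const findings = [];
  function walk(node, path) {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${dep.version}`];
      for (const adv of advisories) {
        if (adv.pkg === name && adv.vulnerable.some((iv) => inInterval(dep.version, iv))) {
          findings.push({ advisory: adv.id, severity: adv.severity, chain: here.join(" -> ") });
        }
      }
      walk(dep, here);
    }
  }
  walk(lock, [`${lock.name}@${lock.version}`]);
  return findings;
}

// Constructed tree reproducing the wd@0.2.27 chains quoted in the issue.
const WD_0_2_27 = {
  name: "wd", version: "0.2.27",
  dependencies: {
    request: { version: "2.36.0", dependencies: {
      hawk: { version: "1.0.0", dependencies: {
        cryptiles: { version: "0.2.2" } } } } },
    archiver: { version: "0.10.1", dependencies: {
      "zip-stream": { version: "0.3.7", dependencies: {
        debug: { version: "1.0.5" } } } } },
  },
};

// Constructed tree after the suggested upgrades (request 2.84.0 -> cryptiles 4.1.3,
// archiver 0.6.1 -> debug 0.7.4). The hawk/zip-stream versions are placeholders.
const WD_0_2_27_PATCHED = {
  name: "wd", version: "0.2.27",
  dependencies: {
    request: { version: "2.84.0", dependencies: {
      hawk: { version: "0.0.0-placeholder", dependencies: {
        cryptiles: { version: "4.1.3" } } } } },
    archiver: { version: "0.6.1", dependencies: {
      "zip-stream": { version: "0.0.0-placeholder", dependencies: {
        debug: { version: "0.7.4" } } } } },
  },
};

for (const f of findVulnerable(WD_0_2_27)) console.log(f.severity, f.advisory, f.chain);
console.log("after upgrade:", findVulnerable(WD_0_2_27_PATCHED).length, "findings");
```

Run against a real `package-lock.json` (v1 format) by passing the parsed file to `findVulnerable`; the before tree yields the two chains listed in the issue, the patched tree yields none. Newer lockfile formats (v2/v3) keep a flat `packages` map instead of nested `dependencies`, so the walk would need adapting there.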


paimon0715 commented Jul 8, 2021

Many active downstream users transitively use the lower versions of wd (@0.3.* and @0.2.*) (introduced vulnerabilities) via unmaintained packages (cannot update their dependencies). If wd@0.3.*, @0.2.* can fix the issues, the vulnerable patches can be automatically propagated into the active downstream projects.

jlipps (Collaborator) commented Jul 12, 2021

Hi @paimon0715 unfortunately this project isn't maintained. If you want to make the appropriate vuln fixes and submit as a PR, I'm happy to merge and publish a new version.

timstallmann commented

Opened #641 to address this
