This repository has been archived by the owner on Mar 25, 2021. It is now read-only.

Fix CVE-2020-7598 #4917

Closed
WPMGPRoSToTeMa opened this issue Mar 16, 2020 · 14 comments · Fixed by #4918

Comments

@WPMGPRoSToTeMa

TSLint is also affected just like ESLint (eslint/eslint#13050).

@JoshuaKGoldberg
Contributor

Quick reference: GHSA-7fhm-mqm4-2wp7

TSLint is also affected

Is it? There aren't any security vulnerabilities posted to TSLint right now. https://github.com/palantir/tslint/security/advisories

If there are, accepting PRs to fix for them. Until then, I don't believe there's any action that needs to be taken? (we don't depend on acorn, for example)

@WPMGPRoSToTeMa
Author

WPMGPRoSToTeMa commented Mar 16, 2020

@JoshuaKGoldberg that is weird. TSLint has minimist dependency which is affected by the vulnerability.

@JoshuaKGoldberg
Contributor

It's possible that only devDependency versions are affected. Or, GitHub is still processing the alert, and we haven't gotten it yet 😄

@praneetloke

praneetloke commented Mar 16, 2020

It looks like tslint depends on mkdirp, which has minimist as a direct dependency. Someone opened a PR to upgrade the minimist version here: isaacs/node-mkdirp#8.

EDIT: It actually looks like the latest version (1.0.0+) of mkdirp no longer has a direct dependency on minimist. It was removed in this commit. tslint uses mkdirp@0.5.1, which does have a very old version of minimist.

@hansnull

FYI:

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Moderate        Prototype Pollution

  Package         minimist

  Patched in      >=1.2.3

  Dependency of   tslint [dev]

  Path            tslint > mkdirp > minimist

  More info       https://npmjs.com/advisories/1179
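As an added example (not from this thread or the TSLint project), a small Node script that does by hand what the audit output above reports: it walks a lockfileVersion-1 package-lock tree and lists every copy of minimist below the patched 1.2.3, with its dependency path. The lockfile fragment and its version numbers are constructed sample data.

```javascript
// Added example (not from this thread): scan a package-lock.json tree for
// copies of minimist older than the patched release reported by npm audit.
// The "dependencies" layout is the lockfileVersion 1 format (nested objects).
const PATCHED = [1, 2, 3]; // advisory: patched in >=1.2.3

// Parse "major.minor.patch"; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True if version tuple a sorts before version tuple b.
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Walk the lock tree and return "root > ... > pkg@x.y.z" paths whose
// version of pkg is below the patched tuple.
function findVulnerable(lock, pkg = 'minimist', patched = PATCHED) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (name === pkg && isOlder(parseVersion(info.version), patched)) {
        hits.push(`${here.join(' > ')}@${info.version}`);
      }
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed lockfile fragment mirroring the "tslint > mkdirp > minimist"
// path from the audit output; versions are sample values, not real data.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    tslint: { version: '6.1.0', dev: true, dependencies: {
      mkdirp: { version: '0.5.1', dependencies: { minimist: { version: '0.0.8' } } } } },
    minimist: { version: '1.2.5' }, // hoisted copy, already patched
  },
};

console.log(findVulnerable(sampleLock)); // [ 'tslint > mkdirp > minimist@0.0.8' ]
```

Point it at a real lockfile with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` in place of `sampleLock`; a hoisted, patched root copy does not clear a nested old copy, which is exactly the case the audit path shows.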

@JoshuaKGoldberg
Contributor

JoshuaKGoldberg commented Mar 18, 2020

Excellent, thanks for the additional info folks! Accepting PRs to bump to a version of mkdirp that doesn't have the dependency on (an old version of) minimist.

@Eyas
Contributor

Eyas commented Mar 18, 2020

Note that mkdirp 1.0.0 requires node >= 10 but tslint still claims to support node >= 4.8.0

The right solution is probably to update mkdirp to 0.5.3 first and make a minor version bump.

You might consider a major version bump to update to mkdirp 1.x, but you'd need to move engine to node >= 10 (which is probably reasonable).

@JoshuaKGoldberg
Contributor

tslint still claims to support node >= 4.8.0

That is... quite far back, and probably no longer true in practice 😬. Amusing.

Per https://www.npmjs.com/package/mkdirp#platform-support:

This module works on node v8, but only v10 and above are officially supported, as Node v8 reached its LTS end of life 2020-01-01, which is in the past, as of this writing.

We can take a dependency on the unofficial v8 support decision, for those same reasons.

@Eyas
Contributor

Eyas commented Mar 18, 2020

I just opened a PR before seeing this. I can switch to 1.x and increase node version if you think that's preferable.

@JoshuaKGoldberg
Contributor

0.5.3 works too! So long as minimist is updated.

@WPMGPRoSToTeMa
Author

@adidahiya are you going to release a new version with the fix for this?

@dscalzi

dscalzi commented Apr 2, 2020

If you delete your lockfile and minimist + mkdirp in node_modules it will automatically fix this.

@adidahiya
Contributor

just released 6.1.1

@JoshuaKGoldberg
Contributor

🤖 Beep boop! 👉 TSLint is deprecated 👈 and you should switch to typescript-eslint! 🤖

🔒 This issue is being locked to prevent further unnecessary discussions. Thank you! 👋

@palantir palantir locked and limited conversation to collaborators Sep 15, 2020