
Vulnerability warning due to make-dir version #685

Closed
AkiraMiyakoda opened this issue Jun 26, 2023 · 7 comments

Comments

AkiraMiyakoda commented Jun 26, 2023

Hi developers,

Currently, this package receives a vulnerability warning concerning CVE-2022-25883 reported a few days ago.
This package depends on make-dir which has been updated in order to fix that warning. So I think that node-pre-gyp should be updated to depend on the new version of make-dir.

Here is what I received:

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install argon2@0.27.1, which is a breaking change
node_modules/make-dir/node_modules/semver
  make-dir  2.0.0 - 3.1.0
  Depends on vulnerable versions of semver
  node_modules/make-dir
    @mapbox/node-pre-gyp  >=1.0.1
    Depends on vulnerable versions of make-dir
    node_modules/@mapbox/node-pre-gyp
      argon2  >=0.27.2
      Depends on vulnerable versions of @mapbox/node-pre-gyp
      node_modules/argon2

4 moderate severity vulnerabilities
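The audit tree above is the product of Node's nested resolution: the top-level semver can be patched while make-dir still pins its own copy under node_modules/make-dir/node_modules/semver. The following script, added here as an illustration and not code from the issue or from node-pre-gyp, walks a lockfile-v3-style "packages" map with the same resolution rule and reports every dependency chain from the root to a semver below the fixed version. The lockfile contents and versions (6.3.0, 7.5.4, 1.0.10) are constructed for the example.

```javascript
// Constructed lockfile-v3-style "packages" map (hypothetical versions) that
// mirrors the chain in the audit output; it is not a real package-lock.json.
const LOCK = { packages: {
  "": { dependencies: { argon2: "^0.27.2" } },
  "node_modules/argon2": { version: "0.27.2", dependencies: { "@mapbox/node-pre-gyp": "^1.0.1" } },
  "node_modules/@mapbox/node-pre-gyp": { version: "1.0.10", dependencies: { "make-dir": "^3.1.0", semver: "^7.3.5" } },
  "node_modules/semver": { version: "7.5.4" },                    // top-level copy, already fixed
  "node_modules/make-dir": { version: "3.1.0", dependencies: { semver: "^6.0.0" } },
  "node_modules/make-dir/node_modules/semver": { version: "6.3.0" }, // nested copy flagged by audit
} };

// Package name from a lockfile path ("node_modules/@mapbox/node-pre-gyp" -> "@mapbox/node-pre-gyp").
const pkgName = (p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);

// Numeric x.y.z comparison; prerelease suffixes are ignored (enough for this check).
function versionLessThan(a, b) {
  const pa = a.split(".").map((s) => parseInt(s, 10)), pb = b.split(".").map((s) => parseInt(s, 10));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}

// Node resolution: look in <from>/node_modules/<dep>, then in each ancestor's node_modules.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const cand = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[cand]) return cand;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Return "root -> ... -> name@version" chains for every copy of `name` below `fixedVersion`.
function vulnerableChains(lock, name, fixedVersion) {
  const packages = lock.packages, parents = {};
  for (const [p, meta] of Object.entries(packages)) {          // build reverse (dependent) edges
    for (const dep of Object.keys(meta.dependencies || {})) {
      const target = resolveDep(packages, p, dep);
      if (target) (parents[target] = parents[target] || []).push(p);
    }
  }
  const chains = [];
  const walk = (path, trail, seen) => {                          // climb to the root, guarding cycles
    if (path === "") { chains.push(trail.join(" -> ")); return; }
    if (seen.has(path)) return;
    const label = `${pkgName(path)}@${packages[path].version}`;
    for (const parent of parents[path] || []) walk(parent, [label, ...trail], new Set([...seen, path]));
  };
  for (const [p, meta] of Object.entries(packages))
    if (p !== "" && pkgName(p) === name && versionLessThan(meta.version, fixedVersion)) walk(p, [], new Set());
  return chains;
}

console.log(vulnerableChains(LOCK, "semver", "7.5.2"));
```

Run against a real package-lock.json by replacing LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json"))`; the output tells you which direct dependency to bump or override rather than just that a vulnerable copy exists.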
@striezel
Contributor

It looks like the package is a bit slow to update its dependencies, so maybe semi-automated dependency updates via Dependabot or a similar mechanism can help here. That's why I opened a PR that adds a Dependabot configuration (#688).

@ranisalt

@striezel very slow. Last version was in September; it seems completely abandoned ever since (issues/PRs get no response). I'm looking to remove it from node-argon2.

@striezel
Contributor

> seems completely abandoned ever since (issues/PRs get no response).

That is sad. :(
If the repository is abandoned, then moving away from it seems to be the right action. However, I'm hoping that somebody at @mapbox will pick this up, get the issues fixed and PRs merged, and publish a new version to NPM, because not everyone might be able to completely remove @mapbox/node-pre-gyp from their package dependencies.

@prashant93

Team, any update on the semver vulnerability fix: CVE-2022-25883?

@axrj
Contributor

axrj commented Jul 10, 2023

Hey all, apologies for the delays. Will get this patched soon.

@sagar-sonawane-ma

@axrj can you please share the issue ID link for the fix, so we can trace it for the feature release?

@axrj
Contributor

axrj commented Jul 14, 2023

axrj closed this as completed Jul 14, 2023