CVE-2021-3803 (High) detected in nth-check-1.0.2.tgz #1081

mend-for-github-com · 2022-01-04T00:36:52Z

CVE-2021-3803 - High Severity Vulnerability

Vulnerable Library - nth-check-1.0.2.tgz

performant nth-check parser & compiler

Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz

Dependency Hierarchy:

cheerio-0.22.0.tgz (Root Library)
- css-select-1.2.0.tgz
  - ❌ nth-check-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 4fd064970b66ce555f48c22dfab6ed965d0e260a

Found in base branch: main

Vulnerability Details

nth-check is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3803

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: fb55/nth-check@v2.0.0...v2.0.1

Release Date: 2021-09-17

Fix Resolution (nth-check): 2.0.1

Direct dependency fix Resolution (cheerio): 1.0.0-rc.5

The text was updated successfully, but these errors were encountered:

tmarkley · 2022-01-06T16:45:43Z

$ npm ls nth-check
opensearch-dashboards@2.0.0 /home/ubuntu/ws/OpenSearch-Dashboards
├─┬ cheerio@0.22.0
│ └─┬ css-select@1.2.0
│   └── nth-check@1.0.2
└─┬ svgo@1.3.2 extraneous
  └─┬ css-select@2.0.2 extraneous
    └── nth-check@1.0.2 deduped

$ yarn why nth-check
yarn why v1.22.17
[1/4] Why do we have the module "nth-check"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.4.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "nth-check@1.0.2"
info Reasons this module exists
   - "_project_#css-select" depends on it
   - Hoisted from "_project_#css-select#nth-check"
   - Hoisted from "_project_#@osd#storybook#@storybook#react#@svgr#webpack#@svgr#plugin-svgo#svgo#css-select#nth-check"
info Disk size without dependencies: "24KB"
info Disk size with unique dependencies: "36KB"
info Disk size with transitive dependencies: "36KB"
info Number of shared dependencies: 1
Done in 1.85s.

tmarkley · 2022-01-06T16:49:28Z

The @storybook/react changes in #1104 remove this dependency, so we'll want to wait for that to be merged first before addressing the css-select dependency.

* Addressing the `nth-check` CVE required bumping `css-select`, which is a dependency of `cheerio`. Bumping `cheerio` requires upgrading from TypeScript 4.0 to 4.1. * TypeScript 4.1 introduces a set of [breaking changes](https://devblogs.microsoft.com/typescript/announcing-typescript-4-1/#breaking-changes). The main changes that impact Dashboards is that `resolve`'s parameters are no longer optional in `Promise`s, and that potentially undefined indexes must use the `!` non-null assertion operator. * The upgrades to TypeScript and `cheerio` triggered some jest errors which prompted the upgrade to the `enzyme` dependencies. * Merges files under /src/test_utils and /src/dev/jest into the @osd/test package to simplify. Resolves opensearch-project#1081 Signed-off-by: Tommy Markley <markleyt@amazon.com>

* Addressing the `nth-check` CVE required bumping `css-select`, which is a dependency of `cheerio`. Bumping `cheerio` requires upgrading from TypeScript 4.0 to 4.1. * TypeScript 4.1 introduces a set of [breaking changes](https://devblogs.microsoft.com/typescript/announcing-typescript-4-1/#breaking-changes). The main changes that impact Dashboards is that `resolve`'s parameters are no longer optional in `Promise`s, and that potentially undefined indexes must use the `!` non-null assertion operator. * The upgrades to TypeScript and `cheerio` triggered some jest errors which prompted the upgrade to the `enzyme` dependencies. * Merges files under `/src/test_utils` and `/src/dev/jest` into the `@osd/test` package to simplify. Resolves opensearch-project#1081 Signed-off-by: Tommy Markley <markleyt@amazon.com>

* Addressing the `nth-check` CVE required bumping `css-select`, which is a dependency of `cheerio`. Bumping `cheerio` requires upgrading from TypeScript 4.0 to 4.1. * TypeScript 4.1 introduces a set of [breaking changes](https://devblogs.microsoft.com/typescript/announcing-typescript-4-1/#breaking-changes). The main changes that impact Dashboards is that `resolve`'s parameters are no longer optional in `Promise`s, and that potentially undefined indexes must use the `!` non-null assertion operator. * The upgrades to TypeScript and `cheerio` triggered some jest errors which prompted the upgrade to the `enzyme` dependencies. * Merges files under `/src/test_utils` and `/src/dev/jest` into the `@osd/test` package to simplify. * Fixes the naming of the `@osd/eslint-config-opensearch-dashboards` package. Resolves opensearch-project#1081 Signed-off-by: Tommy Markley <markleyt@amazon.com>

* Addressing the `nth-check` CVE required bumping `css-select`, which is a dependency of `cheerio`. Bumping `cheerio` requires upgrading from TypeScript 4.0 to 4.1. * TypeScript 4.1 introduces a set of [breaking changes](https://devblogs.microsoft.com/typescript/announcing-typescript-4-1/#breaking-changes). The main changes that impact Dashboards is that `resolve`'s parameters are no longer optional in `Promise`s, and that potentially undefined indexes must use the `!` non-null assertion operator. * The upgrades to TypeScript and `cheerio` triggered some jest errors which prompted the upgrade to the `enzyme` dependencies. * Merges files under `/src/test_utils` and `/src/dev/jest` into the `@osd/test` package to simplify. * Fixes the naming of the `@osd/eslint-config-opensearch-dashboards` package. * Fixes inconsistent plugin installation tests. Resolves opensearch-project#1081 Signed-off-by: Tommy Markley <markleyt@amazon.com>

* Addressing the `nth-check` CVE required bumping `css-select`, which is a dependency of `cheerio`. Bumping `cheerio` requires upgrading from TypeScript 4.0 to 4.1. * TypeScript 4.1 introduces a set of [breaking changes](https://devblogs.microsoft.com/typescript/announcing-typescript-4-1/#breaking-changes). The main changes that impact Dashboards is that `resolve`'s parameters are no longer optional in `Promise`s, and that potentially undefined indexes must use the `!` non-null assertion operator. * The upgrades to TypeScript and `cheerio` triggered some jest errors which prompted the upgrade to the `enzyme` dependencies. * Merges files under `/src/test_utils` and `/src/dev/jest` into the `@osd/test` package to simplify. * Fixes the naming of the `@osd/eslint-config-opensearch-dashboards` package. * Fixes inconsistent plugin installation tests. Resolves opensearch-project#1081 Signed-off-by: Tommy Markley <markleyt@amazon.com> Signed-off-by: Miki <miki@amazon.com>

`nth-check` is a dependency of `cheerio > css-select`. Even though our dependency on `cheerio@0.22.0` pulls in `nth-check@~1.0.1`, its signature hasn't changed in `nth-check@2.0.1` and a resolution to bump works. Resolves opensearch-project#1081 Signed-off-by: Miki <miki@amazon.com>

`nth-check` is a dependency of `cheerio > css-select`. Even though our dependency on `cheerio@0.22.0` pulls in `nth-check@~1.0.1`, its signature hasn't changed in `nth-check@2.0.1` and a resolution to bump works. Resolves #1081 Signed-off-by: Miki <miki@amazon.com>

* Addressing the `nth-check` CVE requires bumping `css-select`, which is a dependency of `cheerio`. Bumping `cheerio` requires upgrading from TypeScript 4.0 to 4.1. * TypeScript 4.1 introduces a set of [breaking changes](https://devblogs.microsoft.com/typescript/announcing-typescript-4-1/#breaking-changes). The main changes that impact Dashboards is that `resolve`'s parameters are no longer optional in `Promise`s, and that potentially undefined indexes must use the `!` non-null assertion operator. * The upgrades to TypeScript and `cheerio` triggered some jest errors which prompted the upgrade to the `enzyme` dependencies. * Merges files under `/src/test_utils` and `/src/dev/jest` into the `@osd/test` package to simplify. * Fixes the naming of the `@osd/eslint-config-opensearch-dashboards` package. * Fixes inconsistent plugin installation tests. Resolves opensearch-project#1081 Signed-off-by: Tommy Markley <markleyt@amazon.com>

Issue Resolve: opensearch-project#1081 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

…to 2.0.1 Issue Resolve: opensearch-project#1081 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

…to 2.0.1 Issue Resolve opensearch-project#1081 Backport PR opensearch-project#1422 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Issue Resolve opensearch-project#1081 Backport PR opensearch-project#1422 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Issue Resolve #1081 Backport PR #1422 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Issue Resolve #1081 Backport PR #1422 Signed-off-by: Anan Zhuang <ananzh@amazon.com> (cherry picked from commit 430c93b) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Issue Resolve #1081 Backport PR #1422 (cherry picked from commit 430c93b) Signed-off-by: Anan Zhuang <ananzh@amazon.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jan 4, 2022

tmarkley added high severity High severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels Jan 4, 2022

tmarkley self-assigned this Jan 18, 2022

tmarkley mentioned this issue Feb 10, 2022

Upgrades TypeScript to 4.1, simplifies jest config #1230

Closed

7 tasks

tmarkley added the v2.0.0 label Feb 28, 2022

ashwin-pc assigned boktorbb Mar 28, 2022

AMoo-Miki mentioned this issue Apr 2, 2022

Bumps the nested dependency of nth-check to v2.0.1 #1422

Merged

7 tasks

AMoo-Miki closed this as completed in #1422 Apr 4, 2022

ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023

[CVE-2021-3803] Bump the nested dependency nth-check from 1.0.2 to 2.0.1

69479bd

Issue Resolve: opensearch-project#1081 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023

[CVE-2021-3803][1.x] Bump the nested dependency nth-check from 1.0.2 …

db02051

…to 2.0.1 Issue Resolve: opensearch-project#1081 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023

[CVE-2021-3803][1.x] Bump nth-check from 1.0.2 to 2.0.1

9ff90f0

Issue Resolve opensearch-project#1081 Backport PR opensearch-project#1422 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

ananzh mentioned this issue Mar 30, 2023

[CVE-2021-3803][1.x] Bump nth-check from 1.0.2 to 2.0.1 #3729

Merged

8 tasks

ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Mar 30, 2023

[CVE-2021-3803][1.x] Bump nth-check from 1.0.2 to 2.0.1

6d0af4f

Issue Resolve opensearch-project#1081 Backport PR opensearch-project#1422 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

ananzh added a commit that referenced this issue Mar 30, 2023

[CVE-2021-3803][1.x] Bump nth-check from 1.0.2 to 2.0.1 (#3729)

430c93b

Issue Resolve #1081 Backport PR #1422 Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2021-3803 (High) detected in nth-check-1.0.2.tgz #1081

CVE-2021-3803 (High) detected in nth-check-1.0.2.tgz #1081

mend-for-github-com bot commented Jan 4, 2022 •

edited

Loading

tmarkley commented Jan 6, 2022

tmarkley commented Jan 6, 2022

CVE-2021-3803 (High) detected in nth-check-1.0.2.tgz #1081

CVE-2021-3803 (High) detected in nth-check-1.0.2.tgz #1081

Comments

mend-for-github-com bot commented Jan 4, 2022 • edited Loading

CVE-2021-3803 - High Severity Vulnerability

tmarkley commented Jan 6, 2022

tmarkley commented Jan 6, 2022

mend-for-github-com bot commented Jan 4, 2022 •

edited

Loading