
There is no CVE-2021-35065, Chokidar is not vulnerable #1191

Open
paulmillr opened this issue Jan 10, 2022 · 11 comments
Labels
dependencies Pull requests that update a dependency file

Comments

@paulmillr
Owner

paulmillr commented Jan 10, 2022

CVE-2021-35065 only applies to glob-parent 5.1.1 and 6.0.0, it does not apply to 5.1.2 which we are using. glob-parent 5.1.2 is not vulnerable. We will not update to 6.0 because chokidar 3 needs to support nodejs v8.

If your tool tells you chokidar is vulnerable, report issues to your build tool. White Source Software is a particular piece of shit since it does not do proper checks.

github/advisory-database#531 github/advisory-database#533

@paulmillr paulmillr pinned this issue Jan 10, 2022
@paulmillr paulmillr changed the title Test There is no CVE-2021-35065, Chokidar is not vulnerable Jan 10, 2022
@paulmillr paulmillr added the dependencies Pull requests that update a dependency file label Jan 10, 2022
@dzzk

dzzk commented Jan 10, 2022

We will not update to 6.0 because chokidar 3 needs to support nodejs v8.

Do you mean Node.js Carbon v8.x.x, last updated on 2019-12-17, or are you talking about the V8 engine itself?

And thank you for the quick response.

@paulmillr
Owner Author

Yes, we will still support Node from 2019, because chokidar is used by tens of millions of users and some of them cannot easily upgrade their child deps.

@dzzk

dzzk commented Jan 10, 2022

Wouldn't it be a nice idea if I made a PR for chokidar 4 with all possible changes for newer Node.js versions within your repo? I do not want to waste GitHub environment for nothing and increase entropy in the Universe, but I need to have the 6.0.2 version somewhere.

What do you think?

@paulmillr
Owner Author

Chokidar 4 will probably need a TypeScript rewrite. I don't think it matters without big changes.

@paulmillr
Owner Author

#1195

@mtarnawa

mtarnawa commented Jan 12, 2023

@paulmillr
https://nvd.nist.gov/vuln/detail/CVE-2021-35065#range-8736225

Just to clarify - the NVD record was modified a couple of days ago to also include 5.1.2, hence the inflow of new issues. I understand that the official stance is still that 5.1.2 is not vulnerable?

    cpe:2.3:a:gulpjs:glob-parent:-:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:1.0.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:1.1.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:1.2.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:1.3.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:2.0.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:3.0.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:3.0.1:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:3.1.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:4.0.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:5.0.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:5.1.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:5.1.1:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:5.1.2:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:6.0.0:*:*:*:*:node.js:*:*

@paulmillr
Owner Author

@mtarnawa read the first post one more time. It doesn't matter who posts this stuff.

@mtarnawa

mtarnawa commented Jan 12, 2023

@mtarnawa read the first post one more time. It doesn't matter who posts this stuff.

I did read it, as well as the relevant issue in the glob-parent project from a year back. I was surprised to see the CPEs were updated suddenly in the last couple of days, which is why I wanted to reconfirm - it's no longer about the vendor of security tool xyz being overzealous, but it's now being flagged in NVD, which is bad (a whole other level of bad compared to the npm audit that was mentioned or GH advisories), but from what you are saying - still incorrect. Thanks.

@llpaul

llpaul commented Jan 13, 2023

It appears that 5.1.2 and 6.0.1 took very different paths to resolve the vulnerability, and there is much discussion in the 6.0.1 pull request which seems to imply the approach in 5.1.2 may really be a partial fix and have issues of its own. It's not clear to me if that is why the NVD was updated to include 5.1.2; I've looked, but haven't found any comment accompanying the update. I do see that Snyk still lists 5.1.2 as not vulnerable, however, so my inclination is to trust them. In fact, according to Snyk, CVE-2021-35065 only applies to 6.0.0; CVE-2020-28469 is the CVE that covers all versions 5.1.1 and lower.

Node.js v8 reached end of life on Dec 31, 2019. Doesn't it make sense to adopt the latest version of gulp/glob-parent and let those who need to use Node 8 just use an old version of chokidar? Either way they're choosing to use unsupported libraries. And it's pretty clear that glob-parent is not going to support two codelines, so I would think you wouldn't want to get too far out of date with it.

@llpaul

llpaul commented Jan 13, 2023

I have sent the following note on the NIST page requesting they fix the issue:

I believe https://nvd.nist.gov/vuln/detail/CVE-2021-35065 was incorrectly updated recently. It now indicates that all versions < 6.0.1 are vulnerable.

I believe that CVE-2021-35065 only applies to version 6.0.0. Versions before 6.0.0 are covered by CVE-2020-28469 (5.1.2 fixes the issue, so it applies to versions <= 5.1.1)

Snyk makes this clear on their website: https://security.snyk.io/package/npm/glob-parent

And according to the NIST site, snyk appears to be the authoritative source for these vulnerabilities.
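As an added example (not code from chokidar, glob-parent, NVD or any commenter here), the following Node.js script parses the CPE 2.3 strings quoted earlier in the thread and classifies each concrete version under the two range readings discussed in this issue: the updated NVD record as described above ("all versions < 6.0.1") versus the split where CVE-2021-35065 covers only 6.0.0 and CVE-2020-28469 covers everything below the 5.1.2 fix. The reading labels and the `lt`/`eq` range notation are the example's own assumptions.

```javascript
// Constructed subset of the NVD CPE list quoted earlier in this thread.
const CPE_LIST = [
  "cpe:2.3:a:gulpjs:glob-parent:-:*:*:*:*:node.js:*:*",
  "cpe:2.3:a:gulpjs:glob-parent:5.1.1:*:*:*:*:node.js:*:*",
  "cpe:2.3:a:gulpjs:glob-parent:5.1.2:*:*:*:*:node.js:*:*",
  "cpe:2.3:a:gulpjs:glob-parent:6.0.0:*:*:*:*:node.js:*:*",
];

// Two readings of the advisory ranges (labels and notation are assumptions of
// this example): the updated NVD record ("< 6.0.1" under CVE-2021-35065) versus
// the split where CVE-2021-35065 is 6.0.0 only and CVE-2020-28469 is < 5.1.2.
const READINGS = {
  nvdUpdated: { "CVE-2021-35065": { lt: "6.0.1" } },
  split: { "CVE-2021-35065": { eq: "6.0.0" }, "CVE-2020-28469": { lt: "5.1.2" } },
};

// Version field (index 5) of a CPE 2.3 formatted string. "-" (not applicable)
// and "*" (any) carry no concrete version and are returned as null.
function cpeVersion(cpe) {
  const parts = cpe.split(":");
  if (parts[0] !== "cpe" || parts[1] !== "2.3" || parts.length !== 13) {
    throw new Error("not a CPE 2.3 formatted string: " + cpe);
  }
  return parts[5] === "-" || parts[5] === "*" ? null : parts[5];
}

// Numeric dotted-version comparison; the versions here have no pre-release tags.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function inRange(v, range) {
  if (range.eq !== undefined) return cmpVersion(v, range.eq) === 0;
  return cmpVersion(v, range.lt) < 0;
}

// Map each concrete version in the CPE list to the CVE ids that claim it under
// the given reading; an empty array means "not flagged".
function classify(cpes, reading) {
  const result = {};
  for (const cpe of cpes) {
    const v = cpeVersion(cpe);
    if (v === null) continue;
    result[v] = Object.keys(reading).filter((id) => inRange(v, reading[id]));
  }
  return result;
}
```

Running `classify(CPE_LIST, READINGS.nvdUpdated)` flags 5.1.2 while `classify(CPE_LIST, READINGS.split)` leaves it unflagged, which is exactly the disagreement this thread is about.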

@paulmillr
Owner Author

Snyk is not more authoritative than others. They had these errors as well, last year. Most of these "vulnerability scanners" are useless.
