Vulnerability (low severity) introduced by `find-node-modules`

[codepunkt]

The braces npm module is vulnerable to Regular Expression Denial of Service (ReDoS).

The braces module is a dependency of commitizen via

• commitizen@2.9.6
  • find-node-modules@1.0.4
    • findup-sync@0.4.2
      • micromatch@2.3.11
        • braces@1.8.5

There is no new version of findup-sync or find-node-modules available that comes with a braces version >= 2.3.1 to fix the vulnerability.

I suggest using a package other than find-node-modules for the required functionality.

[jimthedev]

FYI I put in gulpjs/findup-sync#43 for find-node-modules. Once that gets merged and a new release I will put in a PR for find-node-modules.

[jimthedev]

Thanks for bringing this up btw. Generally speaking I am not likely to move off a module but would rather put in the PRs to get it up to date. We rely on their functionality so we should contribute back through PRs. If there is a PR that isn't being merged for a long time that we need merged then we could have that conversation.

[codepunkt]

@jimthedev That's always the better option!

Sometimes the problem lies so deep in the dependency chain and modules in between seem unmaintained and haven't released a new version in ages so that it's like fighting windmills to get every dependency layer updated and released as a new version.

It's only a low severity vulnerability and it might not even possible to exploit it via commitizen, so i guess it's not urgent. Just wanted you to have this on your radar!

[JohannesLamberts]

@jimthedev Npm audit fails in projects using the latest version of commitizen as of https://www.npmjs.com/advisories/786 (published Feb 15th, 2019) for the reason discussed above.

Since find-node-modules was last updated two years ago and has only 62 LOC I would suggest to move the functionallity into commitizen.#

There is also another MR in find-node-modules for another npm audit issue that had not been merged for 21 days (callumacrae/find-node-modules#9).

[Magneticmagnum]

We're getting the same audit fails too in our project. Anyone happen to know if the previous version had audit issues?

[callumacrae]

👋

didn't see that PR, thanks @jimthedev for the poke on twitter

will merge anything else sent - npm is reporting one more minor vulnerability (although it's not a vulnerability that can actually be exploited through find-node-modules).

alternatively, happy to add a contributor from this repo as a contributor to find-node-modules, or just transfer the entire thing to commitizen - I don't actually use it anymore

[jimthedev]

3.0.6 released with latest find-node-modules.

[jimthedev]

We're good. Thanks all! <3