
Security vulnerability in a dependency #242

Closed
julianna-ciq opened this issue Feb 13, 2023 · 2 comments

@julianna-ciq
I use @electron/get as a dependency, and I started failing audits for this issue:
GHSA-8x6c-cv3v-vp6g

@electron/get v2.02 uses got v11.8.5, which uses cacheable-request v7.0.2. Any version of cacheable-request below 10.2.7 is vulnerable to the above advisory. The latest version of got, v12.5.3, references a safe version of cacheable-request, so updating the got dependency should also address this advisory.

I tried using yarn resolutions to force cacheable-request to v10.2.7, and I got the following error messages:

Error [ERR_REQUIRE_ESM]: require() of ES Module /.../node_modules/got/dist/source/index.js from .../node_modules/@electron/get/dist/cjs/GotDownloader.js not supported.
Instead change the require of index.js in .../node_modules/@electron/get/dist/cjs/GotDownloader.js to a dynamic import() which is available in all CommonJS modules.
    at Object.<anonymous> (...r/node_modules/@electron/get/dist/cjs/GotDownloader.js:15:15)
    at .../node_modules/@electron/get/dist/cjs/downloader-resolver.js:8:66
    at async Object.getDownloaderForSystem (.../node_modules/@electron/get/dist/cjs/downloader-resolver.js:8:31)
    at async .../node_modules/@electron/get/dist/cjs/index.js:67:59
    at async useAndRemoveDirectory (.../node_modules/@electron/get/dist/cjs/utils.js:10:18)

Request
Can this package update to a non-vulnerable version of got or cacheable-request?

@erickzhao

erickzhao commented Feb 13, 2023

cacheable-request depends on http-cache-semantics, which contains an Inefficient Regular Expression Complexity in versions prior to 4.1.1 of that package.

The underlying issue is stemming from cacheable-request<4.1.1, but cacheable-request@7.0.2 seems to only specify http-cache-semantics^4.0.0. You could probably upgrade http-cache-semantics in your lockfile without upgrading cacheable-request to receive the DoS fix, assuming that package follows semver closely.
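As an added illustration of the lockfile check suggested above (example code, not from @electron/get or this thread), the script below walks a package-lock.json style `packages` map for the chain described in the issue, reports every resolved copy of http-cache-semantics older than 4.1.1, and checks whether pinning a fixed version still satisfies the `^4.0.0` range that cacheable-request declares. The lockfile fragment and the 4.1.0 / 2.0.2 versions in it are constructed sample data, and the caret rule is a simplified stand-in for the semver package.

```javascript
// Added example: audit a package-lock-style tree for a vulnerable transitive
// dependency and check that a lockfile override stays inside the declared range.

// Constructed lockfile fragment modelled on the chain described in the issue.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/@electron/get": { version: "2.0.2", dependencies: { got: "^11.8.5" } },
    "node_modules/got": { version: "11.8.5", dependencies: { "cacheable-request": "^7.0.2" } },
    "node_modules/cacheable-request": { version: "7.0.2", dependencies: { "http-cache-semantics": "^4.0.0" } },
    "node_modules/http-cache-semantics": { version: "4.1.0" }, // constructed: below the 4.1.1 fix
  },
};

// Parse "X.Y.Z" (optionally prefixed with ^ or ~) into three integers.
function parseVersion(v) {
  return v.replace(/^[\^~]/, "").split(".").map((n) => parseInt(n, 10) || 0);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Simplified caret rule: not below the base version, same major, and for
// 0.x bases also the same minor (npm's exact 0.0.x handling is omitted).
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const base = parseVersion(range);
  const v = parseVersion(version);
  if (v[0] !== base[0]) return false;
  if (base[0] === 0 && v[1] !== base[1]) return false;
  return compareVersions(version, range) >= 0;
}

// Every resolved copy of `name` in the tree whose version is older than `fixedIn`.
function findVulnerable(lock, name, fixedIn) {
  return Object.entries(lock.packages)
    .filter(([path]) => path.endsWith(`node_modules/${name}`))
    .filter(([, meta]) => compareVersions(meta.version, fixedIn) < 0)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Would pinning `dep` to `newVersion` still satisfy the range `dependent` declares?
function overrideStaysInRange(lock, dependent, dep, newVersion) {
  const entry = Object.entries(lock.packages).find(([p]) => p.endsWith(`node_modules/${dependent}`));
  const range = entry && entry[1].dependencies && entry[1].dependencies[dep];
  if (!range) throw new Error(`${dependent} does not declare ${dep}`);
  return satisfiesCaret(range, newVersion);
}
```

Running `findVulnerable(SAMPLE_LOCK, "http-cache-semantics", "4.1.1")` on real data means loading your own package-lock.json in place of the constructed object; a non-empty result lists the paths an override or upgrade needs to cover.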

@MarshallOfSound

This is an incorrect GHSA report; I've filed a PR to fix this in the advisory database: github/advisory-database#1703
