
[security] plans for replacement of unmaintained taffydb dependency #2013

Closed
DerekNonGeneric opened this issue Sep 29, 2022 · 3 comments

Comments

@DerekNonGeneric

The currently-depended-upon version of taffydb, which is the last version of this module since it has gone unmaintained, was issued a high-severity vulnerability: CVE-2019-10790. This issue is to ask what plans you have to replace it (or whether there are any yet). Unfortunately, this is a rather deep dependency in my package's dependency tree, so we will have to coordinate to get everyone updated before we make our subsequent security releases.

I really appreciate any help you can provide.

Input code

n/a

JSDoc configuration

n/a

JSDoc debug output

n/a

Expected behavior

n/a

Current behavior

n/a

Your environment

| Software | Version |
| --- | --- |
| JSDoc | 3.6.11 |
| Node.js | 16.13.0 |
| npm | 8.1.0 |
| Operating system | Linux (Debian Bullseye) |
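The coordination problem raised in this issue (taffydb sitting deep in the tree, so every package between the root and taffydb has to release before the root can move) is easier to work once each chain from the root to the vulnerable package is listed. The following is an added example, not code from this thread or from JSDoc; it assumes a lockfileVersion 2 or 3 package-lock.json, reads only its `packages` map, and runs on a constructed sample lock.

```javascript
// Added example, not code from this thread or from JSDoc: list every chain in a
// package-lock.json (lockfileVersion 2/3 "packages" map) that ends at a package.
// Constructed sample lock (names and versions are illustrative). Keys are paths
// under node_modules; "" is the root project.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'my-app', dependencies: { 'some-tool': '^1.0.0', jsdoc: '^3.6.11' } },
    'node_modules/some-tool': { version: '1.0.0', dependencies: { jsdoc: '^3.6.11' } },
    'node_modules/jsdoc': { version: '3.6.11', dependencies: { taffydb: '2.6.2' } },
    'node_modules/taffydb': { version: '2.6.2' },
  },
};

// Package name from a lock path ("node_modules/a/node_modules/@s/b" -> "@s/b").
const nameOf = (path) => path.split('node_modules/').pop();

// Node-style resolution: node_modules/<name> beside the dependant, then each enclosing scope.
function resolveDep(packages, fromPath, name) {
  for (let scope = fromPath; ; ) {
    const candidate = (scope ? scope + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!scope) return null; // not in the lock (e.g. an optional dependency)
    const cut = scope.lastIndexOf('/node_modules/');
    scope = cut === -1 ? '' : scope.slice(0, cut);
  }
}

// Depth-first walk from the root; each chain reaching `target` is returned as
// ["name@version", ...]. Cycles are cut by checking the current chain.
function chainsTo(lock, target) {
  const pkgs = lock.packages;
  const found = [];
  (function walk(path, chain) {
    for (const dep of Object.keys(pkgs[path].dependencies || {})) {
      const depPath = resolveDep(pkgs, path, dep);
      if (!depPath || chain.includes(depPath)) continue;
      const next = chain.concat(depPath);
      if (nameOf(depPath) === target) found.push(next.map((p) => `${nameOf(p)}@${pkgs[p].version}`));
      else walk(depPath, next);
    }
  })('', []);
  return found;
}

// Packages between the root and `target`; each must release before the root can drop it.
function intermediaries(lock, target) {
  const names = chainsTo(lock, target).flatMap((chain) => chain.slice(0, -1));
  return [...new Set(names)].sort();
}
```

Point it at a real lock with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` in place of `SAMPLE_LOCK`; the `intermediaries` list is the set of maintainers to coordinate with.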
@hegemonic
Contributor

I'm working on a permanent solution for this issue, and I hope to have more information to share within the next week or two. Stay tuned!

(In the meantime, for what it's worth, I think this "vulnerability" is pretty meaningless. The "vulnerability" provides a sneaky, unintended way to access specific records in a TaffyDB database. But TaffyDB doesn't pretend to have any sort of access control; you can always get all records in the database by calling db().get(). Also, JSDoc only uses TaffyDB to store information about your source code, which you already have access to—otherwise JSDoc wouldn't be able to parse it. All of that said, I don't want to train people to ignore CVEs, and I know it's hard to convince your colleagues or your employer to dismiss a specific CVE, so I'm doing the work to solve the issue.)

@hegemonic
Contributor

Okay, I wrote a drop-in replacement, @jsdoc/salty, for the parts of TaffyDB that JSDoc uses. I also released JSDoc 4.0.0, which replaces taffydb with @jsdoc/salty.

If your JSDoc template doesn't work with JSDoc 4.0.0, follow the instructions in Use Salty in a JSDoc template. In most cases, this change is a one-line update to the template's publish.js and package.json files. The template will remain backwards-compatible with previous versions of JSDoc.

Hope this meets your needs—please file a new issue if it doesn't!

@DerekNonGeneric
Author

@hegemonic, congrats on the release! That was a relatively speedy fix too; much appreciated.
