
[Bug]: Security issues in the underlying packages #4168

Closed
iSeiryu opened this issue Jun 23, 2023 · 5 comments · Fixed by #4169
Labels
Security Pull requests that address a security vulnerability

Comments

iSeiryu commented Jun 23, 2023

Version

29.1.0

Steps to reproduce

Before yesterday, npm i reported only 4 low vulnerabilities, but yesterday it suddenly started showing 32 moderate vulnerabilities.

This package is flagged, but additional issues might need to be created on the dependency packages.

P.S. you guys need a [Security] issue template.

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install ts-jest@27.0.3, which is a breaking change
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/child-process-ext/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/make-dir/node_modules/semver
  @babel/core  *
  Depends on vulnerable versions of @babel/helper-compilation-targets
  Depends on vulnerable versions of semver
  node_modules/@babel/core
    @babel/helper-compilation-targets  *
    Depends on vulnerable versions of @babel/core
    Depends on vulnerable versions of semver
    node_modules/@babel/helper-compilation-targets
    @jest/transform  *
    Depends on vulnerable versions of @babel/core
    Depends on vulnerable versions of babel-plugin-istanbul
    node_modules/@jest/transform
      @jest/core  *
      Depends on vulnerable versions of @jest/reporters
      Depends on vulnerable versions of @jest/transform
      Depends on vulnerable versions of jest-config
      Depends on vulnerable versions of jest-resolve-dependencies
      Depends on vulnerable versions of jest-runner
      Depends on vulnerable versions of jest-runtime
      Depends on vulnerable versions of jest-snapshot
      node_modules/@jest/core
        jest  >=24.0.0-alpha.0
        Depends on vulnerable versions of @jest/core
        Depends on vulnerable versions of jest-cli
        node_modules/jest
          ts-jest  >=25.10.0-alpha.1
          Depends on vulnerable versions of babel-jest
          Depends on vulnerable versions of jest
          node_modules/ts-jest
        jest-cli  >=24.0.0-alpha.0
        Depends on vulnerable versions of @jest/core
        Depends on vulnerable versions of jest-config
        node_modules/jest-cli
      babel-jest  >=18.5.0-alpha.7da3df39
      Depends on vulnerable versions of @babel/core
      Depends on vulnerable versions of @jest/transform
      Depends on vulnerable versions of babel-plugin-istanbul
      Depends on vulnerable versions of babel-preset-jest
      node_modules/babel-jest
      jest-runner  >=24.2.0-alpha.0
      Depends on vulnerable versions of @jest/transform
      Depends on vulnerable versions of jest-runtime
      node_modules/jest-runner
        jest-config  >=24.0.0-alpha.0
        Depends on vulnerable versions of @babel/core
        Depends on vulnerable versions of babel-jest
        Depends on vulnerable versions of jest-circus
        Depends on vulnerable versions of jest-runner
        node_modules/jest-config
      jest-runtime  >=24.2.0-alpha.0
      Depends on vulnerable versions of @jest/globals
      Depends on vulnerable versions of @jest/transform
      Depends on vulnerable versions of jest-snapshot
      node_modules/jest-runtime
        jest-circus  >=25.2.4
        Depends on vulnerable versions of @jest/expect
        Depends on vulnerable versions of jest-runtime
        Depends on vulnerable versions of jest-snapshot
        node_modules/jest-circus
    babel-preset-current-node-syntax  *
    Depends on vulnerable versions of @babel/core
    node_modules/babel-preset-current-node-syntax
      babel-preset-jest  >=24.2.0-alpha.0
      Depends on vulnerable versions of @babel/core
      Depends on vulnerable versions of babel-preset-current-node-syntax
      node_modules/babel-preset-jest
    istanbul-lib-instrument  >=1.2.0
    Depends on vulnerable versions of @babel/core
    Depends on vulnerable versions of semver
    node_modules/istanbul-lib-instrument
      @jest/reporters  *
      Depends on vulnerable versions of @jest/transform
      Depends on vulnerable versions of istanbul-lib-instrument
      Depends on vulnerable versions of istanbul-lib-report
      Depends on vulnerable versions of istanbul-reports
      node_modules/@jest/reporters
      babel-plugin-istanbul  >=3.1.0-candidate.0
      Depends on vulnerable versions of istanbul-lib-instrument
      node_modules/babel-plugin-istanbul
    jest-snapshot  >=27.0.0-next.0
    Depends on vulnerable versions of @babel/core
    Depends on vulnerable versions of @jest/transform
    Depends on vulnerable versions of babel-preset-current-node-syntax
    node_modules/jest-snapshot
      @jest/expect  *
      Depends on vulnerable versions of jest-snapshot
      node_modules/@jest/expect
        @jest/globals  >=28.0.0-alpha.0
        Depends on vulnerable versions of @jest/expect
        node_modules/@jest/globals
      jest-resolve-dependencies  >=27.0.0-next.0
      Depends on vulnerable versions of jest-snapshot
      node_modules/jest-resolve-dependencies
  cross-spawn  6.0.0 - 6.0.5
  Depends on vulnerable versions of semver
  node_modules/child-process-ext/node_modules/cross-spawn
    child-process-ext  *
    Depends on vulnerable versions of cross-spawn
    node_modules/child-process-ext
      @serverless/dashboard-plugin  *
      Depends on vulnerable versions of @serverless/utils
      Depends on vulnerable versions of child-process-ext
      node_modules/@serverless/dashboard-plugin
        serverless  >=1.61.0
        Depends on vulnerable versions of @serverless/dashboard-plugin
        Depends on vulnerable versions of @serverless/utils
        Depends on vulnerable versions of child-process-ext
        node_modules/serverless
          serverless-plugin-typescript  2.0.0 - 2.1.5
          Depends on vulnerable versions of serverless
          node_modules/serverless-plugin-typescript
  make-dir  2.0.0 - 3.1.0
  Depends on vulnerable versions of semver
  node_modules/make-dir
    @serverless/utils  >=5.1.0
    Depends on vulnerable versions of make-dir
    node_modules/@serverless/utils
      serverless-offline  >=9.0.0
      Depends on vulnerable versions of @serverless/utils
      Depends on vulnerable versions of serverless
      node_modules/serverless-offline
    istanbul-lib-report  >=2.0.5
    Depends on vulnerable versions of make-dir
    node_modules/istanbul-lib-report
      istanbul-reports  >=3.0.0-alpha.0
      Depends on vulnerable versions of istanbul-lib-report
      node_modules/istanbul-reports

36 vulnerabilities (4 low, 32 moderate)

Expected behavior

There should be no vulnerabilities.

Actual behavior

There are 32 new vulnerabilities.

Debug log

None

Additional context

No response

Environment

OS: Linux, Windows, Mac
Node: 16 and 18

ahnpnl (Collaborator) commented Jun 23, 2023

I see in the log that "Will install ts-jest@27.0.3, which is a breaking change", but you mentioned it's version 29.1.0. I don't see anything mentioned about version 29.1.0.

@ahnpnl ahnpnl linked a pull request Jun 23, 2023 that will close this issue

ahnpnl (Collaborator) commented Jun 23, 2023

Bot will fix it :)

@ahnpnl ahnpnl added Security Pull requests that address a security vulnerability and removed Bug Report Needs Triage labels Jun 23, 2023

ahnpnl (Collaborator) commented Jun 23, 2023

There is more to that, like conventional changelog, which we are using, but it's a dev dep only. A direct dep is semver, which can be bumped to solve the issue by making a release.

iSeiryu (Author) commented Jun 23, 2023

@ahnpnl We are on 29.1.0, and npm audit says that to fix it we need to drop to 27.0.3, which we cannot do since it introduces hundreds of breaking changes.

iSeiryu (Author) commented Jun 23, 2023

@ahnpnl
https://www.npmjs.com/package/semver released a new 7.5.3 version 20 hours ago. I'm assuming that's to fix that vulnerability. If ts-jest could release a new package that references the new version that would be awesome.
