CVE-2021-23362 in hosted-git-info

[kachkaev]

We are using npm-run-all and are seeing this security alert since this morning: CVE-2021-23362. It is introduced via:

npm-run-all@4.1.5
↓
read-pkg@3.0.0
↓
normalize-package-data@2.5.0
↓
hosted-git-info@2.8.8

Looks like upgrading read-pkg to ^5.2.0 should be enough to fix the issue. I’m happy to submit a PR if @mysticatea is happy to cut a release afterwards.

Meanwhile, we’ve added "hosted-git-info": "^4.0.2" to package.json → resolutions.

[SymbioticKilla]

@mysticatea Hi, any plans to update it? Is this project alive?

[SymbioticKilla]

read-pkg@6.0.0 fixes the issue

[kachkaev]

read-pkg@6.0.0 could solve the problem indeed, but it would require this module to become ESM-only. See

• https://github.com/sindresorhus/read-pkg/releases/tag/v6.0.0
• https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c

Using read-pkg@5.2.0 still gives us a vulnerable version of hosted-git-info. If I upgrade read-pkg in this repo, then run npm ls hosted-git-info --prod, the result is:

└─┬ read-pkg@5.2.0
  └─┬ normalize-package-data@2.5.0
    └── hosted-git-info@2.8.8 

🤔

@mysticatea would you be interested in releasing a new breaking version of npm-run-all that would be ESM-only (i.e. for Node 12+)? If so, we can go for upgrading read-pkg to 6.0.0+ and refactoring some if the imports too.

[kachkaev]

An attempt to fix the issue is here: #205

I have some issues with AppVeyor and am giving up for now. Any help would be appreciated! @mysticatea 🙏

[dtothefp]

Yes would be great to get this updated as we are having to move away from this package due to Snyk alerts

[kachkaev]

@dtothefp which alternative have you been able to find?

[lydell]

We can also hope this is true: import-js/eslint-plugin-import#2046 (comment)

[lydell]

Version 2.8.9 of hosted-git-info is now marked as unaffected by the vulnerability! I just got a PR from Dependabot silencing the alert.