
@nestjs/schedule 2.1.0 depends on vulnerable versions of luxon #1122

Closed

PetrShchukin opened this issue Jan 9, 2023 · 3 comments

Labels: bug (Something isn't working), needs triage

Comments

PetrShchukin commented Jan 9, 2023

The @nestjs/schedule package, version 2.1.0, depends on vulnerable versions of luxon (1.0.0 - 1.28.1). Severity: high.

# npm audit report

luxon  1.0.0 - 1.28.1
Severity: high
Luxon Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-3xq5-wjfh-ppjc
fix available via `npm audit fix --force`
Will install cron@1.8.2, which is a breaking change
node_modules/luxon
  cron  >=1.8.3
  Depends on vulnerable versions of luxon
  node_modules/@nestjs/schedule/node_modules/cron
  node_modules/cron
    @nestjs/schedule  >=2.0.1
    Depends on vulnerable versions of cron
    node_modules/@nestjs/schedule

3 high severity vulnerabilities
PetrShchukin changed the title from "nest/schedule 2.1.0 depends on vulnerable versions of luxon" to "@nestjs/schedule 2.1.0 depends on vulnerable versions of luxon" on Jan 9, 2023
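The audit report above is a rendering of the lockfile's dependency graph: two separate `cron` installs (one nested under `@nestjs/schedule`, one at the top level) both resolve to the single `node_modules/luxon`, which is why one vulnerable luxon shows up as three findings. The script below is an added example, not code from this issue or from the @nestjs/schedule project; it reproduces that resolution over a lockfile v2/v3 `packages` map and reports every path that lands on a luxon inside the range the report names (1.0.0 - 1.28.1, GHSA-3xq5-wjfh-ppjc). The lockfile object is constructed inline to mirror the tree in the report; the `cron` and `@nestjs/schedule` version numbers in it are illustrative assumptions, not taken from the page. Check the advisory itself for the currently listed affected and patched ranges before relying on the constant here.

```javascript
// Added example (not from the nestjs/schedule issue or the project): walk an npm
// lockfile (v2/v3 "packages" map) and list every resolution path that ends in a
// luxon version inside the range flagged by the audit report (1.0.0 - 1.28.1,
// GHSA-3xq5-wjfh-ppjc). Versions for cron/@nestjs/schedule below are assumptions.

const VULN_RANGE = { min: '1.0.0', max: '1.28.1' }; // inclusive, as printed by npm audit

function parseVersion(v) {
  // "1.28.1" -> [1, 28, 1]; prerelease/build suffixes are not handled here
  return v.split('-')[0].split('.').map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableLuxon(version) {
  return compareVersions(version, VULN_RANGE.min) >= 0 &&
         compareVersions(version, VULN_RANGE.max) <= 0;
}

// Node's resolution rule, which lockfile keys mirror as on-disk paths: a package
// installed at `fromPath` requiring `dep` gets `<fromPath>/node_modules/<dep>` if
// present, otherwise the nearest ancestor node_modules that contains it.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base === '' ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (candidate in packages) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root package (key ''). Returns one string per path
// that resolves to a vulnerable luxon, e.g. "cron@2.1.0 > luxon@1.28.0 (node_modules/luxon)".
// Declared ranges (^1.0.0 etc.) are ignored on purpose: what matters is what is installed.
function findVulnerableLuxonPaths(lockfile) {
  const packages = lockfile.packages;
  const results = [];
  const walk = (path, chain, seen) => {
    const pkg = packages[path];
    if (!pkg || seen.has(path)) return; // missing entry or dependency cycle
    const nextSeen = new Set(seen).add(path);
    // devDependencies are only installed for the root project
    const deps = Object.keys(pkg.dependencies || {})
      .concat(path === '' ? Object.keys(pkg.devDependencies || {}) : []);
    for (const dep of deps) {
      const resolved = resolveDep(packages, path, dep);
      if (!resolved) continue;
      const version = packages[resolved].version;
      const link = `${dep}@${version}`;
      if (dep === 'luxon') {
        if (isVulnerableLuxon(version)) results.push(`${[...chain, link].join(' > ')} (${resolved})`);
        continue;
      }
      walk(resolved, [...chain, link], nextSeen);
    }
  };
  walk('', [], new Set());
  return results;
}

// Constructed lockfile mirroring the tree in the audit report: two cron copies,
// one luxon. Version numbers other than luxon's range are illustrative assumptions.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@nestjs/schedule': '^2.1.0', cron: '^2.1.0' } },
    'node_modules/@nestjs/schedule': { version: '2.1.0', dependencies: { cron: '2.0.0' } },
    'node_modules/@nestjs/schedule/node_modules/cron': { version: '2.0.0', dependencies: { luxon: '^1.0.0' } },
    'node_modules/cron': { version: '2.1.0', dependencies: { luxon: '^1.0.0' } },
    'node_modules/luxon': { version: '1.28.0' },
  },
};

for (const p of findVulnerableLuxonPaths(lockfile)) console.log(p);
```

Against a real project, replace the constructed object with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; lockfile v1 files use a nested `dependencies` tree instead of the flat `packages` map and are not handled by this walker. The same traversal is what `npm audit fix --force` reasons over when it proposes downgrading `cron` to 1.8.2: the only way to drop the vulnerable luxon without a newer `cron` is to pick a `cron` that predates the luxon dependency, which is the breaking change the report warns about.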
jitbasemartin commented

cron v2.2.0 uses the last version of luxon now: kelektiv/node-cron#646

micalevisk (Member) commented

so it's just a matter of merging #983

kamilmysliwiec (Member) commented

let's track this here #983
