Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

High severity vulnerability reported due to dependency on decompress #731

Closed
jimmyandrade opened this issue Feb 29, 2020 · 4 comments
Closed

High severity vulnerability reported due to dependency on decompress #731

jimmyandrade opened this issue Feb 29, 2020 · 4 comments
Labels
status: stale type: security code to address security issues

Comments

@jimmyandrade
Copy link

jimmyandrade commented Feb 29, 2020
edited
Loading

It's a security vulnerability problem.

- What is the current behavior?
Given you installed netlify-cli as a dependency
When you run npm audit
Then you find the following:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ netlify-cli                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ netlify-cli > gh-release-fetch > download > decompress       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

- What is the expected behavior?
No severity vulnerabilities should be found.

- If the current behavior is a bug, please provide the steps to reproduce.

  1. Create a directory and run npm init;
  2. Install netlify-cli with npm install --save-dev netlify-cli;
  3. Run npm audit.

- Local Environment Information

netlify-cli/2.11.23 darwin-x64 node-v12.16.0

PS.: I checked if there were not have any duplicates already open.
@jimmyandrade jimmyandrade changed the title High severity vulnerability because of decompress High severity vulnerability reported due to dependency on decompress Feb 29, 2020
@erquhart
Copy link
Contributor

@jimmyandrade can you update to the latest cli and check again? Latest release is 2.36.0.

Sent with GitHawk

@RaeesBhatti
Copy link
Contributor

I can confirm this issue with the latest version. The root issue is being discussed here: kevva/decompress#71
Maybe we can make some changes in gh-release-fetch in the meantime.

@glasnt glasnt mentioned this issue Mar 17, 2020
Merged
@erezrokah erezrokah added type: security code to address security issues status: stale labels Aug 20, 2020
@erezrokah
Copy link
Contributor

Verified with v2.59.1 and this is no longer an issue.
Please comment if you find it otherwise.

@jimmyandrade
Copy link
Author

jimmyandrade commented Aug 20, 2020
edited
Loading

@erquhart and @erezrokah thank you all 😄

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: stale type: security code to address security issues
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@erquhart @jimmyandrade @RaeesBhatti @erezrokah