cli/package-lock.json forces insecure minimatch 3.0.4 #1696

Closed
davidcopp opened this issue Mar 4, 2022 · 2 comments · Fixed by #1704

davidcopp commented Mar 4, 2022

protobuf.js version: 6.11.2

Upon installing the package, the cli subpackage brings in (via transitive dep) minimatch 3.0.4. This version has been flagged with a security vulnerability. A version 3.0.5 (or higher) resolves the vulnerability, but cannot be installed via npm update due to cli/package-lock.json.

At this time the latest 3.x version is minimatch 3.1.2.

  • Vulnerability reported by JFrog Xray: XRAY-198521
  • Vulnerable Component: minimatch:3.0.4
  • Severity: High
  • CVSS Score: 4.3 (v2), 7.5 (v3)
  • Fix version: 3.0.5
  • Summary: minimatch minimatch.js braceExpand() Function Improper Regular Expression DoS
  • Description: minimatch contains a flaw in the braceExpand() function in minimatch.js that is triggered as an improper regular expression is used to match patterns for brace expansion. This may allow a context-dependent attacker to hang or slow down a Node process using the library.

# in a dummy 't' project where protobufjs is the only installed package...

$ npm ls minimatch
t@1.0.0 (...omitted path...)/t
└── (empty)

$ cd node_modules/protobufjs/cli
$ npm ls minimatch
cli@6.9.0 (...omitted path...)/t/node_modules/protobufjs/cli
└─┬ tmp@0.2.1
  └─┬ rimraf@3.0.2
    └─┬ glob@7.1.6
      └── minimatch@3.0.4
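The `npm ls minimatch` transcript above finds the stale copy by hand. The script below is an added example, not code from this issue or from the protobuf.js project: it walks a package-lock.json and reports every installed copy of a package that resolves below the fix version, so the same check can fail a CI job. It handles both lockfile layouts (lockfileVersion 1 nests `dependencies` objects; lockfileVersion 2 and 3 key `packages` by node_modules path). The two lockfile objects inside it are constructed for the example; the first mirrors the tree in the transcript, nested rather than hoisted so the reported path reads like the `npm ls` output.

```javascript
// Added example (not from the protobuf.js issue or project): find every copy
// of a package in a package-lock.json that is below a given fix version.

// Compare only the numeric major.minor.patch triple. Pre-release and build
// suffixes are dropped, which is enough for a "below the fix version" check.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
}

function versionLess(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Returns [{ path, version }] for each installed copy of `name` whose version
// is below `minVersion`. `path` is the node_modules nesting chain, so a stale
// copy hidden under another package is reported separately from a fixed
// top-level one.
function findBelow(lock, name, minVersion) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: "node_modules/glob/node_modules/minimatch" -> ["glob", "minimatch"]
    for (const [key, pkg] of Object.entries(lock.packages)) {
      if (key === "" || !pkg.version) continue; // "" is the root project entry
      const chain = key
        .split("node_modules/")
        .filter(Boolean)
        .map((s) => s.replace(/\/$/, ""));
      if (chain[chain.length - 1] === name && versionLess(pkg.version, minVersion)) {
        hits.push({ path: chain.join(" > "), version: pkg.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: physical nesting is expressed by nested "dependencies".
  const walk = (deps, chain) => {
    for (const [depName, dep] of Object.entries(deps || {})) {
      const here = chain.concat(depName);
      if (depName === name && versionLess(dep.version, minVersion)) {
        hits.push({ path: here.join(" > "), version: dep.version });
      }
      walk(dep.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed lockfileVersion 1 fragment mirroring the `npm ls` tree in the
// issue (tmp -> rimraf -> glob -> minimatch 3.0.4).
const LOCK_V1 = {
  name: "cli", version: "6.9.0", lockfileVersion: 1,
  dependencies: {
    tmp: { version: "0.2.1", dependencies: {
      rimraf: { version: "3.0.2", dependencies: {
        glob: { version: "7.1.6", dependencies: {
          minimatch: { version: "3.0.4" },
        } },
      } },
    } },
  },
};

// Constructed lockfileVersion 2 fragment: a fixed top-level minimatch plus a
// stale nested copy that bumping the top-level entry alone would not reach.
const LOCK_V2 = {
  name: "t", version: "1.0.0", lockfileVersion: 2,
  packages: {
    "": { name: "t", version: "1.0.0" },
    "node_modules/minimatch": { version: "3.1.2" },
    "node_modules/glob": { version: "7.1.6" },
    "node_modules/glob/node_modules/minimatch": { version: "3.0.4" },
  },
};

// One report line per stale copy, across both constructed lockfiles.
function report(name, minVersion) {
  const lines = [];
  for (const [label, lock] of [["v1", LOCK_V1], ["v2", LOCK_V2]]) {
    for (const h of findBelow(lock, name, minVersion)) {
      lines.push(`${label}: ${h.path} is ${h.version} (< ${minVersion})`);
    }
  }
  return lines;
}

console.log(report("minimatch", "3.0.5").join("\n"));
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))` and exit non-zero when `findBelow` returns anything. For a project's own lockfile, the `overrides` field in package.json (npm 8.3 and later) forces every copy of a package to a chosen range; a lockfile vendored inside a dependency, as with cli/package-lock.json here, is outside the consumer's control and needs the upstream fix.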
richgerrard added a commit to richgerrard/protobuf.js that referenced this issue Mar 31, 2022
If I follow this, glob packages minimatch. Minimatch released a fix, glob also has a newer build, picking this up should pick up that.
Fixes protobufjs#1696
Fixes protobufjs#1697
Fixes protobufjs#1698
hi-artem commented May 4, 2022

Maintainers, any update on this?

alexander-fenster added a commit that referenced this issue May 20, 2022
* Patch minimatch vulnerability

If I follow this, glob packages minimatch. Minimatch released a fix, glob also has a newer build, picking this up should pick up that.
Fixes #1696
Fixes #1697
Fixes #1698

* chore: update lockfile

Co-authored-by: Alexander Fenster <fenster@google.com>
@perez-rob
I just got flagged that one of my repos had this and now I can't see that repo anymore. Does GH delete repos with such vulnerabilities?
