
Backport security fixes to version 2.x #134

Closed
apepper opened this issue Jun 11, 2021 · 3 comments

Comments

@apepper

apepper commented Jun 11, 2021

Hi there.

First of all thank you for your package. I was actually not aware of using it, but thanks to the power of npm I actually do.

I noticed that I'll get an npm audit warning which points to https://www.npmjs.com/advisories/1755.

As far as I understand there are already bugfix releases of version 4, 5 and 6 available, which is awesome.

Would it be possible to also do a bugfix release of version 2? Npm audit shows me the following chain:

normalize-url  <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via `npm audit fix --force`
Will install karma-sauce-launcher@4.1.4, which is a breaking change
node_modules/download/node_modules/normalize-url
  cacheable-request  0.1.0 - 6.0.0
  Depends on vulnerable versions of normalize-url
  node_modules/download/node_modules/cacheable-request
    got  8.0.0 - 9.5.0
    Depends on vulnerable versions of cacheable-request
    node_modules/download/node_modules/got
      download  >=7.0.0
      Depends on vulnerable versions of got
      node_modules/download
        bin-wrapper  2.1.2 || >=4.0.0
        Depends on vulnerable versions of download
        node_modules/bin-wrapper
          saucelabs  >=4.1.0
          Depends on vulnerable versions of bin-wrapper
          node_modules/saucelabs
            karma-sauce-launcher  >=4.1.5
            Depends on vulnerable versions of saucelabs
            node_modules/karma-sauce-launcher

E.g. https://www.npmjs.com/package/bin-wrapper is a highly used package (~ 1 million installs a week) but likely no longer updated (last update three years ago). This package indirectly relies on normalize-url version 2.

@sindresorhus
Owner

Versions below 4.3.0 are not affected by this. I have asked them to update the CVE.

The vulnerable feature was released in v4.4.0: https://github.com/sindresorhus/normalize-url/releases/tag/v4.4.0
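The two replies above disagree on how wide the affected range really is: npm audit flags `<=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0`, while the maintainer points at v4.4.0 as the release that introduced the vulnerable feature. The script below is an added example (not code from this issue or from the normalize-url project): it walks a package-lock.json `packages` map, lists every installed copy of normalize-url, and reports whether each one is inside the advisory range and inside the narrower range that starts at 4.4.0. The 4.4.0 lower bound is an assumption taken from the release link above, and the lockfile is constructed sample data.

```javascript
// Added example: classify every installed normalize-url copy in a lockfile
// against the npm audit advisory range and a narrowed range starting at v4.4.0.
// Assumption: the 4.4.0 lower bound (from the maintainer's release link).

function parseVersion(v) {
  return v.split('.').map(Number);          // "4.5.0" -> [4, 5, 0]
}

function compare(a, b) {                    // <0 if a<b, 0 if equal, >0 if a>b
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Inclusive [low, high] intervals; a null low bound means "any lower version".
const ADVISORY_RANGES = [[null, '4.5.0'], ['5.0.0', '5.3.0'], ['6.0.0', '6.0.0']];
const NARROWED_RANGES = [['4.4.0', '4.5.0'], ['5.0.0', '5.3.0'], ['6.0.0', '6.0.0']];

function inRanges(version, ranges) {
  return ranges.some(([lo, hi]) =>
    (lo === null || compare(version, lo) >= 0) && compare(version, hi) <= 0);
}

// Walk a lockfileVersion 2/3 "packages" map and classify each normalize-url copy.
function auditNormalizeUrl(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/normalize-url')) continue;
    findings.push({
      path,
      version: meta.version,
      flaggedByAdvisory: inRanges(meta.version, ADVISORY_RANGES),
      affectedNarrowed: inRanges(meta.version, NARROWED_RANGES),
    });
  }
  return findings;
}

// Constructed sample lockfile mirroring the chain in the issue: a v2 copy nested
// under download, plus a top-level 4.5.0 copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/normalize-url': { version: '4.5.0' },
    'node_modules/download/node_modules/normalize-url': { version: '2.0.1' },
  },
};

for (const f of auditNormalizeUrl(SAMPLE_LOCK)) console.log(f);
```

Against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a copy that is flagged by the advisory but not by the narrowed range is the case this issue is about.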

@apepper
Author

apepper commented Jun 14, 2021

@sindresorhus Awesome. Thank you for the additional information!

@apepper apepper closed this as completed Jun 14, 2021
@apepper
Author

apepper commented Jun 14, 2021

Could you also contact https://snyk.io/vuln/SNYK-JS-NORMALIZEURL-1296539 ? I think that is currently the source for npm audit. I already heard other open source developers just do that (see mafintosh/multicast-dns#75 (comment)).
