
Security fix for vulnerability in semver #7040

Closed
1EDExg0ffyXfTEqdIUAYNZGnCeajIxMWd2vaQeP opened this issue Jul 4, 2023 · 1 comment · Fixed by #7043
Labels
status: wip is being worked on by someone type: security a security problem

Comments

@1EDExg0ffyXfTEqdIUAYNZGnCeajIxMWd2vaQeP

What minimal example or steps are needed to reproduce the bug?

npm install stylelint@15.9.0

added 176 packages, and audited 177 packages in 8s

33 packages are looking for funding
  run `npm fund` for details

6 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

Running npm audit:

# npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install stylelint@7.13.0, which is a breaking change
node_modules/read-pkg/node_modules/semver
  normalize-package-data  <=2.5.0
  Depends on vulnerable versions of semver
  node_modules/read-pkg/node_modules/normalize-package-data
    read-pkg  <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/read-pkg
      read-pkg-up  <=7.0.1
      Depends on vulnerable versions of read-pkg
      node_modules/read-pkg-up
        meow  3.4.0 - 9.0.0
        Depends on vulnerable versions of read-pkg-up
        node_modules/meow
          stylelint  >=8.0.0
          Depends on vulnerable versions of meow
          node_modules/stylelint

6 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

What minimal configuration is needed to reproduce the bug?

N/A

How did you run Stylelint?

I don't

Which Stylelint-related dependencies are you using?

stylelint@15.9.0

What did you expect to happen?

no vulnerabilities

What actually happened?

npm install outputs

Do you have a proposal to fix the bug?

Possibly update meow to version 10 or later, which removed the vulnerable version of semver from the dependency tree.

@Mouvedia Mouvedia added pr: blocked is blocked by another issue or pr status: blocked is blocked by another issue or pr labels Jul 4, 2023
@Mouvedia
Contributor

Mouvedia commented Jul 4, 2023

blocked for the same reason as #5042
see #5042 (comment)

@jeddy3 jeddy3 added status: needs discussion triage needs further discussion and removed status: blocked is blocked by another issue or pr pr: blocked is blocked by another issue or pr labels Jul 4, 2023
@jeddy3 jeddy3 changed the title security vulnerability in semver Security fix for vulnerability in semver Jul 4, 2023
@jeddy3 jeddy3 added status: wip is being worked on by someone type: security a security problem and removed status: needs discussion triage needs further discussion labels Jul 4, 2023