
update prod packages with CVE vulnerabilities #95

Merged: 1 commit, Nov 29, 2023

Conversation

dfrankland
Contributor

I was using trunk check on my own repo and noticed some moderately severe vulnerabilities with the dependencies of @vercel/fun:

  ISSUES

pnpm-lock.yaml:175:0
  175:0  medium  Vulnerability in 'debug': nodejs-debug: Regular expression Denial of Service. Current version is vulnerable: 4.1.1. Patch available: upgrade to 2.6.9, 3.1.0, 3.2.7, 4.3.1   trivy/CVE-2017-16137
 3517:0  medium  Vulnerability in 'semver': Regular expression denial of service. Current version is vulnerable: 7.3.5. Patch available: upgrade to 7.5.2, 6.3.1, 5.7.2 or higher.            trivy/CVE-2022-25883

You can find these with pnpm audit --prod too

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ semver vulnerable to Regular Expression Denial of      │
│                     │ Service                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ semver                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=7.0.0 <7.5.2                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │                                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Regular Expression Denial of Service in debug          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ debug                                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <4.3.1                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.3.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │                                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-gxpj-cx7g-858c      │
└─────────────────────┴────────────────────────────────────────────────────────┘
2 vulnerabilities found
Severity: 2 moderate
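As an added example (not code from this PR or from the @vercel/fun project), the two advisory ranges printed by pnpm audit above can be checked offline against a lockfile. It assumes a constructed pnpm lockfile v6 fragment with "/name@version:" package keys and only the simple `>=x <y` range syntax the audit output uses.

```javascript
// Added example (not code from the PR or the @vercel/fun project). Assumes a
// pnpm lockfile v6 layout whose package keys look like "/name@version:".

// Vulnerable ranges exactly as listed in the pnpm audit output in this PR.
const ADVISORIES = [
  { pkg: 'semver', vulnerable: '>=7.0.0 <7.5.2', id: 'GHSA-c2qf-rxjj-qqgw' },
  { pkg: 'debug', vulnerable: '>=4.0.0 <4.3.1', id: 'GHSA-gxpj-cx7g-858c' },
];

// Constructed lockfile fragment, not the project's real pnpm-lock.yaml.
const SAMPLE_LOCK = `lockfileVersion: '6.0'
packages:
  /debug@4.1.1:
    resolution: {integrity: sha512-constructed}
  /semver@7.3.5:
    resolution: {integrity: sha512-constructed}
  /semver@7.5.4:
    resolution: {integrity: sha512-constructed}
  /@vercel/fun@1.1.0:
    resolution: {integrity: sha512-constructed}
`;

// "x.y.z" -> [x, y, z]; prerelease/build tags are ignored for this check.
const parseVersion = (v) => v.split(/[-+]/)[0].split('.').map(Number);
// Negative, zero or positive like strcmp, comparing major, minor, patch in turn.
const compare = (a, b) => [0, 1, 2].reduce((d, i) => d || (a[i] || 0) - (b[i] || 0), 0);
const OPS = { '>=': (c) => c >= 0, '<=': (c) => c <= 0, '>': (c) => c > 0, '<': (c) => c < 0, '=': (c) => c === 0 };

// Evaluate a space-separated range such as ">=7.0.0 <7.5.2" (every clause must hold).
function inRange(version, range) {
  const v = parseVersion(version);
  return range.split(/\s+/).every((clause) => {
    const m = clause.match(/^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/);
    if (!m) throw new Error(`unsupported clause: ${clause}`);
    return OPS[m[1] || '='](compare(v, parseVersion(m[2])));
  });
}

// Pull (name, version) pairs out of the lockfile's package keys.
function lockedPackages(lockText) {
  const re = /^  \/((?:@[^/\s]+\/)?[^@\s]+)@([^:\s(]+)/gm;
  return [...lockText.matchAll(re)].map((m) => ({ name: m[1], version: m[2] }));
}

// Report every locked package whose version falls inside a known-vulnerable range.
function findVulnerable(lockText) {
  return lockedPackages(lockText).flatMap((p) =>
    ADVISORIES.filter((a) => a.pkg === p.name && inRange(p.version, a.vulnerable))
      .map((a) => ({ name: p.name, version: p.version, advisory: a.id })));
}
```

Running `findVulnerable` on the sample flags debug@4.1.1 and semver@7.3.5 while leaving semver@7.5.4 alone, which matches the patched-version boundaries in the audit tables.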

@orca-security-us orca-security-us bot left a comment

Orca Security Scan Summary

Status: Passed | Check: Secrets | Issues by priority: high 0, medium 0, low 0, info 0

@roopakv

roopakv commented Oct 10, 2023

@cb1kenobi any chance you could take a look and maybe merge + publish a new version :)

Contributor

@cb1kenobi cb1kenobi left a comment

This looks good! Thank you very much for contributing this fix!

@cb1kenobi cb1kenobi merged commit 7f2627c into vercel:main Nov 29, 2023
3 checks passed

🎉 This PR is included in version 1.1.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
