A vulnerability in your package #1307
Comments
|
How can I pull a request to yeoman-generator's v4.13.* branch to fix this issue? Thanks again. |
|
That’s not so easy. The easy fix would be to get it fixed in glob-parent. |
|
@mshima Thanks for your answer. Since yeoman-generator@4.13.0 is a popular package (154,090 downloads per week), lots of downstream projects got the vulnerability reports every build. Not need to upgrade to mem-fs-editor@8.0.0. A feasible solution is Because mem-fs-editor@7.0.0 transitively depends on glob-parent@5.1.2 (a vulnerability CVE-2020-28469 patched version). Then this vulnerability patch will be automatically propagated into a large amount of downstream projects via yeoman-generator@4.13.1. Thanks again. |
|
That breaks windows support. |
|
@mshima I see. Thanks for your feedback. |
|
Closing. |
Hi ,@SBoudrias , @mshima, I’d like to report a vulnerability issue in yeoman-generator:
Issue Description
A vulnerability CVE-2020-28469 detected in package glob-parent (<5.1.2) is transitively referenced by yeoman-generator 4.13.0. We noticed that such a vulnerability has been removed since yeoman-generator 5.0.0-beta.1.
However, yeoman-generator's popular previous version yeoman-generator@4.13.0 (154,090 downloads per week) is still transitively referenced by a large amount of latest versions of active and popular downstream projects (about 1,289 downstream projects, e.g., @webpack-cli/webpack-scaffold 1.0.3, generator-feathers 4.4.0, @feathersjs/cli 4.5.0, @department-of-veterans-affairs/generator-vets-website 3.5.1, generator-license 5.5.0, @abhishek-ktsu/generator-koa@1.0.2, @alfheim/cli@0.2.9, @c6o/cli@0.2.5, etc.).
As such, issue CVE-2020-28469 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade yeoman-generator from version _ 4.13.0_ to 5.*.* . For instance, yeoman-generator 4.13.0 is introduced into the above projects via the following package dependency paths:
(1)
@abhishek-ktsu/generator-koa@1.0.2 ➔ extended-yo-generator@1.0.13 ➔ yeoman-generator@4.13.0 ➔ mem-fs-editor@7.1.0 ➔ globby@9.2.0 ➔ fast-glob@2.2.7 ➔ glob-parent@3.1.0(2)
@alfheim/cli@0.2.9 ➔ @alfheim/generator-nef-component@0.4.5 ➔ @alfheim/generator-nef-index@0.3.3 ➔ yeoman-generator@4.13.0 ➔ mem-fs-editor@7.1.0 ➔ globby@9.2.0 ➔ fast-glob@2.2.7 ➔ glob-parent@3.1.0(3)
@c6o/cli@0.2.5 ➔ generator-codezero-provisioner@0.0.8 ➔ generator-node@2.8.0 ➔ generator-jest@1.8.0 ➔ yeoman-generator@4.13.0 ➔ mem-fs-editor@7.1.0 ➔ globby@9.2.0 ➔ fast-glob@2.2.7 ➔ glob-parent@3.1.0......
The projects such as extended-yo-generator, @alfheim/generator-nef-index and generator-jest etc. which introduced yeoman-generator@4.13.0, are not maintained anymore. These unmaintained packages can neither upgrade yeoman-generator nor be easily migrated by the large amount of affected downstream projects.
On behalf the downstream users, could you help us remove the vulnerability from package yeoman-generator@4.13.0?
Sorry for the inconvenience caused.
Suggested Solution
Since these unactive projects set a version constaint ~4.13.* for yeoman-generator on the above vulnerable dependency paths, if yeoman-generator removes the vulnerability from 4.13.0 and releases a new patched version yeoman-generator@4.13.1,
such a vulnerability patch can be automatically propagated into the 1,289 affected downstream projects.
In yeoman-generator@4.13.1, you can kindly try to perform the following upgrade:
mem-fs-editor ^7.0.1 ➔ 7.0.0;Note:
mem-fs-editor@7.0.0 transitively depends on glob-parent@5.1.2 (a vulnerability CVE-2020-28469 patched version)
Thanks again for your contributions.
Sincerely yours,
Paimon
The text was updated successfully, but these errors were encountered: