A vulnerability in your package #1307
Comments
How can I open a pull request against yeoman-generator's v4.13.* branch to fix this issue? Thanks again.
That's not so easy. The easy fix would be to get it fixed in glob-parent.
@mshima Thanks for your answer. Since yeoman-generator@4.13.0 is a popular package (154,090 downloads per week), lots of downstream projects get vulnerability reports on every build. There is no need to upgrade to mem-fs-editor@8.0.0; a feasible solution is mem-fs-editor@7.0.0, because mem-fs-editor@7.0.0 transitively depends on glob-parent@5.1.2 (a version patched against CVE-2020-28469). The vulnerability patch would then be automatically propagated into a large number of downstream projects via yeoman-generator@4.13.1. Thanks again.
That breaks Windows support.
@mshima I see. Thanks for your feedback.
Closing.
Hi @SBoudrias, @mshima, I'd like to report a vulnerability issue in yeoman-generator:
Issue Description
A vulnerability, CVE-2020-28469, detected in package glob-parent (<5.1.2) is transitively referenced by yeoman-generator 4.13.0. We noticed that this vulnerability has been removed since yeoman-generator 5.0.0-beta.1.
However, yeoman-generator's popular previous version yeoman-generator@4.13.0 (154,090 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 1,289 downstream projects, e.g., @webpack-cli/webpack-scaffold 1.0.3, generator-feathers 4.4.0, @feathersjs/cli 4.5.0, @department-of-veterans-affairs/generator-vets-website 3.5.1, generator-license 5.5.0, @abhishek-ktsu/generator-koa@1.0.2, @alfheim/cli@0.2.9, @c6o/cli@0.2.5, etc.).
As such, CVE-2020-28469 can propagate into these downstream projects and expose them to security threats.
These projects cannot easily upgrade yeoman-generator from version 4.13.0 to 5.*.*. For instance, yeoman-generator 4.13.0 is introduced into the above projects via the following package dependency paths:
(1) @abhishek-ktsu/generator-koa@1.0.2 ➔ extended-yo-generator@1.0.13 ➔ yeoman-generator@4.13.0 ➔ mem-fs-editor@7.1.0 ➔ globby@9.2.0 ➔ fast-glob@2.2.7 ➔ glob-parent@3.1.0
(2) @alfheim/cli@0.2.9 ➔ @alfheim/generator-nef-component@0.4.5 ➔ @alfheim/generator-nef-index@0.3.3 ➔ yeoman-generator@4.13.0 ➔ mem-fs-editor@7.1.0 ➔ globby@9.2.0 ➔ fast-glob@2.2.7 ➔ glob-parent@3.1.0
(3) @c6o/cli@0.2.5 ➔ generator-codezero-provisioner@0.0.8 ➔ generator-node@2.8.0 ➔ generator-jest@1.8.0 ➔ yeoman-generator@4.13.0 ➔ mem-fs-editor@7.1.0 ➔ globby@9.2.0 ➔ fast-glob@2.2.7 ➔ glob-parent@3.1.0
...
Projects such as extended-yo-generator, @alfheim/generator-nef-index and generator-jest, which introduced yeoman-generator@4.13.0, are not maintained anymore. These unmaintained packages can neither upgrade yeoman-generator nor be easily migrated away from by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package yeoman-generator@4.13.0?
Sorry for the inconvenience caused.
Suggested Solution
Since these inactive projects set a version constraint of ~4.13.* for yeoman-generator on the above vulnerable dependency paths, if yeoman-generator removes the vulnerability from 4.13.0 and releases a new patched version yeoman-generator@4.13.1, the vulnerability patch can be automatically propagated into the 1,289 affected downstream projects.
In yeoman-generator@4.13.1, you can kindly try to perform the following upgrade:
mem-fs-editor ^7.0.1 ➔ 7.0.0
Note: mem-fs-editor@7.0.0 transitively depends on glob-parent@5.1.2 (a version patched against CVE-2020-28469).
Thanks again for your contributions.
Sincerely yours,
Paimon
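As an added example (not part of the issue or of the yeoman-generator project), the following Node script shows how a downstream maintainer can locate every dependency path that ends in glob-parent below 5.1.2 and check that a `~4.13.x` constraint would indeed pick up a patched 4.13.1 release. The tree shape assumes the `{ version, dependencies }` layout of `npm ls --json`; the sample tree is constructed from dependency path (1) above, and `other-tool` is a hypothetical package name.

```javascript
// Added example: find dependency paths ending in glob-parent < 5.1.2
// (CVE-2020-28469) and evaluate tilde version constraints such as ~4.13.0.
const VULN_PKG = 'glob-parent';
const FIXED_VERSION = '5.1.2'; // first glob-parent release carrying the fix

// Compare dotted numeric versions, returning -1, 0 or 1 (no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerable(name, version) {
  return name === VULN_PKG && compareVersions(version, FIXED_VERSION) < 0;
}

// Tilde ranges pin major.minor and accept any patch level >= the given one,
// which is why a 4.13.1 release reaches consumers constrained to ~4.13.0.
function satisfiesTilde(range, version) {
  const [maj, min, pat] = range.replace(/^~/, '').split('.').map(Number);
  const [vMaj, vMin, vPat] = version.split('.').map(Number);
  return vMaj === maj && vMin === min && vPat >= (pat || 0);
}

// Depth-first walk over an `npm ls --json`-shaped tree; each hit is returned
// as "root@v -> dep@v -> ... -> glob-parent@v".
function findVulnerablePaths(rootName, tree) {
  const found = [];
  const walk = (name, node, trail) => {
    const path = [...trail, `${name}@${node.version}`];
    if (isVulnerable(name, node.version)) found.push(path.join(' -> '));
    for (const [dep, child] of Object.entries(node.dependencies || {})) walk(dep, child, path);
  };
  walk(rootName, tree, []);
  return found;
}

// Constructed sample tree: dependency path (1) from the issue, plus a
// hypothetical sibling ("other-tool") already on the patched glob-parent.
const SAMPLE_TREE = { version: '1.0.2', dependencies: {
  'extended-yo-generator': { version: '1.0.13', dependencies: {
    'yeoman-generator': { version: '4.13.0', dependencies: {
      'mem-fs-editor': { version: '7.1.0', dependencies: {
        globby: { version: '9.2.0', dependencies: {
          'fast-glob': { version: '2.2.7', dependencies: {
            'glob-parent': { version: '3.1.0' } } } } } } } } } } },
  'other-tool': { version: '1.0.0', dependencies: { 'glob-parent': { version: '5.1.2' } } },
} };

console.log(findVulnerablePaths('@abhishek-ktsu/generator-koa', SAMPLE_TREE));
```

On a real project, feed the script the parsed output of `npm ls --all --json` instead of `SAMPLE_TREE`; only the one path through mem-fs-editor@7.1.0 is reported, while the branch already on glob-parent@5.1.2 is silent.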