Skip to content

npm-run-all is reported as having a moderate severity vulnerabilty #257

New issue
New issue
Open
#258
Open
npm-run-all is reported as having a moderate severity vulnerabilty#257
#258
@mind-bending-forks

Description

@mind-bending-forks
mind-bending-forks
opened on Jun 23, 2023

As of today (23 June 2023), running npm audit on a project that uses npm-run-all results in the following audit report:

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install npm-run-all@4.1.2, which is a breaking change
node_modules/semver
  cross-spawn  6.0.0 - 6.0.5
  Depends on vulnerable versions of semver
  node_modules/cross-spawn
    npm-run-all  >=1.8.0
    Depends on vulnerable versions of cross-spawn
    Depends on vulnerable versions of read-pkg
    node_modules/npm-run-all
  normalize-package-data  <=2.5.0
  Depends on vulnerable versions of semver
  node_modules/normalize-package-data
    read-pkg  <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/read-pkg

The vulnerability is arising from npm-run-all's dependency on the semver package, which is reported as being vulnerable to Regular Expression Denial of Service: GHSA-c2qf-rxjj-qqgw

Trying npm audit fix --force does not work, at least not for me.

A fix for semver is available: https://github.com/npm/node-semver/releases/tag/v7.5.3

Please update npm-run-all's dependency tree to address this vulnerability.

Activity

paulcdejean
linked a pull request that will close this issue on Jun 25, 2023
jamesst20

jamesst20 commented on Jun 26, 2023

@jamesst20
jamesst20
on Jun 26, 2023

You may want to check https://github.com/bcomnes/npm-run-all2 which is a newer, up to date fork.

langthiennhai

langthiennhai commented on Jul 3, 2023

@langthiennhai
langthiennhai
on Jul 3, 2023

You may want to check https://github.com/bcomnes/npm-run-all2 which is a newer, up to date fork.

npm-run-all2 also gives the same error npm-run-all

jamesst20

jamesst20 commented on Jul 4, 2023

@jamesst20
jamesst20
on Jul 4, 2023

You may want to check https://github.com/bcomnes/npm-run-all2 which is a newer, up to date fork.

npm-run-all2 also gives the same error npm-run-all

Install only one at the time. Install npm-run-all2 and run the command without the number 2

langthiennhai

langthiennhai commented on Jul 4, 2023

@langthiennhai
langthiennhai
on Jul 4, 2023

You may want to check https://github.com/bcomnes/npm-run-all2 which is a newer, up to date fork.

npm-run-all2 also gives the same error npm-run-all

Install only one at the time. Install npm-run-all2 and run the command without the number 2

run npm-run-all2 with no errors. But there is an audit error

npm audit report
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/eslint-plugin-import/node_modules/semver
node_modules/semver
eslint-plugin-import >=2.27.4
Depends on vulnerable versions of semver
node_modules/eslint-plugin-import
normalize-package-data <=2.5.0
Depends on vulnerable versions of semver
node_modules/normalize-package-data
read-pkg <=5.2.0
Depends on vulnerable versions of normalize-package-data
node_modules/read-pkg
npm-run-all2 *
Depends on vulnerable versions of read-pkg
node_modules/npm-run-all2

tksst
mentioned this on Jan 4, 2024
OndraM
mentioned this on Aug 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @jamesst20@langthiennhai@mind-bending-forks

      Issue actions
        npm-run-all is reported as having a moderate severity vulnerabilty · Issue #257 · mysticatea/npm-run-all