Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix for CVE-2022-25883 #136

Merged
merged 2 commits into from
Jun 23, 2023
Merged

Fix for CVE-2022-25883 #136

merged 2 commits into from
Jun 23, 2023

Conversation

frankhinek
Copy link
Contributor

This PR is primarily to address:

  • CVE-2022-25883 - semver vulnerable to Regular Expression Denial of Service

which surfaced in this PR.

npm audit fix proposed solution is to downgrade to c8 v5.0.2 released on June 23, 2019:

❯ npm audit
# npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install c8@5.0.2, which is a breaking change
node_modules/make-dir/node_modules/semver
node_modules/semver
  make-dir  2.0.0 - 3.1.0
  Depends on vulnerable versions of semver
  node_modules/make-dir
    istanbul-lib-report  >=2.0.5
    Depends on vulnerable versions of make-dir
    node_modules/istanbul-lib-report
      c8  >=5.0.3
      Depends on vulnerable versions of istanbul-lib-report
      Depends on vulnerable versions of istanbul-reports
      node_modules/c8
      istanbul-reports  >=3.0.0-alpha.0
      Depends on vulnerable versions of istanbul-lib-report
      node_modules/istanbul-reports

5 moderate severity vulnerabilities

An attempt was made to manually override the version of semver to v7.5.3 which fixes the vulnerability but due to apparent bugs in npm's overrides feature, it ignores the specified overrides. Over a dozen additional permutations were attempted to override the c8 dependencies that introduce this vulnerability (instanbul-lib-report, make-dir), but those overrides were ignored by npm as well. While not this specific issue, there are multiple reported bugs (4942, 4834, 5850) with NPM's overrides feature which have not been addressed in over a year.

Given that the issue will continue to block future PRs due to the failing security audit and lack of certainty about when NPM overrides will work properly, the workaround was to patch package-lock.json until new versions of the c8 and instanbul-lib-report are published. The semver and make-dir projects were patched in the past 48 hours.

Issue #135 was created to track when we can stop manually patching package-lock.json.

This PR also opportunistically improves the ESLint rules for switch to indent case: statements

@frankhinek
Manually patch package-lock.json for CVE-2022-25883
5997538 
Signed-off-by: Frank Hinek <frankhinek@users.noreply.github.com>
@frankhinek
Opportunistically improve ESLint rules for switch case indentation
760fc73 
Signed-off-by: Frank Hinek <frankhinek@users.noreply.github.com>
@frankhinek frankhinek self-assigned this Jun 23, 2023
@frankhinek frankhinek added the security Security issue label Jun 23, 2023
@frankhinek frankhinek merged commit 763c157 into main Jun 23, 2023
@frankhinek frankhinek deleted the CVE-2022-25883 branch June 23, 2023 14:55
@frankhinek frankhinek mentioned this pull request Jun 23, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mistermoe mistermoe mistermoe approved these changes

@csuwildcat csuwildcat Awaiting requested review from csuwildcat csuwildcat is a code owner

Assignees

@frankhinek frankhinek

Labels
security Security issue
Projects
Web5 Roadmap
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@frankhinek @mistermoe