
Dependency url-signature using a version of crypto-js with critical vulnerability #1104

Closed
elrond30 opened this issue Dec 5, 2023 · 6 comments
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

elrond30 commented Dec 5, 2023

Hi, it looks like the package.json is using url-signature 1.0.4, which uses a version of crypto-js with a critical vulnerability. There is an open issue in js-url-signature with a pull request to update the crypto-js version and solve the vulnerability.

googlemaps/js-url-signature#446

Thanks.

@elrond30 elrond30 added triage me I really want to be triaged. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Dec 5, 2023
wangela (Member) commented Dec 5, 2023

If you would like to upvote the priority of this issue, please comment below or react on the original post above with 👍 so we can see what is popular when we triage.

@elrond30 Thank you for opening this issue. 🙏
Please check out these other resources that might help you get to a resolution in the meantime:

This is an automated message, feel free to ignore.

wangela (Member) commented Dec 6, 2023

v1.0.30 of js-url-signature has been released with the updated dependency. We'll need to update the dependency in this library to pull that in.

@wangela wangela added priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. and removed triage me I really want to be triaged. labels Dec 6, 2023
wangela (Member) commented Dec 6, 2023

@usefulthink after you merge #1046, could you update this dependency? Causing a CVE.

wangela (Member) commented Dec 12, 2023

Since the dependency range in the current package.json includes minor and patch releases of js-url-signature at or above v1.0.4, this library will now pull in v1.0.30 without any changes required (it may require an npm audit fix for existing projects). Lowering priority to update the listed dependency at the next sensible update.
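To make the range argument above concrete, here is an added example (not code from this thread or from the Google Maps libraries) that implements npm's caret-range semantics and shows why the range admits the fixed release while a lockfile can still pin the vulnerable one; writing the range as `^1.0.4`, and the version numbers 1.0.4 and 1.0.30, are taken from the discussion, everything else is assumed.

```javascript
// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release tags are not handled.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way compare of two version strings: -1, 0 or 1.
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound implied by a caret range, per npm semantics:
// ^1.0.4 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// True when `version` lies inside the caret range `range` (e.g. "^1.0.4").
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges handled here');
  const lower = range.slice(1);
  const upper = caretUpperBound(parseSemver(lower));
  return compareSemver(version, lower) >= 0 && compareSemver(version, upper) < 0;
}

// What a downstream project must do: the package.json range decides whether a
// fresh install can pick up the fix, but the lockfile decides what is installed.
function auditStatus(range, lockedVersion, fixedVersion) {
  if (!satisfiesCaret(range, fixedVersion)) return 'range-excludes-fix'; // bump package.json
  if (compareSemver(lockedVersion, fixedVersion) >= 0) return 'already-fixed';
  return 'audit-fix-needed'; // lockfile still pins the old version
}

// Constructed sample: a project whose lockfile resolved js-url-signature 1.0.4.
const STATUS_FOR_LOCKED_1_0_4 = auditStatus('^1.0.4', '1.0.4', '1.0.30');
```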

@wangela wangela added priority: p2 Moderately-important priority. Fix may not be included in next release. and removed priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. labels Dec 12, 2023
wangela (Member) commented Dec 12, 2023

Fixed by #1110

@wangela wangela closed this as completed Dec 12, 2023
elrond30 (Author) commented Jan 5, 2024

Thank you for the fix.
