Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

moderate advisory in dependency #2023

Closed
newhouse opened this issue Jun 22, 2022 · 8 comments
Closed

moderate advisory in dependency #2023

newhouse opened this issue Jun 22, 2022 · 8 comments

Comments

@newhouse
Copy link

I am on nodemon v2.0.16 and yarn audit tells me that there's a vuln in one of the dependencies:

GHSA-pfrx-2q88-qq97

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Got allows a redirect to a UNIX socket                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ got                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in>=11.8.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nodemon > update-notifier > latest-version > package-json >  │
│               │ got                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1075647                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

I have no clue if update-notifiier and the rest of the tree-on-down have updated to fix this...but when they do it'd be great if you could update this!

Thanks for the great library!

@danepowell
Copy link

danepowell commented Jun 22, 2022

Here's the problem: yeoman/update-notifier#218

update-notifier needs to update its dependency on latest-version in order to fix this, but it seems somewhat unlikely to happen given the lack of development (last commit over a year ago) and lack of response to similar issues (yeoman/update-notifier#216, yeoman/update-notifier#214)

Seems like the real solution here is to replace update-notifier: #1961

@gaborszita
Copy link
Contributor

This should've been fixed by v6.0.0 of update-notifier (released about 40 minutes ago), so please update nodemon's update-notifier dependency to v6.0.0.
yeoman/update-notifier#218
yeoman/update-notifier@9183541
https://github.com/yeoman/update-notifier/releases/tag/v6.0.0

@gaborszita
Copy link
Contributor

gaborszita commented Jun 23, 2022

I created a pull request for this, it should fix it.
#2029

@remy
Copy link
Owner

remy commented Jun 23, 2022

releasing now.

@remy remy closed this as completed Jun 23, 2022
@lorand-horvath
Copy link

lorand-horvath commented Jun 23, 2022

Just wanted to mention a directly related issue I opened regarding the vulnerability in the got package sindresorhus/got#2067

Thanks @gaborszita and @remy !
Ouch, I see you had to revert 1b3bc8c
Is there another solution?

@remy
Copy link
Owner

remy commented Jun 23, 2022

Had to revert as it borked installs. The next release, I hope, will remove update-notifier as it keeps bringing in issues.

@francisdb
Copy link

@remy is there an open related issue/pr we can track?

@gaborszita
Copy link
Contributor

@remy is there an open related issue/pr we can track?

This project plans to drop update-notifier and there is an open issue for it #1961. I think updates will go there.

crabbit-git added a commit to crabbit-git/dinopedia that referenced this issue Jul 3, 2022
In the server, nodemon v5.0.16 was depending on update-notifier v5.1, which has got v9.6 - which has a vulnerability - in its dependency chain. This was reportedly corrected in update-notifier v6, released very recently, but this still isn't included in nodemon v5.0.18 so manually changed dependency to update-notifier v6, which has removed the vulnerability and associated warning. See remy/nodemon#2023 for more info.

In the client, react-scripts had a vulnerability in dependency nth-check v1.0.2. Apparently it's sufficient to move react-scripts to devDependencies (facebook/create-react-app#11174) but I'm not sure if this will appease Dependabot. If not, I'll likely try manually updating the nth-check version in the dependency chain to see if that fixes the issue without breaking anything.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants