Address vulnerable dependency: Semver < 7.5.2
invariants opened this issue
Please update all dependencies to semver to at least 7.5.2 to address CVE-2022-25883.
#904 is related to this
If you have difficulties understanding my language, I recommend using a translator
DEPENDENCY PROBLEMS
```
# npm audit report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install @commitlint/cli@8.2.0, which is a breaking change
node_modules/read-pkg/node_modules/semver
  normalize-package-data <=2.5.0
  Depends on vulnerable versions of semver
  node_modules/read-pkg/node_modules/normalize-package-data
    read-pkg <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/read-pkg
      read-pkg-up <=7.0.1
      Depends on vulnerable versions of read-pkg
      node_modules/read-pkg-up
        meow 3.4.0 - 9.0.0
        Depends on vulnerable versions of read-pkg-up
        node_modules/meow
          conventional-commits-parser >=2.1.5
          Depends on vulnerable versions of meow
          node_modules/conventional-commits-parser
            @commitlint/parse >=8.3.0
            Depends on vulnerable versions of conventional-commits-parser
            node_modules/@commitlint/parse
              @commitlint/lint >=8.3.0
              Depends on vulnerable versions of @commitlint/parse
              node_modules/@commitlint/lint
          git-raw-commits >=1.3.4
          Depends on vulnerable versions of meow
          node_modules/git-raw-commits
            @commitlint/read >=8.3.0
            Depends on vulnerable versions of git-raw-commits
            node_modules/@commitlint/read
              @commitlint/cli >=8.3.0
              Depends on vulnerable versions of @commitlint/lint
              Depends on vulnerable versions of @commitlint/read
              node_modules/@commitlint/cli

11 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```
Of all the dependencies listed in my prompt, I did a fairly manual lookup to find where the versioning problem really was.
At the time of posting this message, the versions of the packages listed below are:
- semver, whose current version is 7.5.3, above 7.5.2. Therefore its situation is OK;
- normalize-package-data, whose version is 5.0.0, above <=2.5.0, but it uses semver@^7.3.5. npm is able to resolve this problem and update the dependency to the current version. Therefore the situation is OK;
- read-pkg is at version 8.0.0, above <=5.2.0, and the most recent version uses normalize-package-data@^5.0.0. Therefore its situation is OK;
- read-pkg-up is at version 9.1.0, above <=7.0.1, and uses read-pkg@^7.1.0, which in turn is above <=5.2.0 but is not the most recent. Therefore its situation is PARTIAL;
- meow is at version 12.0.1, outside the range 3.4.0 - 9.0.0, and uses normalize-package-data^5.0.0 + read-pkg-up^9.1.0. Therefore it is OK;
- conventional-commits-parser is at version 4.0.0, but uses the dependency meow@^8.1.2. Therefore its situation is BAD

CONCLUSION
Please make a commit updating, at least, the meow dependency of the conventional-commits-parser package to the most recent version possible.
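The manual version lookup in the comment above can be automated. As an added example (not code from this thread or from the conventional-changelog project), the following Node script walks an npm lockfile's `packages` map (lockfileVersion 2/3), finds every installed copy of `semver` below 7.5.2, the fixed version for CVE-2022-25883, and reports the nesting chain that pulls each copy in. The lockfile contents and `findVulnerableSemver` are constructed for illustration.

```javascript
// Added example: locate nested copies of semver < 7.5.2 in an npm lockfile.
// A hoisted, fixed semver at node_modules/semver does not help when an old
// transitive dependency (here read-pkg) pins its own nested copy.

const FIXED_VERSION = "7.5.2";

// Numeric compare of "major.minor.patch" strings; any pre-release tag is ignored.
// Implemented by hand so the check does not depend on the package being audited.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// "node_modules/read-pkg/node_modules/semver" -> ["read-pkg", "semver"],
// i.e. the chain of packages that nest this copy (scoped names stay intact).
function chainFromPath(lockPath) {
  return lockPath
    .split("node_modules/")
    .filter(Boolean)
    .map((seg) => seg.replace(/\/$/, ""));
}

// Returns one finding per semver install whose version is below fixedVersion.
function findVulnerableSemver(lock, fixedVersion = FIXED_VERSION) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // "" is the root project entry
    const chain = chainFromPath(lockPath);
    if (chain[chain.length - 1] !== "semver") continue;
    if (compareVersions(meta.version, fixedVersion) < 0) {
      findings.push({ path: lockPath, version: meta.version, chain: chain.join(" > ") });
    }
  }
  return findings;
}

// Constructed sample lockfile mirroring the thread: fixed semver hoisted at the
// top level, but read-pkg@3.0.0 drags in a nested pre-7.5.2 copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-project", version: "1.0.0" },
    "node_modules/semver": { version: "7.5.3" },
    "node_modules/read-pkg": { version: "3.0.0", dependencies: { "normalize-package-data": "^2.3.2" } },
    "node_modules/read-pkg/node_modules/normalize-package-data": { version: "2.5.0" },
    "node_modules/read-pkg/node_modules/semver": { version: "5.7.1" },
  },
};
```

Run `findVulnerableSemver(JSON.parse(fs.readFileSync("package-lock.json")))` against a real lockfile to get the same chain report that `npm audit` prints, without the audit's range-based noise.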
> #904 is related to this

It's not just related to that PR, there's also a transitive dependency that is very old, which is read-pkg; it should be updated to v5.2.0, which is the last version that is non-ESM.
@release-it/conventional-changelog@7.0.0 requires semver@2 || 3 || 4 || 5 via a transitive dependency on normalize-package-data@2.5.0.
The issue is read-pkg@3.0.0 requires normalize-package-data@2.3.2, which requires semver@2 || 3 || 4 || 5.
You can see below where read-pkg is being used, and that dependency should be updated as it is very old.
@dangreen are there any plans to update some of these super old dependencies in conventional-changelog? I see that #904 was merged but read-pkg is still a problem. It would be nice to have a fix instead of us having to patch semver to a newer version on our own (I do mine via yarn resolution, but it would be nice to not have to).
Related PRs
However, these PRs are failing (unit tests) because the PRs are trying to upgrade to recent versions which are now ESM only. A working solution would be to upgrade read-pkg to v5.2.0, which is the last version before ESM only arrived. Upgrading read-pkg would most certainly help to close some CVE reported issues; it would also close this opened issue.
@dangreen I think the release is missing to fix the vulnerability?
```
conventional-changelog@4.0.0
└─┬ conventional-changelog-core@5.0.2
  └─┬ conventional-changelog-writer@6.0.1
    └── semver@7.5.1
```
conventional-changelog-writer@6.0.1 package.json says it is using 7.5.2 already. Wondering why you still get 7.5.1.
@escapedcat conventional-changelog-writer@6.0.1 was released on July 9th, while the package.json was updated to use 7.5.2 on July 10th.
We need new releases for all packages to fix this vulnerability once and for all.
@dangreen any way we could have a new release for conventional-changelog-writer, conventional-changelog-core and conventional-changelog to fix the vulnerability once and for all?