jsverse / transloco

🚀 😍 The internationalization (i18n) library for Angular

Home Page: https://jsverse.github.io/transloco/


Replace replace-in-file package to resolve CWE-772 in inflight

joserodriguez16 opened this issue · comments

replace-in-file uses glob ^8.1.0, which uses inflight which is a vulnerable package that doesn’t get updates. An issue on the replace-in-file repo has been open since March 11 of this year but the vulnerability has not been addressed. Therefore, it should be replaced. Inflight vulnerability details:

CWE-772
https://cwe.mitre.org/data/definitions/772.html

Snyk analysis
https://security.snyk.io/package/npm/inflight/1.0.6

@joserodriguez16 Why was this marked as completed?

PR #693 removed unused dependencies (including replace-in-file)

@joserodriguez16 Why was this marked as completed?

Sorry, I should've left a comment. replace-in-file was recently updated to v8 and the vulnerability was addressed. I was going to open another issue proposing an update to the dependency.

@PeterHewat These dependencies are used by the schematics.

Is there anything that can be done to help out here? I suppose all that is needed is a version bump to v8, right?

@skatterwe The package is now ESM which means all the schematics need an upgrade to use it.
You are welcome to open a PR for it 🙌

@shaharkazaz if you guide me a bit on what I need to take care of in your pull requests etc. I can surely have a look (commit message formats, branch name policies etc.)

Ah, found some hints in the contributing file. I'll see what I can do :)

@shaharkazaz as what would I commit this? I initially did it as a feature, but that somehow feels a bit weird. So before I raise a PR, can you please let me know as what I should commit? Do you consider a version bump a refactor or a chore change, or should I stick with feature?

@skatterwe hm... we can make it a fix I guess, as this isn't actually adding a feature.
We need to understand if this is somehow a breaking change; it might be due to the minimum node version needed to run the schematics, no?

@shaharkazaz yeah, I was also wondering about the question of the breaking change. I tried linking the dist from my fork within some of my projects and it worked all fine (without any changes), but I remember too well the flat update and how that caused us to update the tests later on 😅

But is a fix with a breaking change something you consider OK commit-wise? Feels a bit strange. Just let me know what you think is best, then I'll create a new branch with the commit settings you would like :)

@skatterwe My suspicion is the minimum node version required.
Currently, the minimum Angular version is 16, which supports node v16. I vaguely remember that you need node 18 or so for the ESM support, but I'm not sure. If there is a breaking change, that would be it.

Regarding the commit type, let's go with feature.