
NPM Audit: Prototype pollution in async #2327

Closed
zachleat opened this issue Apr 15, 2022 · 6 comments
Labels
npm-audit Security audits from npm template-language: ejs

Comments

@zachleat
Member

zachleat commented Apr 15, 2022

async  <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install @11ty/eleventy@0.3.3, which is a breaking change
node_modules/async
node_modules/portscanner/node_modules/async
  jake  >=8.0.1
  Depends on vulnerable versions of async
  node_modules/jake
    ejs  >=3.1.2
    Depends on vulnerable versions of jake
    node_modules/ejs
      @11ty/eleventy  >=0.3.4
      Depends on vulnerable versions of browser-sync
      Depends on vulnerable versions of ejs
      node_modules/@11ty/eleventy
  portscanner  0.1.1 - 2.1.1
  Depends on vulnerable versions of async
  node_modules/portscanner
    browser-sync  <=0.6.2 || >=2.0.0-rc1
    Depends on vulnerable versions of portscanner
    node_modules/browser-sync
@zachleat zachleat added the npm-audit Security audits from npm label Apr 15, 2022
@zachleat
Member Author

Applies to both 1.x and 2.x branches, although I expect that this will be fixed upstream in a minor dependency bump.

@zachleat
Member Author

zachleat commented Apr 20, 2022

jakejs/jake#408 was merged and a new version was shipped.

This is now fixed on 2.x but still applicable to 1.x via the browser-sync dep.

See also this issue filed for the 2.x eleventy-server-browsersync plugin 11ty/eleventy-server-browsersync#2

@sentience

sentience commented Apr 25, 2022

Looks like portscanner@2.2.0 already allows the fix, async@2.6.4.

browser-sync@2.27.9 (latest) specifies exactly portscanner@2.1.1, so I guess that's where an issue/fix is needed.
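
The reasoning above (two chains reach `async`, and an exact pin in browser-sync blocks the fix) as an added example, not code from the issue or from the Eleventy project. It models the audit tree as a small graph, lists every path from the root to a vulnerable `async`, and names the declared range that blocks a fix. Only async <2.6.4, browser-sync@2.27.9 pinning portscanner@2.1.1 and the fixed versions come from the thread; the other versions and ranges in the tree are constructed, and the range parser is deliberately minimal.

```javascript
// Added example (not from the issue). Versions/ranges other than async <2.6.4,
// browser-sync@2.27.9 -> portscanner@2.1.1 and the fixed versions are constructed.

// Three-part numeric version comparison (no semver package required).
const cmp = (a, b) => {
  const [x, y] = [a, b].map(v => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Minimal range check: exact "1.2.3", caret "^1.2.3", upper bound "<1.2.3".
function satisfies(version, range) {
  if (range.startsWith('<')) return cmp(version, range.slice(1)) < 0;
  if (range.startsWith('^')) {
    const base = range.slice(1);
    return cmp(version, base) >= 0 && version.split('.')[0] === base.split('.')[0];
  }
  return cmp(version, range) === 0;
}

// Constructed install tree: resolved version plus the ranges each package declares.
const tree = {
  '@11ty/eleventy': { version: '1.0.0', deps: { ejs: '^3.1.6', 'browser-sync': '^2.27.9' } },
  ejs:              { version: '3.1.6', deps: { jake: '^10.8.0' } },
  jake:             { version: '10.8.2', deps: { async: '^2.6.3' } },
  'browser-sync':   { version: '2.27.9', deps: { portscanner: '2.1.1' } }, // exact pin
  portscanner:      { version: '2.1.1', deps: { async: '^1.5.2' } },
  async:            { version: '2.6.3', deps: {} },
};
const VULN_RANGE = '<2.6.4'; // GHSA-fwr7-v2mv-hh25 as quoted by npm audit

// Every path from `root` to `pkg` when the resolved `pkg` is inside `vulnRange`.
function vulnerablePaths(tree, root, pkg, vulnRange, path = [root]) {
  if (!satisfies(tree[pkg].version, vulnRange)) return [];
  if (root === pkg) return [path.join(' > ')];
  return Object.keys(tree[root].deps)
    .flatMap(d => vulnerablePaths(tree, d, pkg, vulnRange, [...path, d]));
}

// Dependents whose declared range on `pkg` rejects `fixedVersion`: each needs its own release.
function blockingDependents(tree, pkg, fixedVersion) {
  return Object.entries(tree)
    .filter(([, n]) => pkg in n.deps && !satisfies(fixedVersion, n.deps[pkg]))
    .map(([name, n]) => `${name}@${n.version} declares ${pkg}@${n.deps[pkg]}`);
}

console.log(vulnerablePaths(tree, '@11ty/eleventy', 'async', VULN_RANGE));
console.log(blockingDependents(tree, 'portscanner', '2.2.0'));
```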

@SphinxKnight

SphinxKnight commented May 8, 2022

@shakyShane

released as browser-sync@2.27.10 - thank you :)

@zachleat
Member Author

~/Temp/eleventy-install-may-18-2022 ᐅ npm install @11ty/eleventy           

added 322 packages, and audited 323 packages in 7s

26 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

Verified, thank you @shakyShane!
