Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

normalize-url v3 is vulnerable #19

Closed
andreainnocenti opened this issue May 27, 2021 · 8 comments · Fixed by #30
Closed

normalize-url v3 is vulnerable #19

andreainnocenti opened this issue May 27, 2021 · 8 comments · Fixed by #30

Comments

@andreainnocenti
Copy link
Contributor

https://snyk.io/vuln/SNYK-JS-NORMALIZEURL-1296539

Please upgrade normalize-url to version 6.0.1, 5.3.1, 4.5.1 or higher.
@andreainnocenti andreainnocenti mentioned this issue May 28, 2021
Merged
@lykims lykims mentioned this issue Jun 9, 2021
Closed
@rkesters rkesters mentioned this issue Jun 27, 2021
Closed
@PatrykMilewski
Copy link

Hey! Any chance to release a fix?

@develth
Copy link

develth commented Jun 29, 2021

Release of updatd normalize-url would be nice. Thanks!

@IonicaBizau
Copy link
Owner

I am on this. Sorry for the delay... I will release a major update since normalize-url doesn't seem to be compatible with Safari.

@PatrykMilewski
Copy link

But the vulnarability is fixed for "normalize-url": "4.5.1", so can't it be just updated from 4.5.0 to 4.5.1?

@PatrykMilewski
Copy link 

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ normalize-url                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lerna                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lerna > @lerna/version > @lerna/github-client >              │
│               │ git-url-parse > git-up > parse-url > normalize-url           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1755                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

@IonicaBizau IonicaBizau mentioned this issue Jun 29, 2021
Merged
@develth
Copy link

develth commented Jun 29, 2021

Is it possible to get a 5.0.7 with 4.5.1, so the packages using this package will get the fixed version?

@IonicaBizau
Copy link
Owner

@develth Good idea! Just published 5.0.7 requiring normalize-url@4.5.1. Thanks!

@develth
Copy link

develth commented Jun 29, 2021

Merci @IonicaBizau !

@lykims lykims mentioned this issue Jun 29, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

parse-url 6.0.0 IonicaBizau/parse-url
Update normalize-url version rkesters/parse-url
4 participants
@IonicaBizau @develth @PatrykMilewski @andreainnocenti