
@docusaurus/core@2.2.0 depends on a deep dependency got@9.6.0 which is a vulnerable version #8277

Closed
5 of 7 tasks
xnivaxhzne opened this issue Nov 2, 2022 · 3 comments · Fixed by #8660
Labels
bug An error in the Docusaurus core causing instability or issues with its execution

Comments

@xnivaxhzne

Have you read the Contributing Guidelines on issues?

Prerequisites

  • I'm using the latest version of Docusaurus.
  • I have tried the npm run clear or yarn clear command.
  • I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
  • I have tried creating a repro with https://new.docusaurus.io.
  • I have read the console error message carefully (if applicable).

Description

@docusaurus/core@2.2.0 depends on a deep dependency got@9.6.0 which is a vulnerable version

Dependency Map:

@docusaurus/core@2.2.0
  └─┬ update-notifier@5.1.0
    └─┬ latest-version@5.1.0
      └─┬ package-json@6.5.0
        └── got@9.6.0

Observations:

  • got@11.8.5 and above are the bug-free ones
  • package-json@8.0.0 and above contains the above got package version
  • latest-version@7.0.0 and above contains the above package-json package version
  • update-notifier@6.0.1 and above contains the above latest-version package version

But @docusaurus/core@2.2.0 contains only update-notifier@5.1.0, which has the vulnerable got.

Useful Links:

https://www.npmjs.com/package/got
https://nvd.nist.gov/vuln/detail/CVE-2022-33987

Reproducible demo

No response

Steps to reproduce

Run npm ls got

You will get

@docusaurus/core@2.2.0
  └─┬ update-notifier@5.1.0
    └─┬ latest-version@5.1.0
      └─┬ package-json@6.5.0
        └── got@9.6.0

Here, got@9.6.0 is a vulnerable version.

Expected behavior

@docusaurus/core should use at least update-notifier@6.0.1, which has a non-vulnerable got

Actual behavior

@docusaurus/core is using update-notifier@5.1.0, which has the vulnerable version got@9.6.0

Your environment

  • Docusaurus version used: 2.2.0
  • Environment name and version (e.g. Chrome 106.0.5249.119, Node.js 16.17.0):
  • Operating system and version (e.g. Mac OS Monterey 12.5.1):

Self-service

  • I'd be willing to fix this bug myself.
@xnivaxhzne xnivaxhzne added bug An error in the Docusaurus core causing instability or issues with its execution status: needs triage This issue has not been triaged by maintainers labels Nov 2, 2022
@slorber slorber removed the status: needs triage This issue has not been triaged by maintainers label Nov 2, 2022
@slorber
Collaborator

slorber commented Nov 2, 2022

Thanks for reporting

After taking a look, it's unlikely to cause any security trouble in Docusaurus, but we'll upgrade to v6.0 someday (ESM)

See also

We could as well do like nodemon and start using a simpler/lighter lib, see remy/nodemon#2033

@slorber slorber added closed: please-fix-this-cve This issue is asking for fixing a CVE in a build-only dep which doesn't pose any real threat. and removed closed: please-fix-this-cve This issue is asking for fixing a CVE in a build-only dep which doesn't pose any real threat. labels Nov 2, 2022
@whoisclebs

Just an update for those who are a little bothered by the vulnerability alert, like me. You can override the vulnerable dependencies in your package.json, for example:

  "overrides": {
    "trim": "^0.0.3",
    "got": "^11.8.5"
  }

https://github.com/clebsonf/ld.health/blob/1e9831fc73ce1696eaeff88adc3ed05262911b63/docs/package.json#L43-L46

@tconbeer

tconbeer commented Nov 8, 2022

With yarn, it's "resolutions" instead of "overrides". Otherwise @clebsonf's workaround works great.
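The check and the workaround discussed in this thread, as an added example that is not part of the issue, the Docusaurus project, or any commenter's code: a Node script that walks the JSON form of `npm ls got --json` output, flags every nested `got` whose version falls in the range NVD lists for CVE-2022-33987 (below 11.8.5, and 12.0.0 up to but not including 12.1.0), and emits the matching `overrides` (npm) or `resolutions` (yarn) entry. The dependency tree embedded below is a constructed sample that mirrors the dependency map in the issue; `findPackage`, `auditGot` and `overrideSnippet` are names chosen here, not npm or Docusaurus APIs.

```javascript
// Added example (not from the Docusaurus project or this issue's commenters).
// Constructed sample mirroring `npm ls got --json` for the tree in the issue.
const SAMPLE_NPM_LS_JSON = {
  name: "my-docs-site",
  version: "0.0.0",
  dependencies: {
    "@docusaurus/core": {
      version: "2.2.0",
      dependencies: {
        "update-notifier": {
          version: "5.1.0",
          dependencies: {
            "latest-version": {
              version: "5.1.0",
              dependencies: {
                "package-json": {
                  version: "6.5.0",
                  dependencies: { got: { version: "9.6.0" } },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Minimal semver comparison on major.minor.patch; prerelease tags are ignored.
function parseVersion(v) {
  return v.split(/[.+-]/).slice(0, 3).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Affected range for CVE-2022-33987 as published by NVD:
// versions before 11.8.5, and 12.0.0 through 12.0.4 (fixed in 12.1.0).
function isVulnerableGot(version) {
  if (compareVersions(version, "11.8.5") < 0) return true;
  return (
    compareVersions(version, "12.0.0") >= 0 &&
    compareVersions(version, "12.1.0") < 0
  );
}

// Depth-first walk of the `dependencies` nesting that `npm ls --json` emits,
// recording every copy of `name` together with the path that pulls it in.
function findPackage(tree, name, path = [], hits = []) {
  const deps = tree.dependencies || {};
  for (const [depName, node] of Object.entries(deps)) {
    const here = [...path, `${depName}@${node.version}`];
    if (depName === name) {
      hits.push({ version: node.version, path: here.join(" > ") });
    }
    findPackage(node, name, here, hits);
  }
  return hits;
}

// Returns only the copies of `got` inside the affected range.
function auditGot(tree) {
  return findPackage(tree, "got").filter((h) => isVulnerableGot(h.version));
}

// The package.json fragment the commenters above use: npm reads `overrides`,
// yarn reads `resolutions`. The default pin is the first fixed 11.x release.
function overrideSnippet(packageManager, gotVersion = "^11.8.5") {
  const key = packageManager === "yarn" ? "resolutions" : "overrides";
  return { [key]: { got: gotVersion } };
}

// Stand-alone run over the constructed sample.
for (const f of auditGot(SAMPLE_NPM_LS_JSON)) {
  console.log(`vulnerable got@${f.version}: ${f.path}`);
}
console.log(JSON.stringify(overrideSnippet("npm"), null, 2));
```

To run this against a real project, replace the constructed sample with `JSON.parse(require("fs").readFileSync(0, "utf8"))` and pipe `npm ls got --json` into the script. One caveat on the workaround itself: the override moves package-json@6.5.0 from got 9 to got 11 across two major versions, so run the build (and the update check it performs) afterwards to confirm nothing that relied on the older got API broke.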


4 participants