Vulnerability in ecstatic dependency #619
Just ran into this. My workaround for now is to switch my projects over to use
I switched over to using Express with its static serving middleware for now. It's not that much more difficult to use than this library when using it programmatically. I'll have to find something else for a quick server from the command line though. I got really used to adding The creator of
I am surprised that this is not deployed after more than two weeks. I switched to https://github.com/RIAEvangelist/node-http-server instead and the vulnerability issue was gone.
@hata6502 , ecstatic is not part of our dependencies. It's used internally by the http-server package. We have no control over it, so we can't upgrade it.
The vulnerable and no longer maintained ecstatic is still a dependency of http-server. Is http-server itself still maintained?
Yes. It’s still maintained |
ecstatic is a direct dependency for (see line 87 in d7bce39).
As per package-lock.json, ecstatic@3.3.2 is used (lines 914 to 924 in d7bce39).
As per the GitHub advisory for CVE-2019-10775, there is no patched version available for ecstatic. The dep ecstatic is no longer maintained, as per jfhbrook/node-ecstatic#259.
Question for @thornjad, who is the most active contributor for http-server and has published recent releases: CVE-2019-10775 was fixed in ecstatic@v4.1.4 (jfhbrook/node-ecstatic#266).
There's a PR #631 to absorb the functionality in ecstatic. If that is what we're waiting for, can we get a version bump in the interim?

Remediation: Upgrade to ecstatic@4.1.4. The PR below bumps the version. Someone who understands ecstatic and vows can probably get the tests to pass in a matter of minutes.
FWIW, you may be able to force the resolution in the interim. Forcing the version results in

Addendum: The library does change the ecstatic version, but then http-server doesn't work. Cool trick, though.
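The two practical questions raised in this thread are whether a lockfile actually pins the vulnerable ecstatic@3.3.2 (the package-lock.json check above) and how to force a different resolution in the interim. The script below is an added example, not code from http-server or ecstatic: it walks a parsed package-lock.json in either the lockfileVersion 1 nested `dependencies` layout or the lockfileVersion 2/3 `packages` map, reports every resolved copy of a package older than the version the thread names as fixed (4.1.4), and emits the npm `overrides` stanza (npm 8.3 and later; Yarn's equivalent is `resolutions`) that would pin all copies to it. The sample lockfiles are constructed; the http-server version and range in them are placeholders, and `compareVersions` is a minimal major.minor.patch comparison written for this example, not the `semver` package.

```javascript
// Added example (not http-server's or ecstatic's code): find every resolved copy
// of a package in a parsed package-lock.json and flag copies below a fixed version.

// Minimal semver core comparison on major.minor.patch; a leading "v" and any
// pre-release suffix are dropped, which is enough for registry versions like 3.3.2.
function compareVersions(a, b) {
  const parse = v => v.replace(/^v/, '').split('-')[0].split('.').map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every resolved copy of `name`, hoisted or nested, as { path, version }.
// lockfileVersion 2/3 keys "packages" by node_modules path; lockfileVersion 1
// nests transitive copies under each entry's own "dependencies".
function findResolved(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        hits.push({ path: p, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${dep}`;
        if (dep === name) hits.push({ path: p, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, p + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Copies whose resolved version is older than the version carrying the fix.
function vulnerableCopies(lock, name, fixedIn) {
  return findResolved(lock, name).filter(h => compareVersions(h.version, fixedIn) < 0);
}

// The package.json stanza that forces every copy to `fixedIn` under npm >= 8.3
// ("resolutions" under Yarn). Forcing a 3.x -> 4.x jump on a dependant that was
// written against 3.x may break it, as the addendum above reports for http-server.
function overridesStanza(name, fixedIn) {
  return { overrides: { [name]: fixedIn } };
}

// Constructed sample: lockfileVersion 1, vulnerable ecstatic@3.3.2 hoisted as a
// transitive dependency of http-server (http-server version/range are placeholders).
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'http-server': { version: '0.12.0', requires: { ecstatic: '^3.3.2' } },
    ecstatic: { version: '3.3.2' },
  },
};

// Constructed sample: the same situation in the lockfileVersion 3 layout, plus a
// second, already-fixed nested copy that must not be flagged.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'http-server': '^0.12.0' } },
    'node_modules/http-server': { version: '0.12.0' },
    'node_modules/ecstatic': { version: '3.3.2' },
    'node_modules/other-tool/node_modules/ecstatic': { version: '4.1.4' },
  },
};

// Version in which the thread says CVE-2019-10775 was fixed.
const FIXED_IN = '4.1.4';

// Audit both samples and produce the stanza that would pin ecstatic.
function auditSamples() {
  return {
    v1: vulnerableCopies(SAMPLE_LOCK_V1, 'ecstatic', FIXED_IN),
    v3: vulnerableCopies(SAMPLE_LOCK_V3, 'ecstatic', FIXED_IN),
    pin: overridesStanza('ecstatic', FIXED_IN),
  };
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `vulnerableCopies` in place of the constructed samples; an empty result means no copy below 4.1.4 is resolved, which is the condition to check before and after applying the override.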
Sometimes it's useful to be able to quickly start up a web server to serve files from the current directory. That's what `serve` does. I've also used `http-server` in the past, which is the same sort of thing but seems to have a major dependency that's no longer maintained [1], so `serve` seems like a better bet. `ngrok` can also do this [2], but it's fiddlier than just typing `serve`.
[1] http-party/http-server#619
[2] https://ngrok.com/docs#http-file-urls
Is this whole project still deserving to be called maintained at all, if it cannot absorb a very critical security patch from a core dependency lib?
Duplicate of #518 |
There is a moderate security vulnerability with ecstatic and ecstatic is no longer maintained
https://snyk.io/vuln/SNYK-JS-ECSTATIC-540354