Hi, @thornjad @zbynek, there is a high severity vulnerability introduced in your package http-server:
Issue Description
A vulnerability CVE-2017-1000048 detected in package qs(<6.0.4,>=6.1.0 <6.1.2,>=6.2.0 <6.2.3,>=6.3.0 <6.3.2) is transitively referenced by http-server@0.11.1. We noticed that such a vulnerability has been removed since http-server@0.12.0.
However, http-server's popular previous version http-server@0.11.1 (90,689 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 247 downstream projects, e.g., quiz-react-sdk 17.14.0, quiz-presets 17.14.0, @instructure/ui-scripts 8.6.0, @instructure/quiz-number-input 17.14.0, @instructure/quiz-taking 17.14.0, @yuuvis/project@2.0.2, etc.).
As such, issue CVE-2017-1000048 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade http-server from version 0.11.1 to (>=0.12.0). For instance, http-server@0.11.1 is introduced into the above projects via the following package dependency paths:
(1) @yuuvis/project@2.0.2 ➔ @eo-sdk/proxy@1.0.5 ➔ http-server@0.11.1 ➔ union@0.4.6 ➔ qs@2.3.3 ......
The projects such as @eo-sdk/proxy, which introduced http-server@0.11.1, are not maintained anymore. These unmaintained packages can neither upgrade http-server nor be easily migrated by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package http-server@0.11.1?
Suggested Solution
Since these inactive projects set a version constraint 0.11.* for http-server on the above vulnerable dependency paths, if http-server removes the vulnerability from 0.11.1 and releases a new patched version http-server@0.11.2, such a vulnerability patch can be automatically propagated into the 247 affected downstream projects.
In http-server@0.11.2, you can kindly try to perform the following upgrade: union ~0.4.3 ➔ ~0.5.0; Note: union@0.5.0(>=0.5.0) directly depends on qs@6.10.1 (a vulnerability CVE-2017-1000048 patched version)
Thank you for your help.
Best regards,
Paimon
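The following is an added example, not code from the issue author or from the http-server project. It shows how a downstream maintainer can check a resolved dependency tree for a qs version inside the CVE-2017-1000048 ranges quoted in the issue, print the path by which it is reached, and confirm that the suggested backport (http-server@0.11.2 pulling union ~0.5.0, which the issue says resolves to qs@6.10.1) removes every such path. The tree is constructed here to mirror dependency path (1) from the issue and is not a real lockfile; the "after" tree is hypothetical, with versions taken only from the issue text.

```javascript
// Added example (not part of the issue or the http-server project).
// Affected qs ranges exactly as stated in the issue:
// <6.0.4, >=6.1.0 <6.1.2, >=6.2.0 <6.2.3, >=6.3.0 <6.3.2
const QS_AFFECTED = [
  { min: null,    max: '6.0.4' },
  { min: '6.1.0', max: '6.1.2' },
  { min: '6.2.0', max: '6.2.3' },
  { min: '6.3.0', max: '6.3.2' },
];

// Numeric comparison of plain x.y.z versions. Pre-release tags are not
// handled; none of the versions on this dependency path carry one.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// A qs version is affected if it falls inside any [min, max) range above.
function isVulnerableQs(version) {
  return QS_AFFECTED.some(({ min, max }) =>
    (min === null || compareVersions(version, min) >= 0) &&
    compareVersions(version, max) < 0);
}

// Walk a package-lock style tree ({ name: { version, dependencies } }) and
// return every path that ends in an affected qs version, so the report
// shows which parent actually pins the vulnerable copy.
function findVulnerablePaths(tree, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree)) {
    const here = [...path, `${name}@${node.version}`];
    if (name === 'qs' && isVulnerableQs(node.version)) {
      hits.push(here.join(' -> '));
    }
    if (node.dependencies) {
      hits.push(...findVulnerablePaths(node.dependencies, here));
    }
  }
  return hits;
}

// Constructed tree mirroring path (1) from the issue.
const before = {
  '@yuuvis/project': { version: '2.0.2', dependencies: {
    '@eo-sdk/proxy': { version: '1.0.5', dependencies: {
      'http-server': { version: '0.11.1', dependencies: {
        union: { version: '0.4.6', dependencies: {
          qs: { version: '2.3.3' },
        } },
      } },
    } },
  } },
};

// Hypothetical tree after the suggested backport: the 0.11.* constraint in
// @eo-sdk/proxy resolves to http-server@0.11.2, which depends on
// union ~0.5.0, which (per the issue) depends on qs@6.10.1.
const after = JSON.parse(JSON.stringify(before));
const httpServer = after['@yuuvis/project'].dependencies['@eo-sdk/proxy']
  .dependencies['http-server'];
httpServer.version = '0.11.2';
httpServer.dependencies = {
  union: { version: '0.5.0', dependencies: { qs: { version: '6.10.1' } } },
};

console.log('before backport:', findVulnerablePaths(before));
console.log('after backport: ', findVulnerablePaths(after));
```

Run with `node check-qs.js`; the first line prints the single vulnerable path from the issue and the second prints an empty list. To use it on a real project, replace `before` with the `dependencies` object of a package-lock.json (v1 layout) and keep the affected ranges as the only policy input, so the same walker can be reused for any future qs advisory by editing `QS_AFFECTED`.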
I'll leave this one to @thornjad since I'm just a contributor
90,689 downloads per week
Just out of curiosity, do you have any data on how many of those are direct downloads (0.11 stored in package-lock, bash script containing npx http-server@0.11 etc) and how many are through dependencies? The example https://www.npmjs.com/package/@eo-sdk/proxy has 27 downloads per week, instructure packages have over 1000, but some of them seem to be updated already.
I can't guarantee that other projects can all upgrade to a 0.11.2 patch, but a backport is definitely something I'm willing to do. It shouldn't be a hassle, but those are famous last words.