
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25 #3245

Closed
AlexWinder opened this issue Apr 13, 2022 · 10 comments

Comments

AlexWinder commented Apr 13, 2022

  • Laravel Mix Version: 6.0.43 (npm list --depth=0)
  • Node Version (node -v): 16.14.2
  • NPM Version (npm -v): 8.5.0
  • OS: Ubuntu 20.04.4 LTS (Focal Fossa)

Description:

When running npm audit, warnings are given about async in the upstream webpack-dev-server and portfinder.

Steps To Reproduce:

Run npm audit.

# npm audit report

async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
No fix available
node_modules/async
  portfinder  0.1.0 || >=0.4.0
  Depends on vulnerable versions of async
  node_modules/portfinder
    webpack-dev-server  >=2.0.0-beta
    Depends on vulnerable versions of portfinder
    node_modules/webpack-dev-server
      laravel-mix  *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/laravel-mix

4 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.
@thecrypticace (Collaborator)

The possible fix for this is being tracked here: caolan/async#1828

Not on us but I'll leave this open for the time being

@AlexWinder (Author)

Thanks @thecrypticace

arborrow commented Apr 14, 2022

Looks like the patch for the security issue was backported and now available in 2.6.4. So while the npm audit is still showing it as vulnerable, 2.6.4 is patched and we can probably close this issue.

@inspiraller

Any temporary solution to this?

GiorgiaBoniniEstar commented Apr 14, 2022

> Any temporary solution to this?

I don't know if it can help but I've modified temporarily package.json in my Laravel Project, in this way:

"overrides": {
  "webpack-dev-server": {
    "portfinder": {
      "async": ">3.2.2"
    }
  }
}

(not my temporary solution!)

@arborrow

@inspiraller just run an upgrade and you will get the updated and patched 2.6.4 version

@arborrow

@GiorgiaBoniniEstar my understanding was that the 3.x version introduced breaking changes so folks are better sticking with the 2.x branch

@inspiraller

@arborrow - I'm already using "webpack-dev-server": "4.8.1" - latest version

GiorgiaBoniniEstar commented Apr 14, 2022

> @GiorgiaBoniniEstar my understanding was that the 3.x version introduced breaking changes so folks are better sticking with the 2.x branch

yep, the version is only an example and this is absolutely temporary, I've just changed from ">3.2.2" to ">=2.6.4" and it works like a charm

@thecrypticace (Collaborator)

Given that a fix has been released I'm closing this. Running npm upgrade will upgrade async (it upgrades all dependencies in your tree — not just direct dependencies). All we can do now is wait for npm's advisory database to be updated to reflect that 2.6.4 is not vulnerable.
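Because npm audit lagged behind the backported 2.6.4 release, the practical question in this thread (both for the overrides workaround above and for the closing "run npm upgrade" advice) is whether every copy of async actually installed in the tree is at a patched version. The script below is an added example, not code from the laravel-mix project or from anyone in this thread: it reads the `packages` map of a lockfileVersion 2/3 package-lock.json, finds every hoisted or nested `async`, and checks it against the two patched floors the thread names (2.6.4 on the 2.x branch, 3.2.2 on 3.x). The sample lock file embedded in it is constructed; its 2.6.3 entry is an assumed pre-fix version used only to show a failing result.

```javascript
// Added example (not from the laravel-mix project or this thread).
// Scans a parsed package-lock.json for every installed copy of "async" and
// reports whether each one is at or above the patched release for its branch.

// Patched floors as stated in the thread / GHSA-fwr7-v2mv-hh25:
// 3.x is fixed from 3.2.2, and the fix was backported to 2.6.4.
const PATCHED_3X = [3, 2, 2];
const PATCHED_2X = [2, 6, 4];

// Parse "major.minor.patch" (ignores any prerelease/build suffix).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when this async version is outside the vulnerable range:
// either >= 3.2.2, or a 2.x release at or above the 2.6.4 backport.
function isPatchedAsync(version) {
  const v = parseVersion(version);
  if (compareVersions(v, PATCHED_3X) >= 0) return true;
  return v[0] === 2 && compareVersions(v, PATCHED_2X) >= 0;
}

// Walk the lockfile's "packages" map. Keys are node_modules paths, so a
// nested copy appears as ".../node_modules/<parent>/node_modules/async".
function auditLockfile(lock) {
  const packages = (lock && lock.packages) || {};
  const results = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path !== 'node_modules/async' && !path.endsWith('/node_modules/async')) continue;
    results.push({
      path,
      version: entry.version,
      patched: isPatchedAsync(entry.version),
    });
  }
  return results;
}

// Convenience: just the paths that still need attention.
function vulnerableAsyncPaths(lock) {
  return auditLockfile(lock).filter((r) => !r.patched).map((r) => r.path);
}

// Constructed sample lock file mirroring the hoisting in the audit output:
// a hoisted async left on an assumed pre-fix 2.6.3, and a nested copy that an
// override of ">=2.6.4" pulled in under portfinder.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/async': { version: '2.6.3' },
    'node_modules/portfinder': { version: '0.0.0-constructed' },
    'node_modules/portfinder/node_modules/async': { version: '2.6.4' },
  },
};

// Stand-alone run: print one line per installed async.
for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.patched ? 'ok        ' : 'VULNERABLE'} ${r.version.padEnd(8)} ${r.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a lockfileVersion 1 file has no `packages` map and would need its `dependencies` tree walked instead. The check deliberately reads the lock file rather than trusting the advisory database, which is exactly the gap the thread ran into: the installed 2.6.4 was already fixed while npm audit still flagged it.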
