New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lerna uses alternate version of npm-registry-fetch which does not include recent security fix #2670
Comments
Hi Folks 👋 You may or may not know that lerna is now under the stewardship of Nrwl (announcement here #3121), a company with a long history of not just producing valuable open-source software (OSS), but also backing others (at the time of writing, Nrwl has donated over $50,000 to OSS it hasn't created, see https://opencollective.com/nx for full details). Quite simply, Nrwl ❤️ OSS, and is committed to making lerna the best it can be. We use it ourselves. In order to take this awesome project forward from its current state, it is important that we focus our finite resources on what is most important to lerna users in 2022. With that in mind, we have identified this issue as being potentially stale due to its age and/or lack of recent activity. Next steps: We want to give you some time to read through this comment and take action per one of the steps outlined below, so for the next 14 days we will not make any further updates to this issue. @keving17 as the original author of this issue, we are looking to you to update us on the latest state of this as it relates to the latest version of lerna. Please choose one of the steps below, depending on what type of issue this is:
If we do not hear from @keving17 on this thread within the next 14 days, we will automatically close this issue. If you are another user impacted by this issue but it ends up being closed as part of this process, we still want to hear from you! Please simply head over to our new issue templates and fill out all the requested details on the template which applies to your situation: https://github.com/lerna/lerna/issues/new/choose Thank you all for being a part of this awesome community, we could not be more excited to help move things forward from here 🙏 🚀 |
Hi @keving17, following on from the note above, looking at this issue specifically the relevant packages have all since been refactored/patched and there are no such audit warnings when using our latest v5 packages we released since we took over. Many thanks again! |
Expected Behavior
Lerna uses dependency
@evocateur/npm-registry-fetch
which appears to be an unmaintained version ofnpm/npm-registry-fetch
. Last monthnpm/npm-registry-fetch
released an update that resolves a security vulnerability where logs stored user credentials. Logs should not include sensitive data: https://exchange.xforce.ibmcloud.com/vulnerabilities/184667Current Behavior
Logs currently store user credentials since
@evocateur/npm-registry-fetch
has not been updated to pull in the security fix.https://github.com/evocateur/npm-registry-fetch/blob/latest/check-response.js#L34
Possible Solution
Lerna can use the original
npm/npm-registry-fetch
or needs to get@evocateur/npm-registry-fetch
to update with the security fix. Here is the PR that appears to have resolved issue fornpm/npm-registry-fetch
: npm/npm-registry-fetch#29Steps to Reproduce (for bugs)
The text was updated successfully, but these errors were encountered: