Could you help remove the vulnerabilities introduced in your package? #794

Closed
paimon0715 opened this issue Jul 23, 2021 · 1 comment
@paimon0715

Hi, @webpro, there are two vulnerabilities introduced in your package release-it:

Issue Description

Vulnerabilities CVE-2020-28500 and CVE-2021-23337 are detected in package lodash<4.17.21, and lodash@4.17.20 is directly referenced by release-it@13.7.1. We noticed that the vulnerabilities have been removed since release-it@14.5.0.

However, release-it's popular previous version release-it@13.7.1 (13,881 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 68 downstream projects, e.g., vue-cli-plugin-vuetify-preset-kidsloop 0.3.0, cc-flow 13.15.0, nxpm 1.18.0, loql-marketplace 1.0.4, @syman/ark-mobile-cli 1.0.5, loql-marketplace@1.0.4, etc.).
As such, issues CVE-2020-28500 and CVE-2021-23337 can be propagated into these downstream projects and expose security threats to them.

These projects cannot easily upgrade release-it from version 13.7.1 to (>=14.5.0). For instance, release-it@13.7.1 is introduced into the above projects via the following package dependency paths:
(1) loql-marketplace@1.0.4 ➔ @crystallize/node-vipps@0.1.4 ➔ release-it@13.7.1 ➔ lodash@4.17.20
......

The projects such as @crystallize/node-vipps, which introduced release-it@13.7.1, are not maintained anymore. These unmaintained packages can neither upgrade release-it nor be easily migrated by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerabilities from package release-it@13.7.1?

Suggested Solution

Since these inactive projects set a version constraint 13.7.* for release-it on the above vulnerable dependency paths, if release-it removes the vulnerabilities from 13.7.1 and releases a new patched version release-it@13.7.2, such a vulnerability patch can be automatically propagated into the 68 affected downstream projects.

In release-it@13.7.2, you can kindly try to perform the following upgrade:
lodash 4.17.20 ➔ 4.17.21
Note:
lodash@4.17.21 (>=4.17.21) has fixed the vulnerabilities (CVE-2020-28500 and CVE-2021-23337).

Thank you for your contributions.

Best regards,
Paimon
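As an added illustration of the propagation argument in the issue (example code written for this page, not the issue author's or release-it's own): a small resolver over a constructed registry that walks the quoted dependency path to lodash<4.17.21, then shows the path disappearing once a hypothetical release-it@13.7.2 satisfies the 13.7.* constraint. The version ranges assigned to each package are assumptions, not the real package metadata.

```javascript
// Constructed example: registry, ranges and resolver are assumptions, not release-it's real metadata.
const parse = (v) => v.split(".").map(Number);

// Comparator on dotted numeric versions: negative, zero or positive.
function compareVersions(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Minimal range matcher: exact "1.2.3", wildcard "1.2.*" / "1.2.x", or ">=1.2.3".
function satisfies(version, range) {
  if (range.startsWith(">=")) return compareVersions(version, range.slice(2)) >= 0;
  const have = version.split(".");
  return range.split(".").every((p, i) => p === "*" || p === "x" || p === have[i]);
}
// As npm does: pick the highest published version that satisfies the range.
function resolve(registry, name, range) {
  const ok = Object.keys(registry[name] || {}).filter((v) => satisfies(v, range)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}
// Depth-first walk of the resolved tree; returns every path ending at a flagged package@version.
function findVulnerablePaths(registry, name, version, isVulnerable, trail = []) {
  const here = [...trail, `${name}@${version}`];
  if (isVulnerable(name, version)) return [here.join(" ➔ ")];
  return Object.entries(registry[name][version]).flatMap(([dep, range]) => {
    const v = resolve(registry, dep, range);
    return v ? findVulnerablePaths(registry, dep, v, isVulnerable, here) : [];
  });
}
// The issue's affected range: lodash below 4.17.21 (CVE-2020-28500, CVE-2021-23337).
const lodashVulnerable = (n, v) => n === "lodash" && compareVersions(v, "4.17.21") < 0;

// Constructed registry mirroring the dependency path quoted in the issue.
const registry = {
  lodash: { "4.17.20": {}, "4.17.21": {} },
  "release-it": { "13.7.1": { lodash: "4.17.20" }, "14.5.0": { lodash: "4.17.21" } },
  "@crystallize/node-vipps": { "0.1.4": { "release-it": "13.7.*" } },
  "loql-marketplace": { "1.0.4": { "@crystallize/node-vipps": "0.1.4" } },
};
function pathsBeforePatch() {
  return findVulnerablePaths(registry, "loql-marketplace", "1.0.4", lodashVulnerable);
}
// The suggested fix: publish release-it@13.7.2 on lodash 4.17.21; "13.7.*" now resolves to it.
function pathsAfterPatch() {
  const releaseIt = { ...registry["release-it"], "13.7.2": { lodash: "4.17.21" } };
  return findVulnerablePaths({ ...registry, "release-it": releaseIt }, "loql-marketplace", "1.0.4", lodashVulnerable);
}
console.log(pathsBeforePatch(), pathsAfterPatch()); // one vulnerable path, then none
```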

webpro added a commit that referenced this issue Jul 23, 2021
@webpro (Collaborator) commented Jul 23, 2021

@webpro webpro closed this as completed Jul 23, 2021