Update package-json to >=8.0.0 for vulnerability in got >= 12.0.0, < 12.1.0, < 11.8.5

[imutkarshpatil]

Environment

• nodemon -v: 2.0.15
• node -v: v14.18.1
• Operating system/terminal environment: macOS 12.5

Issue

nodemon@2.0.15 requires got@^9.6.0 via a transitive dependency on package-json@6.5.0

• Vulnerabilty: The got package before 12.1.0 for Node.js allows a redirect to a UNIX socket.
• Affected Versions: >= 12.0.0, < 12.1.0, < 11.8.5
• Patched versions: 12.1.0, 11.8.5
• References
  • GHSA-pfrx-2q88-qq97
  • https://nvd.nist.gov/vuln/detail/CVE-2022-33987
  • Disable redirects to UNIX sockets sindresorhus/got#2047
  • sindresorhus/got@v12.0.3...v12.1.0
  • sindresorhus/got@861ccd9
  • https://github.com/sindresorhus/got/releases/tag/v11.8.5
  • https://github.com/sindresorhus/got/releases/tag/v12.1.0

Possible fix

• Upgrade dependency version of package-json to >=8.0.0 as it points to fixed dependency for got >12.1.0

[gaborszita]

Duplicate of: #2023

[remy]

Releasing now.

[kevinswarner]

I am not sure this was resolved. When I install the latest nodemon, and then run an audit, I get the following results...

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Got allows a redirect to a UNIX socket                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ got                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=11.8.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nodemon > update-notifier > latest-version > package-json >  │
│               │ got                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-pfrx-2q88-qq97            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 1474 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Perhaps I did not update nodemon correctly?

Thanks!

[gaborszita]

@kevinswarner Can you show me your package.json and package-lock.json files? I can setup a project with these files on my computer and check if I get the same error.

[remy]

Had to revert, it borked people's install.

[kevinswarner]

Here are my deps and dev deps. I deleted my lock file and reinstalled, but got the same result.

"dependencies": {
    "@aws-sdk/client-dynamodb": "^3.21.0",
    "@aws-sdk/client-s3": "^3.23.0",
    "@aws-sdk/lib-storage": "^3.32.0",
    "@aws-sdk/s3-request-presigner": "^3.81.0",
    "@aws-sdk/util-dynamodb": "^3.21.0",
    "@digital-u/digital-university-models": "0.2.29",
    "@digital-u/digital-university-vendors": "^1.4.2",
    "@sendgrid/mail": "^7.4.2",
    "apollo-server": "^3.5.0",
    "apollo-server-core": "^3.3.0",
    "apollo-server-express": "^3.3.0",
    "bluebird": "^3.7.2",
    "bunyan": "^1.8.15",
    "cheerio": "^1.0.0-rc.10",
    "dayjs": "^1.11.0",
    "dotenv": "^8.2.0",
    "express": "^4.17.1",
    "graphql": "^15.5.3",
    "graphql-scalars": "^1.10.1",
    "graphql-type-json": "^0.3.2",
    "graphql-upload": "^15.0.1",
    "jsdom": "^16.4.0",
    "json-rules-engine": "^6.0.1",
    "json2csv": "^5.0.7",
    "jsonwebtoken": "^8.5.1",
    "keycloak-admin": "^1.14.4",
    "lodash": "^4.17.15",
    "mime-types": "^2.1.27",
    "nodemailer": "^6.7.1",
    "openid-client": "^4.2.2",
    "request": "2.88.2",
    "string-hash": "^1.1.3",
    "uuid": "^8.3.1"
  },
  "devDependencies": {
    "@babel/cli": "^7.15.7",
    "@babel/core": "^7.11.6",
    "@babel/node": "^7.10.5",
    "@babel/preset-env": "^7.11.5",
    "@digital-u/digital-university-wait": "^0.2.1",
    "@types/graphql-upload": "^8.0.11",
    "jest": "^27.5.1",
    "nodemon": "^2.0.18",
    "supertest": "^4.0.2",
    "xo": "^0.45.0"
  }

[gaborszita]

Had to revert, it borked people's install.

Okay, so we now have v2.0.17 that uses the new update-notifier, but v2.0.18 reverted this change, because v2.0.17 broke people's install. But that means v2.0.18 still has the vulnerability. So... how is this going to be fixed?

[gaborszita]

Here are my deps and dev deps. I deleted my lock file and reinstalled, but got the same result.

"dependencies": {
    "@aws-sdk/client-dynamodb": "^3.21.0",
    "@aws-sdk/client-s3": "^3.23.0",
    "@aws-sdk/lib-storage": "^3.32.0",
    "@aws-sdk/s3-request-presigner": "^3.81.0",
    "@aws-sdk/util-dynamodb": "^3.21.0",
    "@digital-u/digital-university-models": "0.2.29",
    "@digital-u/digital-university-vendors": "^1.4.2",
    "@sendgrid/mail": "^7.4.2",
    "apollo-server": "^3.5.0",
    "apollo-server-core": "^3.3.0",
    "apollo-server-express": "^3.3.0",
    "bluebird": "^3.7.2",
    "bunyan": "^1.8.15",
    "cheerio": "^1.0.0-rc.10",
    "dayjs": "^1.11.0",
    "dotenv": "^8.2.0",
    "express": "^4.17.1",
    "graphql": "^15.5.3",
    "graphql-scalars": "^1.10.1",
    "graphql-type-json": "^0.3.2",
    "graphql-upload": "^15.0.1",
    "jsdom": "^16.4.0",
    "json-rules-engine": "^6.0.1",
    "json2csv": "^5.0.7",
    "jsonwebtoken": "^8.5.1",
    "keycloak-admin": "^1.14.4",
    "lodash": "^4.17.15",
    "mime-types": "^2.1.27",
    "nodemailer": "^6.7.1",
    "openid-client": "^4.2.2",
    "request": "2.88.2",
    "string-hash": "^1.1.3",
    "uuid": "^8.3.1"
  },
  "devDependencies": {
    "@babel/cli": "^7.15.7",
    "@babel/core": "^7.11.6",
    "@babel/node": "^7.10.5",
    "@babel/preset-env": "^7.11.5",
    "@digital-u/digital-university-wait": "^0.2.1",
    "@types/graphql-upload": "^8.0.11",
    "jest": "^27.5.1",
    "nodemon": "^2.0.18",
    "supertest": "^4.0.2",
    "xo": "^0.45.0"
  }

You need to use v2.0.17, read my last comment. It seems there are some issues with bumping update-notifier to the new version, so let's just wait for a fix.

[gaborszita]

By reading issue #2031 we can see that due to issues with update-notifier the project owner plans to drop this dependency entirely in the next release. So, hopefully, this will get fixed in the next release. Until then, I recommend using v2.0.17 if it doesn't break your install, and otherwise use v2.0.18 or v2.0.16.

[github-actions]

🎉 This issue has been resolved in version 2.0.19 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀