
High security issue reported by npm for dependency parse-path <5.0.0 #423

Closed
xr-james opened this issue Jul 10, 2022 · 2 comments · Fixed by #426

Comments

@xr-james

NPM is currently alerting users to a severe error in the CLI when installing or working with this package, @semantic-release/gitlab. When examining the details from npm audit, it specifically references an exploit available in the parse-path dependency when using versions < 5.0.0.

# npm audit report

parse-path  <5.0.0
Severity: high
Authorization Bypass in parse-path - https://github.com/advisories/GHSA-3j8f-xvm3-ffx4
fix available via `npm audit fix --force`
Will install @semantic-release/gitlab@1.0.0, which is a breaking change
node_modules/@semantic-release/gitlab/node_modules/parse-path
  @semantic-release/gitlab  >=1.0.1
  Depends on vulnerable versions of parse-path
  node_modules/@semantic-release/gitlab

2 high severity vulnerabilities

The suggested fix is to install version 1.0.0 of this package which is quite a difference from the latest versions available.

Platform: Windows 10 Pro (19044.1766 - 21H2)
Node: 14.19.1
NPM: 8.6.0

Since I did not see this reported anywhere, I have submitted an issue for tracking and possibly a related patch.
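A defender-side check for the situation the audit output above describes, added here as an example that is not part of the issue or of the plugin's own code: it walks a package-lock.json `packages` map and flags every copy of a dependency whose version falls inside the advisory's range, nested installs included. The lockfile fragment, its versions, and the single-comparator range syntax it accepts are constructed assumptions.

```javascript
// Added example (not from the issue thread): scan a package-lock.json v2/v3 "packages" map for
// copies of a dependency inside an advisory range, including nested installs such as
// node_modules/@semantic-release/gitlab/node_modules/parse-path reported by npm audit above.
// "5.0.0" -> [5, 0, 0]; pre-release and build metadata are ignored for simplicity
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Handles the single-comparator ranges npm audit prints ("<5.0.0", ">=1.0.1", "=4.0.3")
function satisfies(version, range) {
  const m = /^(<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  switch (m[1] || '=') {
    case '<': return c < 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '>=': return c >= 0;
    default: return c === 0;
  }
}

// Every install path of `name` whose version falls in `vulnerableRange`, nested copies included
function findVulnerableInstalls(lock, name, vulnerableRange) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    // keys end with "node_modules/<name>"; the "" key is the root project itself
    if (!path.endsWith('node_modules/' + name)) continue;
    if (satisfies(info.version, vulnerableRange)) hits.push({ path, version: info.version });
  }
  return hits;
}

// Constructed lockfile fragment (versions illustrative): patched top-level parse-path, vulnerable nested copy
const sampleLock = {
  packages: {
    '': { name: 'my-project', version: '1.0.0' },
    'node_modules/parse-path': { version: '5.0.0' },
    'node_modules/@semantic-release/gitlab': { version: '9.4.0' },
    'node_modules/@semantic-release/gitlab/node_modules/parse-path': { version: '4.0.3' },
  },
};
```

Running `findVulnerableInstalls(sampleLock, 'parse-path', '<5.0.0')` reports only the nested copy, which is why `npm audit fix` cannot resolve it without touching the parent package.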

xr-james changed the title from "Severe security issue reported by npm for dependency parse-path <5.0.0" to "High security issue reported by npm for dependency parse-path <5.0.0" on Jul 10, 2022
@fgreinacher (Contributor)

Thanks @xr-james, there are already some automated PRs to upgrade this dependency (#415, #419 and #420) but the upgrade seems to break the plugin. I'll have a look!

fgreinacher added a commit that referenced this issue Jul 11, 2022
This fixes a vulnerability in parse-path (CVE-2022-0624)

Closes #423
@github-actions

🎉 This issue has been resolved in version 9.4.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
