
Update update-notifier to remove some vulnerabilities #221

Closed
wants to merge 1 commit into from

Conversation

@pedrombl pedrombl commented Nov 23, 2023

Hi @cossssmin, maizzle/framework has some vulnerabilities getting raised. One of them comes from this package.
I ran npm audit report and it brought me the report below. Then I executed npm audit fix --force, which updates the package update-notifier. Looks like the main breaking change is in the Node.js support.

➜  cli git:(master) npm audit report
# npm audit report

ansi-regex  3.0.0 || 4.0.0 - 4.1.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/inquirer-autosubmit-prompt/node_modules/ansi-regex
node_modules/inquirer-autosubmit-prompt/node_modules/string-width/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/package-json/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/xo/node_modules/semver

6 vulnerabilities (5 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix
  1 Update update-notifier to remove high vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force
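The report above only shows the chain got → package-json → latest-version → update-notifier as indentation. The script below is an added example, not code from the PR or from maizzle/framework: it takes the JSON form of the same report (`npm audit --json`, npm 7+ schema with `vulnerabilities`, `via`, `effects`, `isDirect` and `fixAvailable`) and resolves each advisory to the direct dependency that pulls it in, plus whether the available fix is a breaking bump. SAMPLE_AUDIT is constructed to mirror the got and semver chains from the report.

```javascript
// Added example, not code from the PR or from maizzle/framework. Given `npm audit --json`
// output (npm 7+), walk each advisory's `effects` chain up to the direct dependencies
// that pull it in, so a maintainer can see which entry in package.json actually has to
// change and whether the available fix is a semver-major (breaking) bump. SAMPLE_AUDIT is
// CONSTRUCTED to mirror the PR's report: got -> package-json -> latest-version -> update-notifier, and semver -> xo.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    got: {
      isDirect: false,
      via: [{ title: 'Got allows a redirect to a UNIX socket', severity: 'moderate',
              url: 'https://github.com/advisories/GHSA-pfrx-2q88-qq97' }],
      effects: ['package-json'],
      fixAvailable: { name: 'update-notifier', isSemVerMajor: true }, // needs --force
    },
    'package-json': { isDirect: false, via: ['got'], effects: ['latest-version'] },
    'latest-version': { isDirect: false, via: ['package-json'], effects: ['update-notifier'] },
    'update-notifier': { isDirect: true, via: ['latest-version'], effects: [] },
    semver: {
      isDirect: false,
      via: [{ title: 'semver vulnerable to Regular Expression Denial of Service',
              severity: 'moderate', url: 'https://github.com/advisories/GHSA-c2qf-rxjj-qqgw' }],
      effects: ['xo'], fixAvailable: true, // non-breaking: plain `npm audit fix`
    },
    xo: { isDirect: true, via: ['semver'], effects: [] },
  },
};

// A package is vulnerable itself when `via` holds advisory objects; string entries mean it
// only depends on a vulnerable package. Follow `effects` upward (seen-set guards against cycles).
function rootCauses(audit) {
  const vulns = audit.vulnerabilities, out = [];
  for (const [name, v] of Object.entries(vulns)) {
    const advisories = (v.via || []).filter((x) => typeof x === 'object');
    if (advisories.length === 0) continue; // transitively affected only
    const direct = new Set(), seen = new Set(), stack = [name];
    while (stack.length) {
      const cur = stack.pop();
      if (seen.has(cur) || !vulns[cur]) continue;
      seen.add(cur);
      if (vulns[cur].isDirect) direct.add(cur);
      stack.push(...(vulns[cur].effects || []));
    }
    const fix = v.fixAvailable;
    for (const a of advisories) {
      out.push({ package: name, advisory: a.url, severity: a.severity, directDependencies: [...direct].sort(),
                 breaking: typeof fix === 'object' && fix !== null && fix.isSemVerMajor === true });
    }
  }
  return out.sort((a, b) => a.package.localeCompare(b.package));
}
```

To run it against a real project, replace SAMPLE_AUDIT with `JSON.parse(require('fs').readFileSync(0, 'utf8'))` and pipe `npm audit --json` into it.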

@cossssmin
Member

Hi, thanks for this. The problem with that however is that update-notifier is ESM-only since v6, so we can't upgrade for now.

Until Maizzle 5 (complete framework rewrite, wip) I think a better option would be to just get rid of it temporarily, what do you think? It's a nice thing to have, but not at this expense I think...

@pedrombl
Author

@cossssmin oh, right. I don't have the context on the usage of update-notifier. Looks like it is only used here, right?

@cossssmin
Member

Yeah, it's just so that when you use the CLI commands it notifies you if there's a newer framework version.

@pedrombl
Author

@cossssmin got it, so I will close this for now. If I have some time I can open another PR to remove the update-notifier.

@pedrombl pedrombl closed this Nov 30, 2023
@pedrombl pedrombl deleted the remove-high-vulnerability branch November 30, 2023 14:51