CumulusDS / dlq

CLI tool to manipulate AWS Dead Letter Queues
MIT License

resolve redos in normalize-url - GHSA-px4h-xg32-q955 #39

Closed jeffsays closed 3 years ago

jeffsays commented 3 years ago

Summary

What does this PR do?

resolve redos in normalize-url - GHSA-px4h-xg32-q955

bad

yarn why v1.22.5
[1/4] 🤔  Why do we have the module "normalize-url"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚑  Calculating file sizes...
=> Found "normalize-url@4.5.0"
info Reasons this module exists
   - "flow-typed#got#cacheable-request" depends on it
   - Hoisted from "flow-typed#got#cacheable-request#normalize-url"
info Disk size without dependencies: "32KB"
info Disk size with unique dependencies: "32KB"
info Disk size with transitive dependencies: "32KB"
info Number of shared dependencies: 0
✨  Done in 0.49s.

good

yarn why v1.22.5
[1/4] 🤔  Why do we have the module "normalize-url"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚑  Calculating file sizes...
=> Found "normalize-url@4.5.1"
info Reasons this module exists
   - "flow-typed#got#cacheable-request" depends on it
   - Hoisted from "flow-typed#got#cacheable-request#normalize-url"
info Disk size without dependencies: "32KB"
info Disk size with unique dependencies: "32KB"
info Disk size with transitive dependencies: "32KB"
info Number of shared dependencies: 0
✨  Done in 0.92s.

resolves other vulnerabilities that aren't showing (yet?)

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix`
node_modules/chokidar/node_modules/glob-parent
node_modules/flow-copy-source/node_modules/glob-parent
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar

normalize-url  <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via `npm audit fix`
node_modules/normalize-url

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix`
node_modules/flow-copy-source/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of yargs-parser
  node_modules/flow-copy-source/node_modules/yargs
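As an added example (not code from this PR or the dlq project), a small dependency-free check that decides whether an installed version falls inside the advisory ranges quoted above and scans `yarn why` style output for affected packages; the function names and the SAMPLE line are assumptions of this example.

```javascript
// Minimal npm-style range matcher; mirrors the advisory syntax in the audit output above.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}
// Returns -1, 0 or 1; a prerelease (1.0.0-rc1) sorts before its release (1.0.0).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1; // simplification: lexical order of prerelease tags
}
// Supports "||" alternatives, hyphen ranges ("a - b") and <, <=, >, >=, = comparators.
function satisfiesRange(version, range) {
  return range.split('||').some(alternative => {
    const alt = alternative.trim();
    const hyphen = /^(\S+)\s+-\s+(\S+)$/.exec(alt);
    if (hyphen) {
      return compareVersions(version, hyphen[1]) >= 0 && compareVersions(version, hyphen[2]) <= 0;
    }
    return alt.split(/\s+/).every(comparator => {
      const [, op, target] = /^(<=|>=|<|>|=)?(.+)$/.exec(comparator);
      const cmp = compareVersions(version, target);
      if (op === '<') return cmp < 0;
      if (op === '<=') return cmp <= 0;
      if (op === '>') return cmp > 0;
      if (op === '>=') return cmp >= 0;
      return cmp === 0; // bare version or "=" means an exact match
    });
  });
}
// Vulnerable ranges copied from the npm audit output in this PR.
const ADVISORIES = {
  'glob-parent': '<5.1.2',
  'normalize-url': '<=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0',
  'yargs-parser': '<=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1',
};
// Scan `yarn why` style output for "name@version" strings and report any in a vulnerable range.
function findVulnerable(yarnOutput, advisories = ADVISORIES) {
  const hits = [];
  for (const [, name, version] of yarnOutput.matchAll(/"(@?[^@"\s]+)@([^"\s]+)"/g)) {
    if (advisories[name] && satisfiesRange(version, advisories[name])) hits.push(`${name}@${version}`);
  }
  return hits;
}
const SAMPLE = '=> Found "normalize-url@4.5.0"'; // constructed from the "bad" output above
```

Running `findVulnerable` over the "good" output above reports nothing, because 4.5.1 sits outside every alternative of the normalize-url range.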

jeffsays commented 3 years ago

duplicate https://github.com/CumulusDS/dlq/pull/38