GoogleChrome / workbox

📦 Workbox: JavaScript libraries for Progressive Web Apps
https://developers.google.com/web/tools/workbox/
MIT License

CVE-2021-43138: Prototype Pollution in async #3061

Closed huineng closed 2 years ago

huineng commented 2 years ago

Hi, I'm getting several audit warnings related to https://github.com/advisories/GHSA-fwr7-v2mv-hh25

Affected library: workbox-webpack-plugin; also addressed here: https://github.com/jakejs/jake/issues/408

```
async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install workbox-webpack-plugin@6.3.0, which is a breaking change
node_modules/jake/node_modules/async
  jake  >=8.0.1
  Depends on vulnerable versions of async
  node_modules/jake
    ejs  >=3.1.2
    Depends on vulnerable versions of jake
    node_modules/ejs
      @surma/rollup-plugin-off-main-thread  >=2.2.0
      Depends on vulnerable versions of ejs
      node_modules/@surma/rollup-plugin-off-main-thread
        workbox-build  >=6.4.0
        Depends on vulnerable versions of @surma/rollup-plugin-off-main-thread
        node_modules/workbox-build
          workbox-webpack-plugin  >=6.4.0
          Depends on vulnerable versions of workbox-build
          node_modules/workbox-webpack-plugin
```

thanks
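
The audit output above matters for one reason that is easy to miss: the vulnerable copy of `async` lives at `node_modules/jake/node_modules/async`, a nested copy that only `jake` resolves, so a patched hoisted `async` at the top level does not help. The following script is an added example, not Workbox or npm code: it walks a package-lock-style dependency tree and reports every path that reaches a package version inside an advisory's affected range. The tree is constructed to mirror the chain reported by `npm audit` (workbox-webpack-plugin > workbox-build > @surma/rollup-plugin-off-main-thread > ejs > jake > async); the fixed bound `<3.2.2` comes from the advisory, while all other version numbers are assumptions chosen for the example.

```javascript
// Added example (not Workbox/npm project code): locate every dependency path
// in a lockfile-style tree that reaches a vulnerable version of a package.
// Advisory bound (async < 3.2.2) is from GHSA-fwr7-v2mv-hh25; every other
// version number below is an assumption constructed for this example.

// Parse "major.minor.patch" into numbers; pre-release tags are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric semver comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The advisory: any version strictly below fixedIn is affected.
const ADVISORY = { id: 'GHSA-fwr7-v2mv-hh25', name: 'async', fixedIn: '3.2.2' };

// Constructed tree modelled on the npm audit chain above. Each node carries
// its own nested "dependencies", the way npm nests node_modules when a
// package needs a version different from the hoisted one.
const lockTree = {
  'workbox-webpack-plugin': { version: '6.4.2', dependencies: {
    'workbox-build': { version: '6.4.2', dependencies: {
      '@surma/rollup-plugin-off-main-thread': { version: '2.2.3', dependencies: {
        'ejs': { version: '3.1.6', dependencies: {
          'jake': { version: '10.8.2', dependencies: {
            // nested copy: this is node_modules/jake/node_modules/async
            'async': { version: '0.9.2', dependencies: {} },
          } },
        } },
      } },
    } },
  } },
  // hoisted top-level copy, already above the fixed bound; it does not
  // protect jake, which resolves its own nested copy instead
  'async': { version: '3.2.3', dependencies: {} },
};

// Depth-first walk; returns one "a@1 > b@2 > ..." string per vulnerable path.
function findVulnerablePaths(tree, advisory) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, node] of Object.entries(deps)) {
      const here = [...path, `${name}@${node.version}`];
      if (name === advisory.name &&
          compareVersions(node.version, advisory.fixedIn) < 0) {
        hits.push(here.join(' > '));
      }
      walk(node.dependencies || {}, here);
    }
  }
  walk(tree, []);
  return hits;
}

// Returns a copy of the tree with every copy of advisory.name bumped to the
// fixed version, to show what a successful upstream fix looks like.
function patchAll(tree, advisory) {
  const copy = JSON.parse(JSON.stringify(tree));
  function walk(deps) {
    for (const [name, node] of Object.entries(deps)) {
      if (name === advisory.name &&
          compareVersions(node.version, advisory.fixedIn) < 0) {
        node.version = advisory.fixedIn;
      }
      walk(node.dependencies || {});
    }
  }
  walk(copy);
  return copy;
}

for (const p of findVulnerablePaths(lockTree, ADVISORY)) {
  console.log(`${ADVISORY.id}: ${p}`);
}
```

Running it prints the single nested path through `jake`, and `findVulnerablePaths(patchAll(lockTree, ADVISORY), ADVISORY)` returns an empty list, which is the state the later comments in this thread report once `ejs` 3.1.7 pulled in a fixed `jake`. The same walk applies to a real `package-lock.json` v1 tree, whose `dependencies` objects have the same `version` and nested `dependencies` shape.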

MCYouks commented 2 years ago

Same here!

akksa commented 2 years ago

Same here.

userquin commented 2 years ago

Published ejs 3.1.7: fixed jake dependency.

jeffposnick commented 2 years ago

I can confirm that a fresh install of the various Workbox builds tools shows that the open vulnerability has been resolved, as @surma/rollup-plugin-off-main-thread now pulls in ejs v3.1.7.