IBM / ibm-cos-sdk-js

Apache License 2.0

[Security] Need to bump up xml2js to be 0.5.0 to fix the security issue CVE-2023-0842 #101

Closed lukewang2018 closed 1 year ago

lukewang2018 commented 1 year ago

[Security] Need to bump up xml2js to be 0.5.0 to fix the security issue CVE-2023-0842

We are using ibm-cos-sdk-js, which depends on a vulnerable version of xml2js that is vulnerable to prototype pollution. Refer to https://github.com/advisories/GHSA-776f-qx25-q3cc

Could you help make a release with latest xml2js? Thanks a lot!

"xml2js": "^0.5.0",

btw, please also fix other audit issues via npm audit fix --force. Thanks!

ibm-cos-sdk-js % npm audit
# npm audit report

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install mocha@10.2.0, which is a breaking change
node_modules/mocha/node_modules/minimatch
  mocha  1.21.5 - 9.2.1
  Depends on vulnerable versions of minimatch
  Depends on vulnerable versions of mkdirp
  node_modules/mocha

minimist  <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install mocha@10.2.0, which is a breaking change
node_modules/mocha/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mocha/node_modules/mkdirp

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
No fix available
node_modules/request
  coveralls  *
  Depends on vulnerable versions of request
  node_modules/coveralls

xml2js  <=0.4.23
Severity: high
xml2js is vulnerable to prototype pollution  - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install xml2js@0.5.0, which is a breaking change
node_modules/xml2js

7 vulnerabilities (2 moderate, 2 high, 3 critical)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.
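
One way to see what the linked advisory means in practice, as an added example that is not code from ibm-cos-sdk-js or xml2js: a minimal model of an XML-to-object converter in the vulnerable shape, its hardened counterpart, and the pollution check a consumer can run after parsing untrusted XML. The element tree, element names and function names are constructed for the example and are not taken from either project.

```javascript
// Added example, not code from ibm-cos-sdk-js or xml2js: a model of the bug class
// behind CVE-2023-0842, where an XML-to-object converter that uses element names
// as plain-object keys can be steered into Object.prototype. The element tree is
// constructed by hand so this runs offline without an XML parser.

// Equivalent to <root><role>reader</role><__proto__><polluted>yes</polluted></__proto__></root>
const SAMPLE_TREE = { name: 'root', children: [
  { name: 'role', children: [], text: 'reader' },
  { name: '__proto__', children: [{ name: 'polluted', children: [], text: 'yes' }] },
] };

// Vulnerable pattern: recurse into target[name]. For name '__proto__' the lookup
// yields Object.prototype, so nested elements are written onto every object.
function mergeNaive(target, node) {
  for (const child of node.children) {
    if (child.children.length === 0) { target[child.name] = child.text; continue; }
    if (typeof target[child.name] !== 'object') target[child.name] = {};
    mergeNaive(target[child.name], child);
  }
  return target;
}

// Hardened pattern: deny names that address the prototype chain, use null-prototype
// containers and own-property checks, and report what was rejected.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, node, rejected = []) {
  for (const child of node.children) {
    if (FORBIDDEN.has(child.name)) { rejected.push(child.name); continue; }
    if (child.children.length === 0) { target[child.name] = child.text; continue; }
    if (!Object.prototype.hasOwnProperty.call(target, child.name)) {
      target[child.name] = Object.create(null);
    }
    mergeSafe(target[child.name], child, rejected);
  }
  return { result: target, rejected };
}

// Regression check a consumer can run after parsing untrusted XML.
function isPolluted(prop) { return ({})[prop] !== undefined; }

function demo() {
  const before = isPolluted('polluted');                       // false
  mergeNaive({}, SAMPLE_TREE);
  const afterNaive = isPolluted('polluted');                   // true
  delete Object.prototype.polluted;                            // undo for the safe run
  const { result, rejected } = mergeSafe(Object.create(null), SAMPLE_TREE);
  return { before, afterNaive, afterSafe: isPolluted('polluted'), rejected, result };
}
console.log(demo());
```

The same `isPolluted` check, run once before and once after parsing in a test suite, is a cheap way to catch a regression when a transitive dependency such as xml2js is downgraded again.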

IBMalok commented 1 year ago

@lukewang2018 We have an internal ticket open and are working on it. we will do a release soon.

lukewang2018 commented 1 year ago

Thanks @IBMalok for your quick response! Waiting for new release.

avinash1IBM commented 1 year ago

@lukewang2018 A new version of ibm-cos-sdk-js (1.13.1) is released with the vulnerability fix. Can you close this issue?

lukewang2018 commented 1 year ago

Thanks a lot! Yes, v1.13.1 will fix the issue.