amqp-node / amqplib

AMQP 0-9-1 library and client for Node.JS
https://amqp-node.github.io/amqplib/

Is it possible to remove the vulnerability introduced by package url-parse@1.4.7? #639

Closed vincentsum777 closed 2 years ago

vincentsum777 commented 3 years ago

Hi, @squaremo @xamgore, I stumbled upon a vulnerability introduced by package url-parse@1.4.7:

Issue Description

When I build my project, I note that amqplib@0.5.6 directly depends on url-parse@1.4.7. However, the vulnerability CVE-2021-27515 is detected in package url-parse (<1.5.0).
As far as I am aware, amqplib@0.5.6 is so popular that a large number of projects depend on it (126,383 downloads per week and about 1,672 downstream projects, e.g., nestjs-amqp 0.2.0, quadro 1.3.6, @mocobaas/server-sdk 2.7.3, @caplin/karma-test-runner 8.2.0, @nestjs.pro/common 1.0.123, etc.). In this case, the vulnerability CVE-2021-27515 can be propagated into these downstream projects and expose security threats to them. As you can see, amqplib@0.5.6 is introduced into the above projects via the following package dependency paths:

(1) @caplin/karma-test-runner@8.2.0 ➔ karma-log-update-reporter@1.4.0 ➔ karma@2.0.5 ➔ log4js@2.11.0 ➔ amqplib@0.5.6 ➔ url-parse@1.4.7
(2) @nestjs.pro/common@1.0.123 ➔ @nestjs-plus/rabbitmq@1.4.4 ➔ amqplib@0.5.6 ➔ url-parse@1.4.7
......

I know that it’s kind of you to have removed the vulnerability since amqplib@0.7.1. But, in fact, the above large amount of downstream projects cannot easily upgrade amqplib from version 0.5.6 to (>=0.7.1): The projects such as karma-log-update-reporter, which introduced amqplib@0.5.6, are not maintained anymore. These unmaintained packages can neither upgrade amqplib nor be easily migrated by the large amount of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package amqplib@0.5.6?

Suggested Solution

Since these inactive projects set a version constraint 0.5.* for amqplib on the above vulnerable dependency paths, if amqplib removes the vulnerability from 0.5.6 and releases a new patched version amqplib@0.5.7, such a vulnerability patch can be automatically propagated into the downstream projects.

The simplest way to remove the vulnerability is to perform the following upgrade in amqplib@0.5.7: url-parse ~1.4.3 ➔ ~1.5.0.
Note: url-parse@1.5.0 (>=1.5.0) has fixed the vulnerability (CVE-2021-27515). Of course, you are welcome to share other ways to deal with the issue.

Thank you for your attention to this issue. ^_^
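An added example, not code from the amqplib project or from the issue's author: a small Node.js audit that walks a package-lock-style nested dependency tree and reports every path ending in a url-parse version below 1.5.0 (the fixed version the issue cites for CVE-2021-27515), plus a minimal matcher for the two range shapes the issue mentions (`0.5.*` and `~1.5.0`) that shows why a patched 0.5.7 would be picked up by a `0.5.*` pin. The `sampleLock` tree and the `other-lib` package in it are constructed for the example; only the rabbitmq path mirrors one from the issue.

```javascript
// Split "major.minor.patch" into numbers; missing components count as 0.
function parseVersion(v) {
  return v.split('.').map(Number);
}

// True when version a is strictly lower than version b.
function versionLess(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// Minimal semver matcher for the shapes in the issue: "0.5.*" (same major.minor)
// and "~1.5.0" (same major.minor, patch >= given). Anything else is exact match.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.endsWith('.*')) {
    const r = parseVersion(range.slice(0, -2));
    return v[0] === r[0] && v[1] === r[1];
  }
  if (range.startsWith('~')) {
    const r = parseVersion(range.slice(1));
    return v[0] === r[0] && v[1] === r[1] && v[2] >= r[2];
  }
  return version === range;
}

// Depth-first walk over a lockfile-style tree { name: { version, dependencies } },
// returning "a@1 > b@2 > pkg@x" strings for every pkg below fixedIn.
function findVulnerablePaths(deps, pkg, fixedIn, trail = []) {
  const hits = [];
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, `${name}@${info.version}`];
    if (name === pkg && versionLess(info.version, fixedIn)) hits.push(path.join(' > '));
    hits.push(...findVulnerablePaths(info.dependencies, pkg, fixedIn, path));
  }
  return hits;
}

// Constructed sample tree: one path from the issue, one made-up patched sibling.
const sampleLock = {
  '@nestjs-plus/rabbitmq': { version: '1.4.4', dependencies: {
    amqplib: { version: '0.5.6', dependencies: { 'url-parse': { version: '1.4.7' } } } } },
  'other-lib': { version: '2.0.0', dependencies: {
    amqplib: { version: '0.7.1', dependencies: { 'url-parse': { version: '1.5.1' } } } } },
};

console.log(findVulnerablePaths(sampleLock, 'url-parse', '1.5.0'));
console.log('0.5.7 satisfies 0.5.*:', satisfies('0.5.7', '0.5.*'));
```

Running it prints the single vulnerable path through amqplib@0.5.6 and confirms that a hypothetical 0.5.7 release would fall inside the `0.5.*` constraint the downstream projects use.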

cressie176 commented 2 years ago

My 2c is we shouldn't do this. It's enough to maintain a library as popular as amqplib without having to consider previous versions still imported by unmaintained 3rd party libraries.

cressie176 commented 2 years ago

Closing, but happy to reconsider if there are good grounds to do so