beautifier / js-beautify

Beautifier for javascript
https://beautifier.io
MIT License

CVE-2020-7788 #1937

Open YuriiKrvc opened 3 years ago

YuriiKrvc commented 3 years ago

This issue is related to the closed CVE-2020-7788 issue.

The current decision didn't help. I use express-hbs which has a dependency on js-beautify and I still have ini with the 1.3.5 version

│ ├─┬ js-beautify@1.13.13
│ │ ├─┬ config-chain@1.1.12
│ │ │ ├── ini@1.3.5

Are you planning to replace config-chain with rs, as recommended by the config-chain documentation?

bitwiseman commented 3 years ago

Config-chain requires ^1.3.4.

    "config-chain": {
      "version": "1.1.12",
      "resolved": "https://registry.npmjs.org/config-chain/-/config-chain-1.1.12.tgz",
      "integrity": "sha512-a1eOIcu8+7lUInge4Rpf/n4Krkf3Dd9lqhljRzII1/Zno/kRtUWnznPO3jOKBmTEktkt3fkxisUcivoj0ebzoA==",
      "requires": {
        "ini": "^1.3.4",
        "proto-list": "~1.2.1"
      }
    },

And package-lock.json specifies ini version 1.3.8.

In express-hbs they've updated to require 1.3.8 as well: https://github.com/TryGhost/express-hbs/commit/dab579b311bc9265f9faf87ff1800710eeb7982c

https://github.com/TryGhost/express-hbs/blob/b9c41630a4744780d3e16b3fba0df9205b60c38f/yarn.lock#L1431-L1434

If you're using a current version of express-hbs it should show the updated version of ini.

If you have time to take on replacing config-chain with rs, PRs are welcome. The related code paths should be relatively well tested. Thanks!
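The two points in the reply above (config-chain's `^1.3.4` range does admit 1.3.8, and it is the lockfile, not the range, that decides which copy of `ini` actually gets installed) as an added example. This is not code from js-beautify, config-chain or express-hbs: it audits a v1-style `package-lock.json` "dependencies" tree for any copy of a package resolved below a required minimum, and checks a caret range against the fixed version. The lockfile fragment it runs on is constructed for the example, including a deliberately stale nested `ini` copy.

```javascript
// Added example (not the project's code): find stale nested copies of a
// package in a v1-style package-lock "dependencies" tree, and check whether a
// declared caret range such as config-chain's "ini": "^1.3.4" admits the fix.
// SAMPLE_LOCK is constructed for this example, not taken from a real project.

const SAMPLE_LOCK = {
  dependencies: {
    "js-beautify": {
      version: "1.13.13",
      dependencies: {
        "config-chain": {
          version: "1.1.12",
          requires: { ini: "^1.3.4", "proto-list": "~1.2.1" },
          // constructed: a stale nested copy that shadows the hoisted one
          dependencies: { ini: { version: "1.3.5" } },
        },
      },
    },
    // constructed: the hoisted, updated copy
    ini: { version: "1.3.8" },
  },
};

// Parse "major.minor.patch" (a leading "v" is tolerated); prerelease tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareParsed(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compareVersions(a, b) {
  return compareParsed(parseVersion(a), parseVersion(b));
}

// Caret semantics: the leftmost non-zero component is held fixed.
// ^1.3.4 admits >=1.3.4 <2.0.0; ^0.2.1 admits >=0.2.1 <0.3.0; ^0.0.3 admits only 0.0.3.
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) throw new Error(`not a caret range: ${range}`);
  const lo = parseVersion(range.slice(1));
  const v = parseVersion(version);
  const hi = lo[0] !== 0 ? [lo[0] + 1, 0, 0]
    : lo[1] !== 0 ? [0, lo[1] + 1, 0]
    : [0, 0, lo[2] + 1];
  return compareParsed(v, lo) >= 0 && compareParsed(v, hi) < 0;
}

// Walk every nested "dependencies" map and report each copy of `name`
// resolved below `minVersion`, with the path through which it is reached.
function findBelowMinimum(lock, name, minVersion, path = []) {
  const hits = [];
  for (const [dep, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name && compareVersions(entry.version, minVersion) < 0) {
      hits.push({ path: here.join(" > "), version: entry.version });
    }
    hits.push(...findBelowMinimum(entry, name, minVersion, here));
  }
  return hits;
}

// True when `entry.requires` declares a caret range for `name` that admits `fixedVersion`.
function rangeAdmitsFix(entry, name, fixedVersion) {
  const range = entry.requires && entry.requires[name];
  return typeof range === "string" && caretSatisfies(range, fixedVersion);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const s of findBelowMinimum(SAMPLE_LOCK, "ini", "1.3.8")) {
    console.log(`stale copy: ${s.path} @ ${s.version}`);
  }
  const cc = SAMPLE_LOCK.dependencies["js-beautify"].dependencies["config-chain"];
  console.log(`config-chain's range admits 1.3.8: ${rangeAdmitsFix(cc, "ini", "1.3.8")}`);
}
```

On the constructed input this reports the nested `js-beautify > config-chain > ini @ 1.3.5` copy even though a hoisted `ini@1.3.8` exists and `^1.3.4` admits 1.3.8, which is exactly the situation the tree in the first comment shows: a range that permits the fix is not the same as a lockfile that installs it. To run it against a real lockfile, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; note it only understands the v1 nested `dependencies` shape, not the flat `packages` map of newer lockfiles.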

goatandsheep commented 9 months ago

@bitwiseman I made a fork of config-chain. I'm happy to open a PR to replace it with that for now https://www.npmjs.com/package/configuration-chain