beemojs / beemo

🤖 Centralized configuration layer for dev tools. Beep boop.
https://beemo.dev
MIT License
143 stars, 9 forks

release patch for @beemo/core 1.1.x with updated dependency hygen #142

Open evansrobert opened 3 years ago

evansrobert commented 3 years ago

Hi, @milesj,

Issue Description

When I build my project, I notice that a vulnerability SNYK-JS-EJS-1049328 detected in package ejs<3.1.6 is transitively referenced by @beemo/core@1.1.8. However, @beemo/core@1.1.8 is so popular that a large number of latest versions of active and popular downstream projects depend on it (712 downloads per week and about 81 downstream projects, e.g., @oriflame/lumos 3.1.68, @rajzik/lumos 6.0.13, @rajzik/config-eslint 4.2.6, @oriflame/config-eslint 3.3.19, @oriflame/config-webpack 3.2.39, etc.). In this case, the vulnerability SNYK-JS-EJS-1049328 can be propagated into these downstream projects and expose security threats to them. As you can see, @beemo/core@1.1.8 is introduced into the above projects via the following package dependency paths: (1) @aydink/plugin-chart-table-extended@0.38.5 ➔ @airbnb/config-babel@3.1.0 ➔ @airbnb/nimbus-common@3.0.1 ➔ @beemo/core@1.1.8 ➔ hygen@5.0.3 ➔ ejs@2.7.4 ......

I know that it's kind of you to have removed the vulnerability since @beemo/core@2.0.0-rc.0. But, in fact, the above large amount of downstream projects cannot easily upgrade @beemo/core from version 1.1.8 to (>=2.0.0-rc.0): The projects such as @airbnb/nimbus-common, which introduced @beemo/core@1.1.8, are not maintained anymore. These unmaintained packages can neither upgrade @beemo/core nor be easily migrated by the large amount of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package @beemo/core@1.1.8?

Suggested Solution

Since these inactive projects set a version constraint 1.1.* for @beemo/core on the above vulnerable dependency paths, if @beemo/core removes the vulnerability from 1.1.8 and releases a new patched version @beemo/core@1.1.9, such a vulnerability patch can be automatically propagated into the downstream projects.

In @beemo/core@1.1.9, maybe you can try to perform the following upgrade: hygen ^5.0.3 ➔ ^6.0.0;
Note: hygen@6.0.0(>=6.0.0) directly depends on ejs@3.1.6 which has fixed the vulnerability SNYK-JS-EJS-1049328.

Thank you for your attention to this issue, and you are welcome to share other ways to resolve it.

Best regards, ^_^

milesj commented 3 years ago

@evansrobert Can a yarn resolution for ejs be used here?

In a somewhat related note, I built and maintained Nimbus while I was at Airbnb. Since then, I went ahead and built https://github.com/beemojs/dev, which is very similar to Nimbus. If you're ever looking to migrate away from Nimbus, I would suggest that.
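The thread turns on two things a downstream maintainer would want to verify: that the vulnerable `ejs` really is reachable through `@beemo/core ➔ hygen`, and that a yarn `resolutions` override (`"resolutions": { "ejs": "^3.1.6" }` in package.json) actually removes every path to a version below 3.1.6. The script below is an added example, not code from beemo, hygen, or either participant. It walks a constructed `npm ls --json`-style tree mirroring the path quoted in the issue, reports every path that ends in a vulnerable `ejs`, and simulates what a resolution does (rewrite every occurrence of the package, regardless of the range its dependent declared). The tree, the package name `example-app`, and the helper names are assumptions for illustration.

```javascript
// Added example (not beemo's or hygen's code). Finds dependency paths that
// reach a vulnerable package version and simulates a yarn "resolutions"
// override on an `npm ls --json`-style tree.

// Compare dotted numeric versions; any pre-release suffix is ignored, which
// is sufficient for the ejs versions discussed in the issue. True when a < b.
function versionLt(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk returning every path "root@v > ... > pkg@v" whose final
// node is `pkg` at a version for which `isVulnerable(version)` is true.
function findVulnerablePaths(tree, pkg, isVulnerable) {
  const hits = [];
  const walk = (node, name, path) => {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && isVulnerable(node.version)) hits.push(here.join(' > '));
    for (const [child, sub] of Object.entries(node.dependencies || {})) {
      walk(sub, child, here);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

// Simulate `"resolutions": { [pkg]: version }`: every instance of `pkg` in
// the tree is pinned to `version`. Note what this does NOT do: it never checks
// that the dependent's own range (hygen's "ejs" range here) permits that
// version, so a build/test run is still needed after applying a resolution.
function applyResolution(tree, pkg, version) {
  const copy = JSON.parse(JSON.stringify(tree));
  const rewrite = (node, name) => {
    if (name === pkg) node.version = version;
    for (const [child, sub] of Object.entries(node.dependencies || {})) {
      rewrite(sub, child);
    }
  };
  rewrite(copy, copy.name);
  return copy;
}

// Constructed tree (assumption) reproducing the tail of the path in the issue.
const treeBefore = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    '@beemo/core': {
      version: '1.1.8',
      dependencies: {
        hygen: {
          version: '5.0.3',
          dependencies: { ejs: { version: '2.7.4' } },
        },
      },
    },
  },
};

// SNYK-JS-EJS-1049328 as stated in the issue: affected when ejs < 3.1.6.
const ejsVulnerable = (v) => versionLt(v, '3.1.6');

const treeAfter = applyResolution(treeBefore, 'ejs', '3.1.6');

console.log('before:', findVulnerablePaths(treeBefore, 'ejs', ejsVulnerable));
console.log('after :', findVulnerablePaths(treeAfter, 'ejs', ejsVulnerable));
```

To run this against a real project instead of the constructed tree, feed it the parsed output of `npm ls --all --json` (or the equivalent yarn listing) as `treeBefore`; the walk and the version check are unchanged. The resolution approach fixes the reachable version only in the consuming project's own lockfile, which is why the issue still asks for a patched `@beemo/core@1.1.x` that propagates through the `1.1.*` ranges the unmaintained packages declare.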