Closed PAnilReddy closed 2 years ago
Any updates on this? It's a vulnerability and needs immediate attention.
Hi, you seem to have an outdated version. A day before the creation of this issue we pushed a release that updates @carbon/telemetry to 0.0.1, which AFAIK should address this.
If that's not the case, please feel free to reopen with new comments 🙂
@theiliad, I see the latest release was made 8 days ago and it's v0.55.1.
And I did install the latest and still see the vulnerable package (glob-parent@5.1.2) as part of it. Basically I don't see @carbon/telemetry at 0.0.1.
Can you let me know in which version it's fixed?
This seems like an issue inside carbon-components
@theiliad, can you confirm if this will be fixed as part of this issue, or should I raise one against carbon-components?
This is the carbon-charts repo.
As far as @jdharvey-ibm has told us there's a PR (https://github.com/carbon-design-system/carbon/pull/10982/files#diff-2c76dc06185f93bec73660e15338433b95eac6707317564c0f778f5b9abe446c) that's updated these deps, and there will be a release soon.
@jdharvey-ibm, could you please let us know when this comes out so that we can update?
I'm not actively tracking the releases from the carbon monorepo, but @joshblack or @tay1orjones could potentially keep you in the loop. Also, @PAnilReddy, if you have Dependabot or Renovate hooked up in your repo, it should automatically open PRs for you the next time it updates your project dependencies.
Hey, just want to close the loop here: the version of @carbon/telemetry was updated in v10.56.0.
https://github.com/carbon-design-system/carbon/blob/v10.56.0/packages/components/package.json#L66
Contact Details
apatloll@in.ibm.com
What happened?
Per the PSIRT, we need to move to glob-parent (6.0.1 or later). We are on the cloudpal version: @console/pal@1.454.1
Summary: Node.js glob-parent module denial of service CVE-2021-35065
Details: globparent-cve202135065-dos (208298) - reported on 2021-06-24 (Format: yyyy-mm-dd)
Node.js glob-parent module is vulnerable to a denial of service, caused by an error in the enclosure regex. By sending a specially crafted string prepended with the letter A, a remote attacker could exploit this vulnerability to cause a regular expression denial of service.
Consequences: Denial of Service
Remedy: Upgrade to the latest version of glob-parent module (6.0.1 or later), available from the NPM Web site. See References.
X-Force Record: https://exchange.xforce.ibmcloud.com/vulnerabilities/208298
Attention: If the CVE is excluded from OWASP scanning, make sure to include it back, while remediating corresponding PSIRT. Acknowledge with appropriate comment before closing the PSIRT.
As per https://www.cybersecurity-help.cz/vdb/SB2021072101, 5.1.2 is impacted. So we need a fix for this.
Version
@carbon/charts@0.54.12
Data & options used
No response
Relevant log output
Codesandbox example
No response