digitalbazaar / jsonld.js

A JSON-LD Processor and API implementation in JavaScript
https://json-ld.org/
1.66k stars 195 forks

A vulnerability introduced in your package #457

Open paimon0715 opened 3 years ago

paimon0715 commented 3 years ago

Hi @davidlehn, @tplooker, there is a vulnerability issue in your package:

Issue Description

A vulnerability CVE-2021-21366 detected in package xmldom<0.5.0 is directly referenced by jsonld@1.8.1. We noticed that such a vulnerability has been removed since jsonld@4.0.0.

However, jsonld's popular previous version jsonld@1.8.1 (244,528 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 280 downstream projects, e.g., lighthouse-ci 1.12.0, lighthouse-graphite 1.2.5, @bb-cli/bb-ang 5.0.2, @rdf-esm/formats-common 0.5.5, is-website-vulnerable 1.14.8, @hydrofoil/shaperone-hydra@0.2.2, etc.). As such, issue CVE-2021-21366 can be propagated into these downstream projects and expose security threats to them.

These projects cannot easily upgrade jsonld from version 1.8.1 to (>=4.0.0). For instance, jsonld@1.8.1 is introduced into the above projects via the following package dependency paths: (1) @hydrofoil/shaperone-hydra@0.2.2 ➔ alcaeus@1.2.0 ➔ @rdf-esm/formats-common@0.5.5 ➔ @rdfjs/parser-jsonld@1.2.1 ➔ jsonld@1.8.1 ➔ xmldom@0.1.19 (2) @rdf-esm/formats-common@0.5.5 ➔ @rdfjs/parser-jsonld@1.2.1 ➔ jsonld@1.8.1 ➔ xmldom@0.1.19 ......

The projects such as @rdfjs/parser-jsonld, which introduced jsonld@1.8.1, are not maintained anymore. These unmaintained packages can neither upgrade jsonld nor be easily migrated by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package jsonld@1.8.1?

Suggested Solution

Since these inactive projects set a version constraint 1.8.* for jsonld on the above vulnerable dependency paths, if jsonld removes the vulnerability from 1.8.1 and releases a new patched version jsonld@1.8.2, such a vulnerability patch can be automatically propagated into the 280 affected downstream projects.

In jsonld@1.8.2, you can kindly try to perform the following upgrade: xmldom 0.1.19 ➔ 0.5.0;
Note: xmldom@0.5.0(>=0.5.0) has fixed the vulnerability (CVE-2021-21366)

Thank you for your help.

Sincerely yours, Paimon
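The propagation argument made in the issue (a patch release jsonld@1.8.2 with xmldom bumped to 0.5.0 is picked up by every downstream that pins `1.8.*`, with no change on their side) can be checked mechanically. The script below is an added example, not code from jsonld.js or from the issue author: it resolves a constructed package-lock-style registry the way npm does (highest published version satisfying each range), lists every dependency path that ends in a version of xmldom below the fixed version, then simulates the suggested release and re-runs the audit. The package names and versions follow the dependency path quoted in the issue; the caret ranges on the intermediate packages (alcaeus, @rdf-esm/formats-common, @rdfjs/parser-jsonld) and the exact `xmldom: '0.1.19'` pin in jsonld@1.8.1 are assumptions made for illustration.

```javascript
// Added example: simulate how a patch release propagates through semver ranges.
// The registry below is constructed; only the jsonld -> xmldom path and the
// '1.8.*' constraint are taken from the issue, the other ranges are assumed.

function parseVersion(v) {
  return v.split('.').map(Number);
}

// Comparator for plain MAJOR.MINOR.PATCH strings (no prerelease tags).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range matcher: exact, 'X.Y.*', '^X.Y.Z', '~X.Y.Z' and '>=X.Y.Z'.
// This is a simplified stand-in for the semver package, not a full parser.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.endsWith('.*')) {
    const [major, minor] = parseVersion(range.slice(0, -2));
    return v[0] === major && v[1] === minor;
  }
  if (range.startsWith('^')) {
    const base = range.slice(1);
    const b = parseVersion(base);
    if (compareVersions(version, base) < 0) return false;
    // ^0.y.z only allows patch bumps; ^x.y.z with x > 0 allows minor and patch bumps.
    return b[0] === 0 ? v[0] === 0 && v[1] === b[1] : v[0] === b[0];
  }
  if (range.startsWith('~')) {
    const base = range.slice(1);
    const b = parseVersion(base);
    return compareVersions(version, base) >= 0 && v[0] === b[0] && v[1] === b[1];
  }
  if (range.startsWith('>=')) {
    return compareVersions(version, range.slice(2)) >= 0;
  }
  return compareVersions(version, range) === 0;
}

// npm-style resolution: the highest published version that satisfies the range.
function resolve(registry, name, range) {
  const candidates = Object.keys(registry[name] || {}).filter(v => satisfies(v, range));
  if (candidates.length === 0) return null;
  return candidates.sort(compareVersions).pop();
}

// Depth-first walk from a root. Returns every resolved path that ends in a
// version of advisory.name older than advisory.fixedIn.
function vulnerablePaths(registry, rootName, rootVersion, advisory) {
  const found = [];
  const walk = (name, version, path) => {
    const here = [...path, `${name}@${version}`];
    if (name === advisory.name && compareVersions(version, advisory.fixedIn) < 0) {
      found.push(here.join(' -> '));
      return;
    }
    if (here.length > 32) return; // guard against cycles in constructed data
    for (const [dep, range] of Object.entries(registry[name][version])) {
      const resolved = resolve(registry, dep, range);
      if (resolved !== null) walk(dep, resolved, here);
    }
  };
  walk(rootName, rootVersion, []);
  return found;
}

// Constructed registry: published versions and the ranges each one declares.
const registry = {
  '@hydrofoil/shaperone-hydra': { '0.2.2': { 'alcaeus': '^1.2.0' } },          // range assumed
  'alcaeus': { '1.2.0': { '@rdf-esm/formats-common': '^0.5.5' } },           // range assumed
  '@rdf-esm/formats-common': { '0.5.5': { '@rdfjs/parser-jsonld': '^1.2.1' } }, // range assumed
  '@rdfjs/parser-jsonld': { '1.2.1': { 'jsonld': '1.8.*' } },                // '1.8.*' per the issue
  'jsonld': { '1.8.1': { 'xmldom': '0.1.19' } },                             // exact pin assumed
  'xmldom': { '0.1.19': {}, '0.5.0': {} },
};

// CVE-2021-21366: the issue states xmldom >= 0.5.0 carries the fix.
const advisory = { name: 'xmldom', fixedIn: '0.5.0' };

// Simulate the suggested jsonld@1.8.2 release with xmldom bumped to 0.5.0.
function withPatchRelease(reg) {
  const patched = JSON.parse(JSON.stringify(reg));
  patched.jsonld['1.8.2'] = { xmldom: '0.5.0' };
  return patched;
}

const root = ['@hydrofoil/shaperone-hydra', '0.2.2'];
console.log('before:', vulnerablePaths(registry, ...root, advisory));
console.log('after: ', vulnerablePaths(withPatchRelease(registry), ...root, advisory));
```

Before the simulated release the audit reports the single path quoted in the issue, ending in `jsonld@1.8.1 -> xmldom@0.1.19`; after it, `1.8.*` resolves to 1.8.2 and the list is empty, without touching any of the intermediate packages. The same walk flags any other range that would not pick up the patch (for example an exact `jsonld: '1.8.1'` pin), which is the check a downstream maintainer wants before relying on a transitive patch release.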

bergos commented 2 years ago

@paimon0715 would be nice if you would open an issue before declaring packages like @rdfjs/parser-jsonld as "not maintained anymore". Btw I updated the dep in the mentioned package.