Closed sefiros1 closed 1 year ago
@sefiros1 Thanks for opening the issue.
semver@6 is used in this module elastic-apm-http-client and in elastic-apm-node (the module for this repo exists):
elastic-apm-node@3.47.0 /Users/trentm/el/apm-agent-nodejs
├─┬ elastic-apm-http-client@11.4.0
│ └── semver@6.3.0 deduped
└── semver@6.3.0
The vuln is a ReDoS vuln when untrusted input is given to semver.Range, also indirectly used by semver.satisfies(ver, range). The latter is used in many places in this code. However, in none of them is untrusted input given to the "range" argument. I suppose one arguable usage is this:
lib/opentelemetry-metrics/index.js
18:const isOTelMetricsFeatSupported = semver.satisfies(process.version, _supportRange)
However, that _supportsRange is from "node_modules/@opentelemetry/sdk-metrics/package.json". If that has been compromised in the install of this package, then the security game is up already. In conclusion: I don't think this package is affected by this vulnerability in semver.
Normally, one would just update to a fixed version of semver and move on. However, there isn't one that we can use. Currently per https://github.com/npm/node-semver/pull/564#issuecomment-1604502152 there is only a released fix for semver@7 and no current plans to backport.
We cannot use semver@7 because its minimum supported Node.js version is v10. This package, elastic-apm-node@3, currently supports back to Node.js v8.6. (Note that we are currently planning a v4 major version bump that will drop support for Node.js v8. For that version we will upgrade our semver dependency.)
I realize that this means we will fail npm audit until elastic-apm-node@4 is released (there is no current release date plan for that). Hopefully that is not too disruptive for users.
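The comment above rests on one invariant: no untrusted string ever reaches the "range" argument of semver.Range / semver.satisfies. For a code base that is stuck on an unfixed semver release and cannot verify that invariant by inspection alone, the following added example (not code from elastic-apm-node, elastic-apm-http-client or node-semver) enforces it at the call site by bounding and allowlisting the range string before it is handed to the parser. The length and whitespace limits, the character set, and the `checkRangeInput` / `safeSatisfies` names are assumptions made for this example, not limits documented by semver; the sample inputs are constructed.

```javascript
'use strict';
// Added example, not project code. Pre-validates a semver range string so that
// an oversized, repetitive or otherwise foreign input never reaches semver.Range.
// It does not try to know which regex inside semver is slow; it simply bounds
// what any regex in the range parser can be fed. All limits are assumptions.

const MAX_RANGE_LENGTH = 256;   // assumption: no legitimate range is this long
const MAX_WHITESPACE_RUN = 4;   // assumption: real ranges separate tokens with few spaces
// Characters a semver range can contain: digits, identifiers, '.', '+', '-',
// operators (^ ~ < > =), '||', '*' and single spaces. Anchored, and only ever
// applied to length-bounded input, so this test itself runs in linear time.
const RANGE_CHARSET = /^[0-9A-Za-z.+\-^~<>=|* ]*$/;

// Returns { ok: true, range } with a trimmed copy, or { ok: false, reason }.
function checkRangeInput(input) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'range must be a string' };
  }
  const range = input.trim();
  if (range.length === 0) {
    return { ok: false, reason: 'empty range' };
  }
  if (range.length > MAX_RANGE_LENGTH) {
    return { ok: false, reason: `range longer than ${MAX_RANGE_LENGTH} characters` };
  }
  if (!RANGE_CHARSET.test(range)) {
    return { ok: false, reason: 'range contains characters outside the semver grammar' };
  }
  // Reject long runs of whitespace with a plain loop rather than another regex.
  let run = 0;
  for (const ch of range) {
    run = ch === ' ' ? run + 1 : 0;
    if (run > MAX_WHITESPACE_RUN) {
      return { ok: false, reason: `more than ${MAX_WHITESPACE_RUN} consecutive spaces` };
    }
  }
  return { ok: true, range };
}

// Wrapper around semver.satisfies. The `satisfies` function is passed in so this
// file runs without the semver package installed; in real code pass
// require('semver').satisfies. The advisory concerns the range argument, so only
// that side is gated here; a bad range is refused before any parsing happens.
function safeSatisfies(version, range, satisfies) {
  const checked = checkRangeInput(range);
  if (!checked.ok) {
    throw new TypeError(`refusing to parse semver range: ${checked.reason}`);
  }
  return satisfies(version, checked.range);
}

// Constructed inputs for a stand-alone run (not taken from the issue).
function demo() {
  const inputs = [
    '>=8.6.0 <9',                        // ordinary engines-style range: accepted
    '1.0.0' + ' '.repeat(20) + '1.0.0',  // whitespace-padded: rejected
    'x'.repeat(300),                      // oversized: rejected
    '>=1.0.0; rm -rf /',                  // characters outside the grammar: rejected
  ];
  return inputs.map((i) => ({ input: i.slice(0, 24), ok: checkRangeInput(i).ok }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}

if (typeof module !== 'undefined') {
  module.exports = { checkRangeInput, safeSatisfies, demo };
}
```

A range read from an installed package.json (as in the `_supportRange` case above) would pass this check unchanged, so wrapping every `semver.satisfies` call costs nothing for the trusted paths and turns an accidental future use of request-derived input into a thrown TypeError instead of a slow regex.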
Library: semver <7.5.2 has a vulnerability: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
Script: npm audit fails due to error: