electron / get

Download Electron release artifacts
https://npm.im/@electron/get
MIT License

Security vulnerability in a dependency #242

Closed julianna-ciq closed 1 year ago

julianna-ciq commented 1 year ago

I use @electron/get as a dependency, and I started failing audits for this issue: https://github.com/advisories/GHSA-8x6c-cv3v-vp6g

@electron/get v2.02 uses got v11.8.5, which uses cacheable-request v7.0.2. Any version of cacheable-request below 10.2.7 is vulnerable to the above advisory. The latest version of got, v12.5.3, references a safe version of cacheable-request, so updating the got dependency should also address this advisory.

I tried using yarn resolutions to force cacheable-request to v10.2.7, and I got the following error messages:

Error [ERR_REQUIRE_ESM]: require() of ES Module /.../node_modules/got/dist/source/index.js from .../node_modules/@electron/get/dist/cjs/GotDownloader.js not supported.
Instead change the require of index.js in .../node_modules/@electron/get/dist/cjs/GotDownloader.js to a dynamic import() which is available in all CommonJS modules.
    at Object.<anonymous> (...r/node_modules/@electron/get/dist/cjs/GotDownloader.js:15:15)
    at .../node_modules/@electron/get/dist/cjs/downloader-resolver.js:8:66
    at async Object.getDownloaderForSystem (.../node_modules/@electron/get/dist/cjs/downloader-resolver.js:8:31)
    at async .../node_modules/@electron/get/dist/cjs/index.js:67:59
    at async useAndRemoveDirectory (.../node_modules/@electron/get/dist/cjs/utils.js:10:18)

Request: Can this package update to a non-vulnerable version of got or cacheable-request?

erickzhao commented 1 year ago

cacheable-request depends on http-cache-semantics, which contains an Inefficient Regular Expression Complexity in versions prior to 4.1.1 of that package.

The underlying issue is stemming from cacheable-request<4.1.1, but cacheable-request@7.0.2 seems to only specify http-cache-semantics^4.0.0. You could probably upgrade http-cache-semantics in your lockfile without upgrading cacheable-request to receive the DoS fix, assuming that package follows semver closely.

MarshallOfSound commented 1 year ago

This is an incorrect GHSA report; I've filed a PR to fix this in the advisory database: https://github.com/github/advisory-database/pull/1703