Closed vincentsum777 closed 3 years ago
I'm sorry, we don't have the ability to update old ESLint versions like this. We'd need to do it manually, and that could have other unintended side effects. We are in the process of releasing v8.0.0, so I think a better solution is to contact the owners of the projects you're concerned about and ask them to upgrade ESLint.
FWIW, security issues like this don't usually affect ESLint because it's not being run in such a way that an attacker can inject information. Most security bulletins for Node.js packages are only dangerous when deployed in a production web application or service, and not when used in ESLint.
Hi, @nzakas @mdjermanovic, I stumbled upon a vulnerability introduced by package ajv@5.5.2:
Issue Description
When I build my project, I noticed that eslint@4.19.1 directly depends on ajv@5.5.2. However, the vulnerability (high severity) CVE-2020-15366 is detected in package ajv<6.12.3.
As far as I am aware, eslint@4.19.1 is so popular that a large number of projects depend on it (860,520 downloads per week and about 1,943 downstream projects, e.g., ws-voice-infinity-global-module 0.9.60, jstestadapter 1.4.2, eslint-plugin-angularjs-security-rules 1.0.8, cgb-scripts 1.23.1, eslint-config-themis 0.1.2, etc.). In this case, the vulnerability CVE-2020-15366 can be propagated into these downstream projects and expose them to security threats. As you can see, eslint@4.19.1 is introduced into the above projects via the following package dependency paths:
(1) @xcritical/eslint-plugin-xcritical@4.0.1 ➔ eslint-plugin-class-methods-use-this-regexp@0.1.0 ➔ eslint@4.19.1 ➔ ajv@5.5.2
(2) @icare-jp/vue-type-check@1.1.8 ➔ vue-language-server@0.0.67 ➔ prettier-eslint@8.8.2 ➔ eslint@4.19.1 ➔ ajv@5.5.2
......
I know that it's kind of you to have removed the vulnerability since eslint@5.0.0-rc.0. But, in fact, the above large amount of downstream projects cannot easily upgrade eslint from version 4.19.1 to (>=5.0.0-rc.0): the projects such as eslint-plugin-class-methods-use-this-regexp and vue-language-server, which introduced eslint@4.19.1, are not maintained anymore. These unmaintained packages can neither upgrade eslint nor be easily migrated by the large amount of affected downstream projects.
Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package eslint@4.19.1?
Suggested Solution
Since these inactive projects set a version constraint 4.19.* for eslint on the above vulnerable dependency paths, if eslint removes the vulnerability from 4.19.1 and releases a new patched version eslint@4.19.2, such a vulnerability patch can be automatically propagated into the downstream projects.
The simplest way to remove the vulnerability is to perform the following upgrade in eslint@4.19.2:
ajv ^5.3.0 ➔ ^6.12.3
Note: ajv@6.12.3 (>=6.12.3) has fixed the vulnerability (CVE-2020-15366). Of course, you are welcome to share other ways to resolve the issue with me. ^_^
Thank you for your attention to this issue.
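The dependency paths quoted in the issue, and the effect of the suggested ajv bump, can be checked mechanically against an npm package-lock.json. The script below is an added example, not code from the ESLint project or from the issue author: it walks a lockfile v1 style tree with Node's nearest-ancestor resolution and lists every path that resolves to an ajv below 6.12.3, the fix version for CVE-2020-15366. The lockfile fragment is constructed to mirror the paths in the issue; apart from eslint@4.19.1, ajv@5.5.2 and the two intermediate packages named in the issue, the package names, versions and the hypothetical eslint@4.19.2 are assumptions.

```javascript
"use strict";

// Constructed package-lock.json v1 fragment (not a real lockfile). In v1 format a
// hoisted package sits at the top level; a package that needs a different version
// gets its own nested "dependencies" entry, which is how npm installs eslint@4.19.1's
// ajv@5.5.2 next to a hoisted ajv@6.x. webpack and its ajv range are assumed.
const LOCK = {
  dependencies: {
    ajv: { version: "6.12.6" },
    webpack: { version: "4.46.0", requires: { ajv: "^6.10.2" } },
    eslint: {
      version: "4.19.1",
      requires: { ajv: "^5.3.0" },
      dependencies: { ajv: { version: "5.5.2" } },
    },
    "eslint-plugin-class-methods-use-this-regexp": {
      version: "0.1.0",
      requires: { eslint: "^4.19.1" },
    },
    "prettier-eslint": { version: "8.8.2", requires: { eslint: "^4.19.1" } },
  },
};
// Direct dependencies of the root project (what its package.json would list); assumed.
const ROOT_DEPS = ["eslint-plugin-class-methods-use-this-regexp", "prettier-eslint", "webpack"];

// Minimal semver comparison for "x.y.z[-prerelease]" strings, no external packages.
function parseVersion(v) {
  const [core, pre] = v.split("-");
  return { nums: core.split(".").map(Number), pre: pre || null };
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa.nums[i] || 0, y = pb.nums[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  // A prerelease sorts before the same release (6.12.3-rc.0 < 6.12.3).
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Resolve `name` the way Node does at runtime: the innermost nested "dependencies"
// wins, then each ancestor, then the hoisted top level (the root node).
function resolve(name, ancestors) {
  for (let i = ancestors.length - 1; i >= 0; i--) {
    const deps = ancestors[i].dependencies;
    if (deps && deps[name]) return deps[name];
  }
  return null;
}

// Return every "a@1 > b@2 > target@v" path whose target version is below `fixedIn`.
function findVulnerablePaths(lock, rootDeps, target, fixedIn) {
  const root = { dependencies: lock.dependencies, requires: Object.fromEntries(rootDeps.map((d) => [d, "*"])) };
  const hits = [];
  function walk(node, ancestors, path) {
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(dep, ancestors);
      if (!child) continue; // missing from the lock: nothing installed, nothing to flag
      const label = `${dep}@${child.version}`;
      if (path.includes(label)) continue; // cycle guard (a@1 > b@1 > a@1)
      const childPath = [...path, label];
      if (dep === target && compareVersions(child.version, fixedIn) < 0) hits.push(childPath.join(" > "));
      walk(child, [...ancestors, child], childPath);
    }
  }
  walk(root, [root], []);
  return hits;
}

// The issue's proposed fix, modelled as a hypothetical eslint@4.19.2 that requires
// ajv ^6.12.3 and therefore no longer needs its own nested ajv@5.5.2.
function applySuggestedFix(lock) {
  const patched = JSON.parse(JSON.stringify(lock));
  patched.dependencies.eslint = { version: "4.19.2", requires: { ajv: "^6.12.3" } };
  return patched;
}

console.log("before:", findVulnerablePaths(LOCK, ROOT_DEPS, "ajv", "6.12.3"));
console.log("after:", findVulnerablePaths(applySuggestedFix(LOCK), ROOT_DEPS, "ajv", "6.12.3"));
```

With the unpatched tree the script reports both consumer paths ending in eslint@4.19.1 > ajv@5.5.2 while the hoisted ajv@6.12.6 reached through webpack is left alone; after the modelled bump, eslint resolves to the hoisted patched copy and no path is flagged. Note that a hit only means the vulnerable code is installed on the path, which is the point made in the maintainer's reply: whether it is exploitable depends on whether untrusted input ever reaches ajv in that context.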