Closed evansrobert closed 2 years ago
Hi @evansrobert. I'm sure we can do something here. Are you interested in opening a PR that does the work to upgrade the dependency?
@jherdman Thanks.
Hi @jherdman, is there an expected timeline for merging in the dependency update to resolve this issue? Thanks!
Hi @grantyang. I've poked a bit at trying to resolve this, but I've run into some difficulties coming to the solution and finding the time to implement it. The timeline is more or less "some day, hopefully soon."
A pull request would be greatly appreciated if anyone has the time and interest.
I confess that I'm not really thrilled at the idea of adopting a modern version of cheerio when it's been in beta for months on end and seems to have been stalled out. I'd love to see an alternative adopted that is much more stable, though I haven't identified one at this time.
Resolved by #228
Hi, @jherdman @ivanvotti, I'd like to report a vulnerability introduced by package css-what:
Issue Description
I noticed that a vulnerability is introduced in ember-svg-jar@2.3.3: Vulnerability CVE-2021-33587 affects package css-what (versions:<5.0.1): https://snyk.io/vuln/SNYK-JS-CSSWHAT-1298035 The above vulnerable package is referenced by ember-svg-jar@2.3.3 via:
ember-svg-jar@2.3.3 ➔ cheerio@0.22.0 ➔ css-select@1.2.0 ➔ css-what@2.1.3
Since ember-svg-jar@2.3.3 (26,294 downloads per week) is referenced by 25 downstream projects (e.g., ember-cli-addon-docs 3.0.0 (latest version), @freshworks/button 0.18.0 (latest version), @freshworks/icon 0.20.0 (latest version), @freshworks/toast-message 0.18.0 (latest version), @hashicorp/pds-ember 0.6.2 (latest version)), the vulnerability CVE-2021-33587 can be propagated into these downstream projects and expose security threats to them via the following package dependency paths:
(1) @cardstack/boxel@0.19.42 ➔ ember-svg-jar@2.3.3 ➔ cheerio@0.22.0 ➔ css-select@1.2.0 ➔ css-what@2.1.3
(2) @ember-eui/changeset-form@0.7.15 ➔ @ember-eui/core@0.7.15 ➔ ember-svg-jar@2.3.3 ➔ cheerio@0.22.0 ➔ css-select@1.2.0 ➔ css-what@2.1.3
......
If ember-svg-jar@2.3.* removes the vulnerable package from the above version, then its fixed version can help downstream users decrease their pain.
Given the large number of downstream users, could you help update your package to remove the vulnerability from ember-svg-jar@2.3.3 ?
Fixing suggestions
In ember-svg-jar@2.3.4, maybe you can kindly try to perform the following upgrade:
cheerio ^0.22.0 ➔ ^1.0.0-rc.4
Note: cheerio@1.0.0-rc.4 (>=1.0.0-rc.4) doesn't depend on css-what any more.
Thank you for your attention to this issue and welcome to share other ways to resolve the issue.
Best regards, ^_^
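The report above lists dependency paths by hand. As an added example (not code from this thread or from ember-svg-jar), the script below walks an npm lockfile's `packages` map the way npm resolves nested `node_modules`, and prints every path from the project root to a package version inside an advisory's vulnerable range. The lockfile, the package name `example-app`, the version strings and the dependency ranges are all constructed to mirror the chain quoted in the report (ember-svg-jar@2.3.3 ➔ cheerio@0.22.0 ➔ css-select@1.2.0 ➔ css-what@2.1.3); the advisory predicate uses the `< 5.0.1` range the report gives for CVE-2021-33587. The root also installs a fixed css-what@5.1.0 directly, to show why adding the fixed version at the top level does not remove the nested vulnerable copy that css-select still resolves.

```javascript
// Added example, not code from the issue thread or from ember-svg-jar.
// Walks a constructed npm lockfile (package-lock v2/v3 "packages" shape) and
// reports each dependency path that ends in a vulnerable package version.

// Minimal semver handling: "1.0.0-rc.4" -> { nums: [1, 0, 0], pre: "rc.4" }.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1; a prerelease sorts below its release (1.0.0-rc.4 < 1.0.0).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Advisory as quoted in the report: CVE-2021-33587 affects css-what < 5.0.1.
const ADVISORIES = [
  { id: "CVE-2021-33587", name: "css-what", isVulnerable: (v) => compareVersions(v, "5.0.1") < 0 },
];

// Constructed lockfile (not any real project's). Keys are install paths; "" is the root.
const LOCKFILE = {
  name: "example-app",
  packages: {
    "": { version: "1.0.0", dependencies: { "ember-svg-jar": "^2.3.3", "css-what": "^5.0.1" } },
    "node_modules/ember-svg-jar": { version: "2.3.3", dependencies: { cheerio: "^0.22.0" } },
    "node_modules/cheerio": { version: "0.22.0", dependencies: { "css-select": "~1.2.0" } },
    "node_modules/css-select": { version: "1.2.0", dependencies: { "css-what": "2.1" } },
    "node_modules/css-select/node_modules/css-what": { version: "2.1.3" }, // nested, vulnerable
    "node_modules/css-what": { version: "5.1.0" },                          // top-level, fixed
  },
};

// Package name from an install path; handles scoped names and nested copies.
function packageName(installPath, lockfile) {
  if (installPath === "") return lockfile.name;
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// Node-style resolution: the dependent's own node_modules first, then each
// enclosing node_modules up to the top level.
function resolveDep(fromPath, name, packages) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root; onStack guards against dependency cycles.
function findVulnerablePaths(lockfile, advisories) {
  const packages = lockfile.packages;
  const results = [];
  const label = (p) => `${packageName(p, lockfile)}@${packages[p].version}`;
  function walk(path, chain, onStack) {
    const entry = packages[path];
    const name = packageName(path, lockfile);
    for (const adv of advisories) {
      if (adv.name === name && adv.isVulnerable(entry.version)) {
        results.push({ advisory: adv.id, path: chain.map(label).join(" -> ") });
      }
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const resolved = resolveDep(path, dep, packages);
      if (resolved === null || onStack.has(resolved)) continue;
      onStack.add(resolved);
      walk(resolved, [...chain, resolved], onStack);
      onStack.delete(resolved);
    }
  }
  walk("", [""], new Set([""]));
  return results;
}

for (const hit of findVulnerablePaths(LOCKFILE, ADVISORIES)) {
  console.log(`${hit.advisory}: ${hit.path}`);
}
```

Run against a real project by replacing `LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json"))` (lockfile version 2 or 3, which carries the `packages` map); the fixed top-level css-what@5.1.0 produces no hit, while the nested 2.1.3 copy under css-select is reported with its full chain, which is the situation the suggested cheerio upgrade is meant to remove.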