expo / expo-webpack-integrations

Packages used to integrate Expo in Webpack-based projects.

Vulnerability detected for Semver #20

Closed artola closed 7 months ago

artola commented 11 months ago

Summary

Several packages have pinned "semver": "7.3.2", for example:

https://github.com/expo/expo-cli/blob/af2874cf685e6562c74ab597cdb099750c84a3fd/packages/image-utils/package.json#L39

See: semver vulnerable to Regular Expression Denial of Service for more details.

semver: 7.3.2
   ├─ ID: 1093264
   ├─ Issue: semver vulnerable to Regular Expression Denial of Service
   ├─ URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
   ├─ Severity: moderate
   ├─ Vulnerable Versions: >=7.0.0 <7.5.2
   ├─ Patched Versions: >=7.5.2
   └─ Recommendation: Upgrade to version 7.5.2 or later

Environment

@expo/prebuild-config@npm:6.2.6=> @expo/image-utils@npm:0.3.2

Please specify your device/emulator/simulator platform, model and version

NA

Error output

No response

Reproducible demo or steps to reproduce from a blank project

Check vulnerabilities, e.g.: yarn audit.

ns-trade commented 11 months ago

If this helps, we see the same vulnerability when using the latest version of Expo (v49.0.9)

Snyk: Regular Expression Denial of Service (ReDoS)

PG-Fuury commented 11 months ago

I ended up derping out mentally and commented on the most recent commit rather than looking at the issues

PalmDevs commented 11 months ago

Not sure why this can't be fixed immediately, as it is just a minor version bump (not major).

paultheurer commented 11 months ago

This is impacting us as well per GitHub security alerts. Going to attempt a resolution override but would be good if expo team sorted this?

njt1982 commented 10 months ago

In the short term, if it's any help, I have added this to my package.json and then ran `npm update @expo/image-utils`. I now have no security warnings and am using `semver@7.5.4`.

  "overrides": {
    "@expo/image-utils": {
      "semver": "7.5.4"
    }
  },

This is 100% a temporary solution until the maintainers release a version of Expo with secure dependencies.
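The report above relies on `yarn audit` to find the pinned `semver@7.3.2`, and the override above is meant to move every nested copy out of the advisory range (>=7.0.0 <7.5.2). The following Node script is an added example, not code from the issue or the Expo project: it walks a package-lock style `packages` map, finds every resolved copy of `semver`, and flags the ones still inside the vulnerable range, so you can confirm an override actually took effect. The two lockfile fragments (`LOCK_BEFORE`, `LOCK_AFTER`) are constructed for the example; the "after" fragment assumes the override let npm deduplicate the nested copy onto the root `7.5.4`, which is one of the two outcomes you may see (the other being a nested `7.5.4`).

```javascript
// Added example: verify no resolved copy of "semver" falls inside the
// GHSA-c2qf-rxjj-qqgw range (>=7.0.0 <7.5.2) from the advisory quoted above.
// Deliberately avoids requiring the semver package, so it runs stand-alone.

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Range taken from the advisory in the issue: vulnerable >=7.0.0, patched >=7.5.2.
const VULN_LOW = [7, 0, 0];
const PATCHED = [7, 5, 2];

function isVulnerableSemver(version) {
  const v = parseVersion(version);
  return compare(v, VULN_LOW) >= 0 && compare(v, PATCHED) < 0;
}

// Walk a package-lock "packages" map (path -> { version }) and return every
// vulnerable semver copy together with the package that nests it.
function findVulnerableSemver(packages) {
  const hits = [];
  for (const [path, info] of Object.entries(packages)) {
    if (!path.endsWith('node_modules/semver')) continue;
    if (!isVulnerableSemver(info.version)) continue;
    const parent = path.replace(/\/?node_modules\/semver$/, '') || '<root>';
    hits.push({ parent, version: info.version });
  }
  return hits;
}

// Constructed lockfile fragments (not real output from any project).
const LOCK_BEFORE = {
  'node_modules/semver': { version: '7.5.4' },
  'node_modules/@expo/image-utils': { version: '0.3.22' },
  'node_modules/@expo/image-utils/node_modules/semver': { version: '7.3.2' },
};
// Assumed state after the "overrides" entry: the nested copy was deduplicated
// onto the root 7.5.4 install.
const LOCK_AFTER = {
  'node_modules/semver': { version: '7.5.4' },
  'node_modules/@expo/image-utils': { version: '0.3.22' },
};

// Stand-alone run: print the findings for both constructed trees.
// To check a real project, replace the fragment with
// require('./package-lock.json').packages.
console.log('before override:', findVulnerableSemver(LOCK_BEFORE));
console.log('after override :', findVulnerableSemver(LOCK_AFTER));

module.exports = { parseVersion, compare, isVulnerableSemver, findVulnerableSemver, LOCK_BEFORE, LOCK_AFTER };
```

Note that `yarn audit` and `npm audit` answer the same question from the registry's advisory feed; this local check is only useful as a second opinion after applying an override, because an override that targets the wrong package path leaves the nested copy untouched and the audit warning in place.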

artola commented 10 months ago

└─ semver
   ├─ ID: 1093264
   ├─ Issue: semver vulnerable to Regular Expression Denial of Service
   ├─ URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
   ├─ Severity: moderate
   ├─ Vulnerable Versions: >=7.0.0 <7.5.2
   ├─ Tree Versions
   │  └─ 7.3.2
   └─ Dependents
      └─ @expo/image-utils@npm:0.3.22

janpe commented 10 months ago

opened a PR expo/expo-cli#4777

Mphatheleni commented 9 months ago

Is this issue fixed?

PG-Fuury commented 9 months ago

PR 4777 is still open, without any activity by a dev, so not yet

byCedric commented 7 months ago

This has been merged and released in @expo/webpack-config@19.0.1. See CHANGELOG