search

fex-team / fis3

FIS3
http://fis.baidu.com
BSD 2-Clause "Simplified" License
2.79k stars 693 forks source link

Update packages to avoid introducing vulnerablities #1328

Open paimon0715 opened 3 years ago

paimon0715 commented 3 years ago

Hi @Xiangshouding @2betop,I’d like to report several vulnerabilities

Issue

15 vulnerabilities (9 high, 4 medium and 2 low severity) are introduced in fis3.There are some examples: 1.Vulnerability npmjs-advisories-1464 (high severity) is detected in package lodash(versions:<4.17.21):https://snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054 2.Vulnerability CVE-2020-8203 (medium severity) is detected in package lodash(versions:<4.17.16):https://snyk.io/vuln/SNYK-JS-LODASH-567746 3.Vulnerability CVE-2016-10540 (high severity) is detected in package minimatch(versions:<3.0.2):https://snyk.io/vuln/npm:minimatch:20160620 4.Vulnerability npmjs-advisories-1179 (low severity) is detected in package minimist(versions:>=0.0.0 <0.2.1,>=1.0.0 <1.2.3):https://www.npmjs.com/advisories/1179

The above vulnerable packages are referenced by fis3 via: In fis3@3.4. :fis3@3.4.45 ➔ lodash@4.17.5 fis3@3.4.45 ➔ glob@5.0.3 ➔ minimatch@2.0.10 fis3@3.4.45 ➔ minimist@1.1.1 In fis3@3.2. :fis3@3.2.13 ➔ glob@5.0.3 ➔ minimatch@2.0.10 fis3@3.2.13 ➔ minimist@1.1.1 In fis@3.3. :`In a similar way to 3.2. `

Solution

Since *_fis3@3.4._ is transitively referenced by 123** downstream projects (e.g., stormrage 2.8.0 (latest version),fis3-client 1.6.352 (latest version), fep-cli 1.0.0 (latest version), atmjs 0.7.7 (latest version), pcat 2.9.2(latest version)),

*_fis3@3.2._ is referenced by 2** downstream projects (fis273 1.2.3 (latest version), xiangha-fe 1.0.5 (latest version)),

*_fis3@3.3._ is referenced by 2** downstream projects (fis-web-config 0.0.3 (latest version), feat-l 0.0.3 (latest version)),

If fis3 removes the vulnerabilities from the above versions, then its fixed versions can help downstream users decrease their pain.

Could you help update packages in these versions?

Fixing suggestions

(1)In *_fis3@3.4._**, you can kindly try to perform the following upgrades (not crossing their major versions):

  1. lodash 4.17.5 ➔ 4.17.21;
    Note: lodash@4.17.21,(>=4.17.21) has fixed the vulnerabilities(e.g.,CVE-2021-23337,CVE-2020-8203,CVE-2018-16487)

  2. glob 5.0.3 ➔ 5.0.15;
    Note: glob@5.0.15 directly depends on minimatch@3.0.4(a vulnerability CVE-2016-10540 and SNYK-JS-MINIMATCH-1019388 patched version)

  3. minimist 1.1.1 ➔ 1.2.3;
    Note: minimist@1.2.3 has fixed the vulnerabilities CVE-2020-7598 and npmjs-advisories-1179

(2)In *_fis3@3.2._**, you can kindly try to perform the following upgrades (not crossing their major versions):

  1. glob 5.0.3 ➔ 5.0.15;
    Note: glob@5.0.15 directly depends on minimatch@3.0.4(a vulnerability CVE-2016-10540 and SNYK-JS-MINIMATCH-1019388 patched version)

  2. minimist 1.1.1 ➔ 1.2.3;
    Note: minimist@1.2.3 has fixed the vulnerabilities CVE-2020-7598 and npmjs-advisories-1179

(3)In *_fis3@3.3._**, you can kindly try to perform the following upgrades (not crossing their major versions):

  1. glob 5.0.3 ➔ 5.0.15;
    Note: glob@5.0.15 directly depends on minimatch@3.0.4(a vulnerability CVE-2016-10540 and SNYK-JS-MINIMATCH-1019388 patched version)

  2. minimist 1.1.1 ➔ 1.2.3;
    Note: minimist@1.2.3 has fixed the vulnerabilities CVE-2020-7598 and npmjs-advisories-1179

Thanks for your contributions to the npm ecosystem!

Best regards, Paimon

oxUnd commented 3 years ago

Thanks

paimon0715 commented 3 years ago

@xiangshouding Thanks for your understanding and help.