Closed TimCorwinCytiva closed 2 months ago
Please explain to me how an attacker would exploit these issues to cause a security issue in Graphile Migrate.
Unlikely that either CVE could be exploited inside graphile-migrate; but depending on the npm/yarn configuration, if the vulnerable versions were picked for graphile-migrate and then re-used for untrusted input...
Feel free to raise a minimal PR updating the lockfile and, if necessary, the package.json. I'm currently travelling for GraphQLConf so will likely not get a chance to release it for a week or two.
I have created https://github.com/TimCorwinCytiva/migrate/tree/bump-chokidar, based on your v1.4.1 tag, but I'm not sure how I could raise a PR without involving your V2 RCs, since there doesn't seem to be a release branch. Apologies if this is obvious, this is actually my first PR outside of Corpo-land.
Basing the PR off of main would be best; that’s where the release candidates are. They’re not really release candidates any more I guess, I just need to release the final version without changes.
I guess I could create a 1.x branch for patch releases though. That's fine 👍 Leave it with me.
Turns out we don't have a dependency on chokidar 3.5.3; as you can see on unpkg we use:
```json
"chokidar": "^3.5.1",
```
Since this is a caret range you can upgrade to any 3.x version of chokidar and it should be fine. If all versions of chokidar v3 are vulnerable to these security issues that do not impact the security of graphile-worker then you should encourage them to release a v3 version that fixes them, or alternatively just ignore them since they do not impact graphile-worker's security.
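The caret-range behaviour described in the comment above, as an added example that is not part of the original thread nor of graphile-migrate's own code: a dependency-free script that checks what a lockfile pinned against the `^3.5.1` range in package.json, and which newer published versions a lockfile-only bump could reach without touching package.json. The package.json and lockfile fragments and the list of published versions are constructed for illustration; the script makes no claim about which chokidar release, if any, addresses a given advisory.

```javascript
"use strict";

// Parse "X.Y.Z" into [X, Y, Z]. Pre-release tags and build metadata are
// deliberately rejected to keep the example small.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, following npm's semantics:
//   ^3.5.1 -> < 4.0.0,   ^0.2.3 -> < 0.3.0,   ^0.0.5 -> < 0.0.6
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// True if `version` lies inside the caret range `range` (e.g. "^3.5.1").
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`not a caret range: ${range}`);
  const lower = parseVersion(range.slice(1));
  const upper = caretUpperBound(lower);
  const v = parseVersion(version);
  return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
}

// Given the declared range, the version the lockfile pinned, and a list of
// published versions, return the published versions that are newer than the
// pin AND still inside the range. Those are reachable by regenerating the
// lockfile alone; anything outside the range needs a package.json change.
function upgradeCandidates(range, locked, published) {
  const pinned = parseVersion(locked);
  return published.filter(
    (v) => satisfiesCaret(v, range) && compareVersions(parseVersion(v), pinned) > 0
  );
}

// Constructed sample input (hypothetical, not the project's real files):
// the package.json range and the version a lockfile resolved it to.
const samplePackageJson = { dependencies: { chokidar: "^3.5.1" } };
const sampleLockfile = { "node_modules/chokidar": { version: "3.5.3" } };

// Report whether the pinned version is still within the declared range.
function auditDependency(name, pkg, lock) {
  const range = pkg.dependencies[name];
  const locked = lock[`node_modules/${name}`].version;
  return { name, range, locked, lockedInRange: satisfiesCaret(locked, range) };
}

// Illustrative published versions; only the range arithmetic is being shown.
const samplePublished = ["3.5.3", "3.6.0", "4.0.1"];

console.log(auditDependency("chokidar", samplePackageJson, sampleLockfile));
console.log(upgradeCandidates("^3.5.1", "3.5.3", samplePublished));
```

Run with `node` and the second line printed lists `3.6.0` only: `3.5.3` is the current pin and `4.0.1` falls outside `^3.5.1`, which is exactly why a fix shipped only as a new major would not be picked up by a lockfile bump.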
1.4.1 expects vulnerable versions of braces and ip via the dependency on chokidar@3.5.3. See: https://www.cve.org/CVERecord?id=CVE-2024-4068 https://www.cve.org/CVERecord?id=CVE-2024-29415

Could we get a patch release please?