hanford / next-offline

make your Next.js application work offline using service workers via Google's workbox
https://github.com/hanford/next-offline

CVE-2020-28469 high vulnerability #275

Open scoobster17 opened 3 years ago

scoobster17 commented 3 years ago

Hello, this package is flagging up a high severity vulnerability due to copy-webpack-plugin@5.1.2 being a dependency, which is itself using glob-parent@3.0.1.

+----------------+----------+------+-------------+-----------+------------------------------+------------+------------+------------+----------------------------------------------------+-------------------+
|      CVE       | SEVERITY | CVSS |   PACKAGE   |  VERSION  |            STATUS            | PUBLISHED  | DISCOVERED | GRACE DAYS |                    DESCRIPTION                     | TRIGGERED FAILURE |
+----------------+----------+------+-------------+-----------+------------------------------+------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2020-28469 | high     | 0.00 | glob-parent | 3.1.0     | fixed in 5.1.2               | 85 days    | < 1 hour   | -84        | no description is available for this cve.          | Yes               |
+----------------+----------+------+-------------+-----------+------------------------------+------------+------------+------------+----------------------------------------------------+-------------------+

Upgrading to copy-webpack-plugin@6.4.1 or higher seems like it will fix the issue, or at least allow `npm update glob-parent` to be applied to repositories that use this package, as those versions of copy-webpack-plugin technically use ^5.1.1, whereas the fix is in v5.1.2.

hanford commented 3 years ago

I'd accept a PR fixing this @scoobster17!

hanford commented 3 years ago

I had to revert this, it broke several personal projects of mine that use next-offline:

[image]

scoobster17 commented 3 years ago

Ahh, I didn't see any globs in the file I edited, but there was a breaking change for handling globs in copy-webpack-plugin@6 too as per the release notes. Try this? Not sure if you'll have to make further changes to next-offline or your specific project(s).

https://github.com/webpack-contrib/copy-webpack-plugin/releases/tag/v6.0.0

scoobster17 commented 3 years ago

Any luck with the globs/progressing this issue?

hanford commented 3 years ago

@scoobster17 I haven't looked at it, I've been on vacation the last couple of weeks.

If you want to take a stab at it, I could review a PR and could release a prerelease version of next-offline so we can both verify it's working before releasing in a stable version.

scoobster17 commented 3 years ago

@hanford hope you had a nice break.

From your error message, the problem seems like it might be with this line. Perhaps this path has changed? At this point I feel you are best suited to investigate this issue, I'm a bit clueless as to how to fix this.

jfaylon commented 2 years ago

Any update regarding this issue?

opolo commented 2 years ago

Hi, an audit at our worksite has flagged this same CVE, CVE-2020-28469. We are very grateful for what next-offline has provided to us and still provides, but we need to provide a response to the business regarding the potential of a fix (we do not need to provide an ETA for now, I think they just want to know we are acting on it, when we can).

Question: Is this project still maintained? Sorry to ask very directly. We tried a few PWA frameworks for nextjs back in the day, and this was our favorite by far as it was easy getting started with. :)