kgryte / github-create-issue

Create an issue on a GitHub repository.
MIT License
18 stars 3 forks

Insecure dependencies #7

Open Chr1s70ph opened 2 years ago

Chr1s70ph commented 2 years ago

Updating the package to the latest version introduces insecurities. These do not appear on version 1.0.1 of the package.

# npm audit report

dot-prop  <4.2.1
Severity: high
Prototype Pollution in dot-prop - https://github.com/advisories/GHSA-ff7x-qrg7-qggm
fix available via `npm audit fix --force`
Will install github-create-issue@1.0.1, which is a breaking change
node_modules/configstore/node_modules/dot-prop
  configstore  2.0.0 - 2.1.0 || 3.1.3
  Depends on vulnerable versions of dot-prop
  node_modules/configstore
    update-notifier  0.6.3 - 1.0.3
    Depends on vulnerable versions of configstore
    node_modules/update-notifier
      github-create-issue  >=2.0.0
      Depends on vulnerable versions of update-notifier
      node_modules/github-create-issue

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

kgryte commented 2 years ago

This warning is not a concern. See how update-notifier is used in the source code. Prototype pollution is not possible given the usage.

The only way to rectify this issue is to remove update-notifier from the package or upgrade. The latter is not possible, as update-notifier introduced breaking env changes and would thus break backward compatibility for this package.

Removing update-notifier would probably be fine, as users probably don't need to be alerted that a new version of the CLI is available. Feel free to submit a PR.

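The audit report above flags dot-prop's prototype-pollution fix (GHSA-ff7x-qrg7-qggm), and the maintainer's reply argues it is unreachable through update-notifier. The following is an added example, not code from github-create-issue, dot-prop, configstore or update-notifier: a minimal dot-path setter in the style of the pre-fix behaviour, beside a hardened version that rejects the `__proto__` / `constructor` / `prototype` segments, plus a check that shows the pollution only happens when the path string itself is attacker-controlled. The function and constant names (`setPathUnsafe`, `setPathSafe`, `DISALLOWED_KEYS`, `demonstratePollution`) are illustrative.

```javascript
// Added example (not part of the original issue or any of the packages it names).
// Illustrates the class of bug the npm audit entry for dot-prop <4.2.1 refers to.

// Keys the hardened setter refuses; the same three names the upstream fix blocks.
const DISALLOWED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// Walks "a.b.c" and creates intermediate objects as needed.
// Shared by both setters; the only difference is the path validation.
function walkAndSet(obj, parts, value) {
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (cur[key] === undefined || typeof cur[key] !== 'object') {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Vulnerable pattern: any segment is accepted, so "__proto__.x" resolves
// cur = obj.__proto__ (Object.prototype) and writes x onto every object.
function setPathUnsafe(obj, path, value) {
  return walkAndSet(obj, path.split('.'), value);
}

// Hardened pattern: reject the path before touching the object.
function setPathSafe(obj, path, value) {
  const parts = path.split('.');
  if (parts.some((p) => DISALLOWED_KEYS.has(p))) {
    throw new Error(`refusing to set path containing a disallowed key: ${path}`);
  }
  return walkAndSet(obj, parts, value);
}

// Runs the unsafe setter on a constructed hostile path, records whether an
// unrelated fresh object picked up the property, then cleans up the prototype
// so the demonstration leaves no global side effect.
function demonstratePollution() {
  const hostilePath = '__proto__.polluted'; // constructed attacker input
  const before = ({}).polluted;
  setPathUnsafe({}, hostilePath, 'yes');
  const after = ({}).polluted;
  delete Object.prototype.polluted;
  return { before, after };
}

// Fixed, hard-coded keys (the situation the maintainer describes) are harmless
// even with the unsafe setter, because no segment can be "__proto__".
function setFixedKeys() {
  const store = {};
  setPathUnsafe(store, 'lastUpdateCheck', 1700000000000);
  setPathUnsafe(store, 'optOut', false);
  return store;
}

console.log('unsafe setter with hostile path:', demonstratePollution());
console.log('unsafe setter with fixed keys:', setFixedKeys());
try {
  setPathSafe({}, '__proto__.polluted', 'yes');
} catch (e) {
  console.log('safe setter:', e.message);
}
```

The practical takeaway for the audit finding: the bug is only exploitable if some caller passes an attacker-influenced path string into the setter. The maintainer's argument rests on update-notifier (via configstore) writing only fixed key names, which a reviewer confirms by reading those two dependencies' sources rather than by trusting the audit output alone; the example does not verify that for those packages.
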
rbgorbet commented 2 years ago

@kgryte I cloned the repo and made the relatively minor changes to remove update-notifier dependencies. When I tried to push and create a PR it tells me I don't have permission to push. I'd also like to add functionality to close an issue. Should I work from a fork? And if so (I've never forked anything before), how do I then get my version installed instead of your version, using npm? Thanks!

rbgorbet commented 2 years ago

I've now added issue-commenting and issue-closing functionality.

Chr1s70ph commented 2 years ago

> @kgryte I cloned the repo and made the relatively minor changes to remove update-notifier dependencies. When I tried to push and create a PR it tells me I don't have permission to push. I'd also like to add functionality to close an issue. Should I work from a fork? And if so (I've never forked anything before), how do I then get my version installed instead of your version, using npm? Thanks!

You can create a new branch and submit a new PR that way. Pushing to the master branch is only allowed for maintainers of the repository.

rbgorbet commented 2 years ago

> @kgryte I cloned the repo and made the relatively minor changes to remove update-notifier dependencies. When I tried to push and create a PR it tells me I don't have permission to push. I'd also like to add functionality to close an issue. Should I work from a fork? And if so (I've never forked anything before), how do I then get my version installed instead of your version, using npm? Thanks!

> You can create a new branch and submit a new PR that way. Pushing to the master branch is only allowed for maintainers of the repository.

Creating a new branch isn't an option; is it perhaps disabled in the repo?

[screenshot omitted]

Chr1s70ph commented 2 years ago

Create a branch locally on your machine by using `git checkout -b "your_branch_name"`. Afterwards, you will be able to create a PR.