libp2p / js-peer-id

peer-id implementation in JavaScript. Deprecated; use https://github.com/libp2p/js-libp2p-peer-id instead.
https://github.com/libp2p/js-libp2p-peer-id
MIT License

Could you help remove the high severity vulnerability introduced by package node-forge? #153

Closed paimon0715 closed 3 years ago

paimon0715 commented 3 years ago

Hi, @vasco-santos @jacobheun, there is a high severity vulnerability introduced in your package peer-id:

Issue Description

A vulnerability CVE-2020-7720 detected in package node-forge<0.10.0 is transitively referenced by peer-id@0.12.5. We noticed that such a vulnerability has been removed since peer-id@0.14.3.

However, peer-id's popular previous version peer-id@0.12.5 (5,680 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 225 downstream projects, e.g., @aragon/cli 7.1.6, snet-sdk-web 2.0.0-beta.0, @gny/cli 1.0.90, @augurproject/tools 2.1.13, @charged-particles/protocol-subgraph 1.2.7, @51nodes/decentralized-schema-registry@0.1.1, etc.). As such, issue CVE-2020-7720 can be propagated into these downstream projects and expose security threats to them.

These projects cannot easily upgrade peer-id from version 0.12.5 to (>=0.14.3). For instance, peer-id@0.12.5 is introduced into the above projects via the following package dependency paths: (1)@51nodes/decentralized-schema-registry@0.1.1 ➔ @evan.network/api-blockchain-core@2.20.0 ➔ @evan.network/dbcp@1.11.2 ➔ ipfs-api@26.1.2 ➔ peer-id@0.12.5 ➔ libp2p-crypto@0.16.3 ➔ node-forge@0.9.2 ......

The projects such as ipfs-api, which introduced peer-id@0.12.5, are not maintained anymore. These unmaintained packages can neither upgrade peer-id nor be easily migrated by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package peer-id@0.12.5?

Suggested Solution

Since these inactive projects set a version constraint 0.12.* for peer-id on the above vulnerable dependency paths, if peer-id removes the vulnerability from 0.12.5 and releases a new patched version peer-id@0.12.6, such a vulnerability patch can be automatically propagated into the 225 affected downstream projects.

In peer-id@0.12.6, you can kindly try to perform the following upgrade: libp2p-crypto ~0.16.1 ➔ ~0.19.0;
Note: libp2p-crypto@0.19.0 (>=0.19.0) directly depends on node-forge@0.10.0 (a version in which CVE-2020-7720 is patched).

Thank you for your help.

Best regards, Paimon

jacobheun commented 3 years ago

Hi @paimon0715, typically we don't maintain versions this far back but the weekly download rate is rather high. I think the right place to fix this is in libp2p-crypto, as users may be installing it via other libp2p libraries. I'll investigate feasibility of an upgrade patch there.

jacobheun commented 3 years ago

This has been patched in libp2p-crypto@0.16.4, so any new installs of peer-id 0.12.x will come with node-forge 0.10.

peer-id@0.12.5
└─┬ libp2p-crypto@0.16.4
  └── node-forge@0.10.0
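The two threads of this issue, checking a dependency tree for a node-forge version older than the patched 0.10.0 and reasoning about why a patch release inside the `~0.16.1` / `0.12.*` ranges reaches existing installs, can be verified with a small script. The code below is an added example, not code from js-peer-id or libp2p; the `TREE_BEFORE` and `TREE_AFTER` objects are constructed to mirror the dependency paths quoted in the issue, and the range checks are deliberately limited to the tilde and `X.Y.*` forms the issue mentions rather than being a full semver implementation.

```javascript
// Added example (not from js-peer-id): detect a vulnerable transitive
// dependency in a tree and check which versions a npm range admits.

// Parse "MAJOR.MINOR.PATCH" (an optional pre-release tag is accepted but ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing two release versions numerically per component.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "~X.Y.Z" admits >= X.Y.Z and < X.(Y+1).0, which is why a 0.16.4 release of
// libp2p-crypto is picked up by peer-id's "~0.16.1" constraint while 0.19.0 is not.
function tildeSatisfies(range, version) {
  if (!range.startsWith('~')) throw new Error('only tilde ranges are handled here');
  const base = range.slice(1);
  const [maj, min] = parseVersion(base);
  const upper = `${maj}.${min + 1}.0`;
  return compareVersions(version, base) >= 0 && compareVersions(version, upper) < 0;
}

// "X.Y.*" admits any patch level of that minor, which is how a peer-id@0.12.6
// release would reach projects pinned to 0.12.*.
function wildcardSatisfies(range, version) {
  const m = /^(\d+)\.(\d+)\.\*$/.exec(range);
  if (!m) throw new Error('only X.Y.* ranges are handled here');
  const [maj, min] = parseVersion(version);
  return maj === Number(m[1]) && min === Number(m[2]);
}

// Constructed trees shaped like an npm "dependencies" object:
// name -> { version, dependencies }. They mirror the paths quoted in the issue.
const TREE_BEFORE = {
  'peer-id': { version: '0.12.5', dependencies: {
    'libp2p-crypto': { version: '0.16.3', dependencies: {
      'node-forge': { version: '0.9.2', dependencies: {} } } } } }
};
const TREE_AFTER = {
  'peer-id': { version: '0.12.5', dependencies: {
    'libp2p-crypto': { version: '0.16.4', dependencies: {
      'node-forge': { version: '0.10.0', dependencies: {} } } } } }
};

// Walk the tree and return every path ending in pkgName with version < fixedVersion.
function findVulnerable(tree, pkgName, fixedVersion, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree)) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkgName && compareVersions(node.version, fixedVersion) < 0) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerable(node.dependencies || {}, pkgName, fixedVersion, here));
  }
  return hits;
}

// Usage: report vulnerable node-forge paths before and after the libp2p-crypto patch.
console.log('before:', findVulnerable(TREE_BEFORE, 'node-forge', '0.10.0'));
console.log('after: ', findVulnerable(TREE_AFTER, 'node-forge', '0.10.0'));
console.log('~0.16.1 admits 0.16.4:', tildeSatisfies('~0.16.1', '0.16.4'));
console.log('~0.16.1 admits 0.19.0:', tildeSatisfies('~0.16.1', '0.19.0'));
```

The same walk can be run over the `dependencies` object of a real `npm ls --json` output, since that shape is what the constructed trees imitate; the range helpers only cover the two forms discussed in the issue, so use a real semver library for anything else.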