mapbox / node-pre-gyp

Node.js tool for easy binary deployment of C++ addons
BSD 3-Clause "New" or "Revised" License

Vulnerability warning due to make-dir version #685

Closed AkiraMiyakoda closed 1 year ago

AkiraMiyakoda commented 1 year ago

Hi developers,

Currently, this package receives a vulnerability warning concerning CVE-2022-25883 reported a few days ago. This package depends on make-dir which has been updated in order to fix that warning. So I think that node-pre-gyp should be updated to depend on the new version of make-dir.

Here is what I received:

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install argon2@0.27.1, which is a breaking change
node_modules/make-dir/node_modules/semver
  make-dir  2.0.0 - 3.1.0
  Depends on vulnerable versions of semver
  node_modules/make-dir
    @mapbox/node-pre-gyp  >=1.0.1
    Depends on vulnerable versions of make-dir
    node_modules/@mapbox/node-pre-gyp
      argon2  >=0.27.2
      Depends on vulnerable versions of @mapbox/node-pre-gyp
      node_modules/argon2

4 moderate severity vulnerabilities
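
The audit output above flags a nested copy of semver (node_modules/make-dir/node_modules/semver) that a check of the top-level semver would miss. The following script is an added example, not code from the issue or from node-pre-gyp: it walks a package-lock.json v2/v3 "packages" map offline, flags every installed semver older than the 7.5.2 fix, and reconstructs the dependency chain from the nested node_modules path. The lock data is constructed to mirror the chain in the audit output; the exact versions are assumptions.

```javascript
// Added example (not from the issue thread or node-pre-gyp): find nested
// copies of semver below the fixed version in a package-lock.json v2/v3
// "packages" map, and show which parent package pulled each one in.
const FIXED_SEMVER = '7.5.2'; // first version without the ReDoS fix missing

// Compare two x.y.z version strings numerically: <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0, db = pb[i] || 0;
    if (da !== db) return da - db;
  }
  return 0;
}

// "node_modules/make-dir/node_modules/semver" -> ["make-dir", "semver"]
// (scoped names such as "@mapbox/node-pre-gyp" survive as one element).
function chainFromPath(lockPath) {
  return lockPath.split('node_modules/')
    .map(s => s.replace(/\/$/, ''))
    .filter(Boolean);
}

// Return every semver install whose version is below `fixed`.
function findVulnerableSemver(lock, fixed = FIXED_SEMVER) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === '') continue;                        // root project entry
    const chain = chainFromPath(p);
    if (chain[chain.length - 1] !== 'semver') continue;
    if (compareVersions(meta.version, fixed) < 0) {
      hits.push({ path: p, version: meta.version, chain });
    }
  }
  return hits;
}

// Constructed lock data mirroring the audit chain from the issue; the
// hoisted top-level semver is fixed, the copy nested under make-dir is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/argon2': { version: '0.27.2' },
    'node_modules/@mapbox/node-pre-gyp': { version: '1.0.1' },
    'node_modules/make-dir': { version: '3.1.0' },
    'node_modules/make-dir/node_modules/semver': { version: '6.0.0' },
  },
};

// One human-readable line per finding, e.g. for a CI gate.
function report(lock) {
  return findVulnerableSemver(lock).map(h =>
    `${h.path}: semver ${h.version} < ${FIXED_SEMVER} (via ${h.chain.slice(0, -1).join(' -> ') || 'root'})`);
}

for (const line of report(SAMPLE_LOCK)) console.log(line);
```

In a real project replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a non-empty report means a nested vulnerable copy remains even if the hoisted semver is current.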

striezel commented 1 year ago

It looks like the package is a bit slow to update its dependencies, so maybe semi-automated dependency updates via Dependabot or a similar mechanism can help here. That's why I opened a PR that adds a Dependabot configuration (https://github.com/mapbox/node-pre-gyp/pull/688).

ranisalt commented 1 year ago

@striezel very slow. Last version was in September, seems completely abandoned ever since (issues/PRs get no response). I'm looking to remove it from node-argon2

striezel commented 1 year ago

seems completely abandoned ever since (issues/PRs get no response).

That is sad. :( If the repository is abandoned, then moving away from it seems to be the right action. However, I'm hoping that somebody @mapbox will pick this up and get the issues fixed and PRs merged and publish a new version to NPM, because not everyone might be able to completely remove @mapbox/node-pre-gyp from package dependencies.

prashant93 commented 1 year ago

Team, any update on the semver vulnerability fix: CVE-2022-25883?

axrj commented 1 year ago

Hey all, apologies for the delays. Will get this patched soon.

sagar-sonawane-ma commented 1 year ago

@axrj, can you please share the issue ID/link for the fix, so we can trace it for the feature release?

axrj commented 1 year ago