micromatch / nanomatch

Fast, minimal glob matcher for node.js. Similar to micromatch, minimatch and multimatch, but without support for extended globs (extglobs), posix brackets or braces, and with complete Bash 4.3 wildcard support: ("*", "**", and "?").
https://github.com/micromatch
MIT License

Dependency vulnerability #29

Closed alvaroinckot closed 3 years ago

alvaroinckot commented 3 years ago

(Thanks for reporting an issue to nanomatch! If you haven't already read the contributor guidelines, please do that now, then proceed to fill out the details below.)

Please describe the minimum necessary steps to reproduce this issue:

Version 1.2.13 has dependencies with a reported vulnerability.

What is happening (but shouldn't):

On npm audit:

npm audit --production --json
{
  "actions": [
    {
      "action": "review",
      "module": "set-value",
      "resolves": [
        {
          "id": 1002475,
          "path": "nanomatch>snapdragon>base>cache-base>set-value",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1002475,
          "path": "nanomatch>snapdragon>base>cache-base>union-value>set-value",
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ]
    }
  ],
  "advisories": {
    "1002475": {
      "findings": [
        {
          "version": "2.0.1",
          "paths": [
            "nanomatch>snapdragon>base>cache-base>set-value",
            "nanomatch>snapdragon>base>cache-base>union-value>set-value"
          ]
        }
      ],
      "metadata": null,
      "vulnerable_versions": "<4.0.1",
      "module_name": "set-value",
      "severity": "high",
      "github_advisory_id": "GHSA-4jqc-8m5r-9rpr",
      "cves": [
        "CVE-2021-23440"
      ],
      "access": "public",
      "patched_versions": ">=4.0.1",
      "updated": "2021-09-13T19:33:19.000Z",
      "recommendation": "Upgrade to version 4.0.1 or later",
      "cwe": "CWE-843",
      "found_by": null,
      "deleted": null,
      "id": 1002475,
      "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23440\n- https://github.com/advisories/GHSA-4jqc-8m5r-9rpr",
      "created": "2021-10-07T07:31:50.512Z",
      "reported_by": null,
      "title": "Prototype Pollution in set-value",
      "npm_advisory_id": null,
      "overview": "This affects the package set-value before 4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.",
      "url": "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 2,
      "critical": 0
    },
    "dependencies": 347,
    "devDependencies": 0,
    "optionalDependencies": 0,
    "totalDependencies": 347
  },
  "runId": "74a03b72-f17a-472d-bb81-2582304fcc0a"
}

What should be happening instead?

It must not have any high-severity issue.
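An added triage script, not code from the nanomatch project or from either commenter, that walks the npm 6 `npm audit --json` report shape shown above: for each advisory at or above a severity threshold it records the direct dependency at the root of every path and whether the vulnerable module is only reached transitively, which is what a reviewer needs to decide whether a finding like the one above is actionable for the top-level package. The embedded report is a constructed, trimmed copy of the one posted.

```javascript
// Constructed, trimmed copy of the npm 6 `npm audit --json` report from the issue.
const auditReport = {
  advisories: {
    "1002475": {
      module_name: "set-value",
      severity: "high",
      patched_versions: ">=4.0.1",
      cves: ["CVE-2021-23440"],
      findings: [{
        version: "2.0.1",
        paths: [
          "nanomatch>snapdragon>base>cache-base>set-value",
          "nanomatch>snapdragon>base>cache-base>union-value>set-value",
        ],
      }],
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// List every advisory at or above `minSeverity`, recording the direct dependency
// at the root of each dependency path and whether the vulnerable module is only
// reached transitively (path depth > 1). Unknown severities are kept, not dropped.
function triageAudit(report, minSeverity = "high") {
  const threshold = SEVERITY_RANK[minSeverity] ?? 0;
  const results = [];
  for (const [id, adv] of Object.entries(report.advisories || {})) {
    const rank = SEVERITY_RANK[adv.severity];
    if (rank !== undefined && rank < threshold) continue;
    const roots = new Set();
    let maxDepth = 0;
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const chain = path.split(">");
        roots.add(chain[0]);
        maxDepth = Math.max(maxDepth, chain.length);
      }
    }
    results.push({
      id, module: adv.module_name, severity: adv.severity,
      cves: adv.cves || [], patched: adv.patched_versions,
      installed: [...new Set((adv.findings || []).map(f => f.version))],
      roots: [...roots].sort(), transitive: maxDepth > 1,
    });
  }
  return results;
}

console.log(JSON.stringify(triageAudit(auditReport), null, 2));
```

Feed it the full output of `npm audit --production --json` (parsed with `JSON.parse`) in place of the constructed object to triage a real install.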

jonschlinkert commented 3 years ago

Closing since this output is provided to every single user of node.js with every install.