pahen / madge

Create graphs from your CommonJS, AMD or ES6 module dependencies
MIT License

Patch vulnerability from dependency requirejs #429

Closed pcorpet closed 3 days ago

pcorpet commented 1 month ago

See the vulnerability here: https://github.com/advisories/GHSA-x3m3-4wpv-5vgc

The requirement comes from a transitive dependency inside dependency-tree. A fix could be to ask them to fix it or to use another library.

gestj commented 1 month ago

https://github.com/requirejs/requirejs/issues/1854

No plans to address that report, this project is not under active development.

:(

Only current workaround is downgrading to madge 0.6.0 🤯

requirejs  *
Severity: high
jrburke requirejs vulnerable to prototype pollution - https://github.com/advisories/GHSA-x3m3-4wpv-5vgc
fix available via `npm audit fix --force`
Will install madge@0.6.0, which is a breaking change
node_modules/requirejs
  module-lookup-amd  >=4.0.0
  Depends on vulnerable versions of requirejs
  node_modules/module-lookup-amd
    filing-cabinet  >=1.2.2
    Depends on vulnerable versions of module-lookup-amd
    node_modules/filing-cabinet
      dependency-tree  >=5.2.0
      Depends on vulnerable versions of filing-cabinet
      node_modules/dependency-tree
        madge  >=1.0.0
        Depends on vulnerable versions of dependency-tree
        node_modules/madge

callumacrae commented 1 month ago

requirejs/requirejs#1854

No plans to address that report, this project is not under active development.

It was fixed in 2.3.7!

I'm using yarn resolutions to work around it. In package.json:

  "resolutions": {
    "madge/**/requirejs": "^2.3.7"
  },
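
Whether the transitive chain shown in the audit output above still resolves to a vulnerable requirejs, and whether a `^2.3.7` resolution actually took effect, can be checked mechanically. The following is an added example, not madge's code or anything posted in this thread: it walks a dependency tree shaped like `npm ls --json` output and lists every path that resolves `requirejs` below 2.3.7. The tree is constructed; its version numbers reuse the lower bounds from the audit output, and 2.3.6 stands in for a pre-fix requirejs release.

```javascript
// Added example (not madge's own code): walk a dependency tree shaped like
// `npm ls --json` output and report every path to a package still below the fix.

// Compare two "x.y.z" release versions numerically; returns -1, 0 or 1.
// Assumption: plain release versions only, no prerelease tags.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0, db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Depth-first walk; each hit is the chain of "name@version" from the root
// down to the affected package, so the transitive route is visible.
function findVulnerablePaths(tree, pkgName, fixedVersion, path = []) {
  const here = [...path, `${tree.name}@${tree.version}`];
  const hits = [];
  if (tree.name === pkgName && compareVersions(tree.version, fixedVersion) < 0) {
    hits.push(here.join(' > '));
  }
  for (const [name, dep] of Object.entries(tree.dependencies || {})) {
    hits.push(...findVulnerablePaths({ name, ...dep }, pkgName, fixedVersion, here));
  }
  return hits;
}

// Constructed sample mirroring the chain in the npm audit output above
// (lower bounds from that output; the requirejs version is a parameter).
function sampleTree(requirejsVersion) {
  return {
    name: 'my-app', version: '1.0.0',
    dependencies: {
      madge: { version: '1.0.0', dependencies: {
        'dependency-tree': { version: '5.2.0', dependencies: {
          'filing-cabinet': { version: '1.2.2', dependencies: {
            'module-lookup-amd': { version: '4.0.0', dependencies: {
              requirejs: { version: requirejsVersion },
            } },
          } },
        } },
      } },
    },
  };
}

console.log(findVulnerablePaths(sampleTree('2.3.6'), 'requirejs', '2.3.7')); // one path
console.log(findVulnerablePaths(sampleTree('2.3.7'), 'requirejs', '2.3.7')); // []
```

On a real project, feed it `JSON.parse` of `npm ls --all --json` output instead of `sampleTree`; an empty result after the resolution is applied confirms the override reached the nested copy.
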
pcorpet commented 3 days ago

Indeed, this is solved for me as well, even without the extra resolutions.