paulmillr / chokidar

Minimal and efficient cross-platform file watching library
https://paulmillr.com
MIT License

[v2: Vulnerability] Chokidar v2 is using glob-parent v3 which has a vulnerability #1291

Closed Bekaxp closed 11 months ago

Bekaxp commented 11 months ago

Describe the bug

By using Storybook for React Native (there is still no version 7) we are getting a dependency on chokidar v2.1.8, which has a dependency on glob-parent v3.1.0. Any version of glob-parent prior to v5.1.2 has a vulnerability:

└─ glob-parent
   ├─ ID: 1091181
   ├─ Issue: glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex
   ├─ URL: https://github.com/advisories/GHSA-ww39-953v-wcq6
   ├─ Severity: high
   ├─ Vulnerable Versions: <5.1.2
   ├─ Tree Versions
   │  └─ 3.1.0
   └─ Dependents
      └─ chokidar@npm:2.1.8

Would it be possible to bump up the dependency in chokidar v2.1.8 because it is still being downloaded a lot (8,636,244 - based on npm trends) mainly I guess because of Storybook... I checked the version and bumping it up to v5.1.2 should not be a problem as the function which is called is the same. I can even help out and open a PR for you if that would be acceptable?


To Reproduce:

Steps to reproduce the behavior. Include filename and chokidar config.

Ideally prove a problem by isolating and making it reproducible with a very short sample program, which you could paste here:

yarn add chokidar@2.1.8
yarn npm audit --all --recursive

Expected behavior

No more vulnerabilities with v2.

Bekaxp commented 11 months ago

@paulmillr I understand why you closed it. You don't support this version anymore. But like I said there are still A LOT of downloads of this package because of Storybook. Anyone using it will have this vulnerability until they release v7. I can even create a branch with a fix and bumped up version, then this would be fixed and no one has to do any magic with version pinning or other hacky ways of resolving it, if you want it of course :)
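
The "version pinning" mentioned in the comment above, as an added example of my own rather than anything from this issue: a package.json fragment that forces every glob-parent in the dependency tree up to 5.1.2 or later, with Yarn's `resolutions` and npm's `overrides` (npm 8.3 or later) side by side. It assumes a project whose only route to glob-parent is chokidar 2, relies on the reporter's claim that the call chokidar makes is unchanged in 5.x (not verified here), and uses `app` as a placeholder package name.

```json
{
  "name": "app",
  "private": true,
  "devDependencies": {
    "chokidar": "2.1.8"
  },
  "resolutions": {
    "glob-parent": "^5.1.2"
  },
  "overrides": {
    "glob-parent": "^5.1.2"
  }
}
```

After reinstalling, `yarn why glob-parent` (or `npm ls glob-parent`) should list only a 5.1.x copy, and the audit command from the report should no longer flag ID 1091181. Two caveats: a bare `glob-parent` key rewrites every consumer of the package in the tree, not only chokidar's, so check the other dependents it lists before relying on it; and pinning one package does nothing about the size of chokidar 2's transitive tree, which is the concern raised later in this thread.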

paulmillr commented 11 months ago
  1. This is not a vulnerability. I mean, it is, but ReDoS is pretty minor. If it was something like "there is a virus which leaks credentials to a hacker" then I'd do something ofc.
  2. Last release of Chokidar 2 was 4 years ago. The fact storybook did not upgrade in this period is not great.
paulmillr commented 11 months ago

I'm just one developer. Storybook is developed by a shitton of people. I would argue it's totally their responsibility to ensure stuff like this doesn't happen.

Bekaxp commented 11 months ago

I totally agree with you. Storybook should've used a newer version of your package to avoid this issue, you even marked that version as deprecated and that should not be used. But as the downloaded number is so high, if you want I can help creating a branch of that version with the fix? If not, I completely understand and we keep this closed :).

paulmillr commented 11 months ago

Using chokidar v2 itself is a security issue because it uses a shitton of deps. Any dep could get hacked and replaced with malware and you won't notice.

This is the real issue. Not "ReDoS" stuff. Tell them to upgrade.