Closed karlhorky closed 1 year ago
Note: this would be a major version bump. Also, check-links now uses ESM instead of CommonJS.
@ChristianMurphy Thanks for #44, great that it got merged!
As for a release that we can expect this in, I'm guessing this will come out in a new release, remark-lint-no-dead-urls@2.0.0, in the next days/weeks.
Hey @karlhorky! 👋
Yes, the next release will be a major release (2.0.0).
The release will likely be in a few weeks rather than days.
There are more changes planned, updating the docs and types.
In the meantime, I assume your concern centers around what risk this poses. Most likely little to none, see https://overreacted.io/npm-audit-broken-by-design/
For this to be "exploited" through remark-lint-no-dead-urls, the bad actor would need to be able to run the linter, meaning they already have executable access to a live terminal.
In which case they could already access Unix sockets directly.
Saying that an attacker could access something they already have access to, in a more cumbersome and roundabout way, isn't really an "exploit" or "security vulnerability".
I continue to hope npm audit, Snyk, and other security auditing tools will offer maintainers more and better tools to articulate the actual risk level posed by transitive dependencies.
I assume your concern centers around what risk this poses
Ah no, not super concerned or eager to see this get released. Just mainly communicating about the version number for posterity / bookkeeping, in case anyone also runs into this, comes to this issue and wants to upgrade to the correct version. I find that it's nice to have the version in the discussion thread, and I'm happy to be the one to post that :)
I continue to hope npm audit, Snyk, and other security auditing tools will offer maintainers more and better tools to articulate the actual risk level posed by transitive dependencies.
Yeah, would be amazing to get better tooling around this, e.g. more mainstream tools to do static analysis on what code path / which vulnerable code is used where: https://twitter.com/karlhorky/status/1412401098376290308
Hi @davidtheclark @ChristianMurphy @transitive-bullshit, thanks for this remark-lint plugin, very useful!
Would you be open to upgrading to check-links@^2.0.0? It addresses a security vulnerability in the transitive dependency got: