semantic-release / changelog

:blue_book: semantic-release plugin to create or update a changelog file
MIT License

High Security Finding Tar 6.2.0 #405

Closed karlderkaefer closed 3 weeks ago

karlderkaefer commented 3 weeks ago

There is a high security finding detected

https://github.com/advisories/GHSA-f5x3-32g6-xq36

1 Known Vulnerability
npmjs: tar/6.2.0

node-tar is vulnerable to a denial-of-service (DoS) condition due to missing limits on sub-folder creation during the folder creation process. An attacker could exploit this by generating a large number of sub-folders in order to consume memory on the system running node-tar and/or to crash the Node.js client.

Solution - Fix available: fixed in 6.2.1 by this commit.

karlderkaefer commented 3 weeks ago
tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install semantic-release@24.2.0, which is a breaking change
node_modules/npm/node_modules/tar
  npm  <=10.5.0
  Depends on vulnerable versions of tar
  node_modules/npm
    @semantic-release/npm  5.0.0 - 10.0.6
    Depends on vulnerable versions of npm
    node_modules/@semantic-release/npm
      semantic-release  15.9.4 - 22.0.0-beta.9
      Depends on vulnerable versions of @semantic-release/npm
      node_modules/semantic-release

14 vulnerabilities (11 moderate, 3 high)

To address issues that do not require attention, run:
  npm audit fix

travi commented 3 weeks ago

This should be fixable in your own project by updating your lockfile. Also worth noting that the proposed change would not impact consumers, so a lockfile update would still be necessary in your project.

karlderkaefer commented 3 weeks ago

Yes, it's fixable in our lockfiles with npm overrides. Since we have a lot of projects using this library, I was hoping there is a possibility to upgrade the transitive dependency in this project, so that we can do the upgrade with Renovate by increasing the version of semantic-release changelog. I'm not experienced in npm; can you describe what would be needed to achieve this?
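One way for a consumer to confirm which copy of tar in their own lockfile is still below the patched release, and to produce the package.json "overrides" entry the comment above refers to. This is an added example, not code from the semantic-release project; the lockfile content is constructed to mirror the nested path shown in the npm audit output, and the function names are assumptions.

```javascript
// Added example (not from the semantic-release project): scan a lockfile for
// nested copies of a package that are still below the patched version.
const FIXED_TAR = "6.2.1"; // GHSA-f5x3-32g6-xq36 is fixed in tar 6.2.1

// Constructed package-lock.json (lockfileVersion 3 layout). The top-level tar
// is already patched; the copy nested under npm is the one npm audit flagged.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "semantic-release": "^22.0.0" } },
    "node_modules/tar": { version: "6.2.1" },
    "node_modules/npm": { version: "10.5.0" },
    "node_modules/npm/node_modules/tar": { version: "6.2.0" },
  },
};

// Compare dotted numeric versions; returns -1, 0 or 1. Pre-release suffixes
// are stripped, which is enough for the tar releases discussed here.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name`, top-level or nested, whose version
// is older than `fixed`, with its lockfile path so the owner can see which
// dependency chain pulled it in.
function findVulnerableCopies(lock, name, fixed) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + name) || !entry.version) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Build the package.json "overrides" fragment that forces every nested copy
// of the package up to the fixed release (npm 8.3 and later honour it).
function overridesFor(name, fixed) {
  return { overrides: { [name]: ">=" + fixed } };
}

console.log(findVulnerableCopies(SAMPLE_LOCK, "tar", FIXED_TAR));
console.log(JSON.stringify(overridesFor("tar", FIXED_TAR)));
```

After adding the override, `npm install` rewrites the lockfile and `npm audit` should no longer list the nested tar.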

travi commented 3 weeks ago

so that we can do the upgrade with renovate

Renovate support is beyond what we directly provide here, but I highly recommend looking into https://docs.renovatebot.com/configuration-options/#lockfilemaintenance as that will help you avoid your lockfile growing stale.