semantic-release / npm

:ship: semantic-release plugin to publish a npm package
MIT License

Security Issue with out of date tar@6.2.0 found with SNYK #784

Closed jebarpg closed 5 months ago

jebarpg commented 5 months ago

Fixed in: @6.2.1 | Exploit maturity: MEDIUM

Overview

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to the lack of folders count validation during the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running the software and even crash the client within a few seconds of running it using a path with too many sub-folders inside.

Remediation Upgrade tar to version 6.2.1 or higher.

@semantic-release/npm@12.0.0
│ └─┬ npm@10.5.0
│   ├─┬ cacache@18.0.2
│   │ └── tar@6.2.0 deduped
│   ├─┬ libnpmdiff@6.0.7
│   │ └── tar@6.2.0 deduped
│   ├─┬ node-gyp@10.0.1
│   │ └── tar@6.2.0 deduped
│   ├─┬ pacote@17.0.6
│   │ └── tar@6.2.0 deduped
│   └── tar@6.2.0
├─┬ cacache@18.0.2 extraneous
│ └── tar@6.2.0 deduped
├─┬ libnpmdiff@6.0.7 extraneous
│ └── tar@6.2.0 deduped
├─┬ node-gyp@10.0.1 extraneous
│ └── tar@6.2.0 deduped
├─┬ pacote@17.0.6 extraneous
│ └── tar@6.2.0 deduped
└── tar@6.2.0 extraneous

Seems like npm needs to be updated to a higher version to resolve this issue.

travi commented 5 months ago

first of all, for security related concerns, please follow our security policy in the future.

> npm needs to be updated to a higher version

you can already make this update in your project with no change to this project since we depend on npm as a range, rather than as a specific version. this is also one of the reasons we recommend installing and running with npx rather than capturing semantic-release as a dependency in your project. in your case, your lockfile is resulting in pulling an old version when there is already a fix available for this concern.

since this is already solvable without us releasing an update, I'm going to close this with the recommendation to update your lockfile or to switch to using npx instead.
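A way to check a project's own lockfile for the situation described above (a copy of tar resolved to an old version even though a fixed one is already within the allowed range), as an added example that is not code from semantic-release or from anyone in this thread. It assumes npm's lockfileVersion 2/3 `packages` map; the sample lockfile is constructed to mirror the tree posted in the issue.

```javascript
// Added example (not semantic-release's own code): scan an npm lockfile
// (lockfileVersion 2/3 "packages" map) for every installed copy of a package
// resolved below the version that carries the fix, e.g. tar < 6.2.1.

// Compare two "major.minor.patch" strings; returns <0, 0 or >0.
// Prerelease tags are ignored, which is enough for this check.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return [{ path, version }] for each copy of `name` whose resolved version
// is older than `fixedIn`. Nested copies (node_modules/a/node_modules/tar)
// are reported too: npm only dedupes when every dependant's range allows it.
function findOutdatedCopies(lock, name, fixedIn) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + name)) continue;
    if (meta.version && compareSemver(meta.version, fixedIn) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile mirroring the tree in the issue: tar@6.2.0 is
// deduped at the top level; a nested copy that already has the fix is added
// to show it is not flagged.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@semantic-release/npm": "^12.0.0" } },
    "node_modules/@semantic-release/npm": { version: "12.0.0" },
    "node_modules/npm": { version: "10.5.0" },
    "node_modules/tar": { version: "6.2.0" },
    "node_modules/other/node_modules/tar": { version: "6.2.1" },
  },
};

// Pass a real package-lock.json path as argv[2]; otherwise use the sample.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : sampleLock;
  console.log(findOutdatedCopies(lock, "tar", "6.2.1"));
}
```

Run as `node check-lock.js ./package-lock.json` (file name is hypothetical); an empty result means every resolved copy of tar is already at or above the fixed version, and a non-empty one means the lockfile, not the dependency range, is what still pins the old version.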

jebarpg commented 5 months ago

> first of all, for security related concerns, please follow our security policy in the future.
>
> > npm needs to be updated to a higher version
>
> you can already make this update in your project with no change to this project since we depend on npm as a range, rather than as a specific version. this is also one of the reasons we recommend installing and running with npx rather than capturing semantic-release as a dependency in your project. in your case, your lockfile is resulting in pulling old version when there is already a fix available for this concern.
>
> since this is already solvable without us releasing an update, I'm going to close this with the recommendation to update your lockfile or to switch to using npx instead.

Thank you for informing me. I have updated my environment, as well as fixed the package.json script in the project I'm maintaining for updating npm, to keep it up to date.

Your help is much appreciated.

Cheers!

BriceShatzer commented 5 months ago

> no change to this project since we depend on npm as a range, rather than as a specific version.

@travi but the range you are allowing includes a version with a known vulnerability. Why not fix the issue?