simonhaenisch / md-to-pdf

Hackable CLI tool for converting Markdown files to PDF using Node.js and headless Chrome.
https://www.npmjs.com/md-to-pdf
MIT License

vulnerability issue - minimatch library version 3.0.4 is not safe #151

Closed hadasmeitav closed 1 year ago

hadasmeitav commented 1 year ago

Context:

As a sub-dependency, you're using the serve-handler library, which uses the minimatch library. minimatch version 3.0.4 is vulnerable. Can we update the serve-handler version so that this vulnerability issue won't apply to my code?

Thanks in advance 🙏

simonhaenisch commented 1 year ago

Ok, but just so you're aware, there's no way to actually exploit this vulnerability, since as an end user you don't have any control over the input that is vulnerable (the requested path). So in that sense this vulnerability doesn't apply to your code already.

These vulnerability reports are generally overrated, and it would be appreciated if you only open an issue about it if you can confirm that the vulnerability is relevant (:

hadasmeitav commented 1 year ago

You're right, but nevertheless my company can't pass the external security inspection because of this...

simonhaenisch commented 1 year ago

I just checked... 1) there are no updates available for serve-handler, and 2) I don't even have this vulnerable minimatch version installed in this project... as you can see here:

https://github.com/simonhaenisch/md-to-pdf/blob/b3ffa7da65f391a481fe02f7475caa65de8221e6/package-lock.json#L17180-L17187

This defines 3.1.2 as the version to be installed/used, and in the following lines you can see that this is also the version that serve-handler requires:

https://github.com/simonhaenisch/md-to-pdf/blob/b3ffa7da65f391a481fe02f7475caa65de8221e6/package-lock.json#L17180-L17187

What you probably have is that your own lock-file has this outdated minimatch version pinned... I assume you can fix this by running npm upgrade (or yarn upgrade would be equivalent) without any arguments, which will upgrade all available package updates that are in-range for your project. Or if you don't want to touch everything, you can try npm upgrade minimatch as well.

BTW if your company benefits from this project and would be able to sponsor me even in the slightest form, that would be greatly appreciated and mean that I can more actively support you (: