sindresorhus / cpy

Copy files
MIT License

cpy has transitive dependencies with a CVE vulnerability #98

Closed isuftin closed 2 years ago

isuftin commented 2 years ago

cpy depends on globby @ ^12.0.2. Following the dependency chain, this also pulls in globby @ 9.2.0. That version of globby depends on fast-glob which depends on glob-parent at a specific version with a vulnerability.

| +-- globby@9.2.0
| | +-- @types/glob@7.2.0
| | | +-- @types/minimatch@3.0.5
| | | `-- @types/node@16.11.9
| | +-- array-union@1.0.2
| | | `-- array-uniq@1.0.3
| | +-- dir-glob@2.2.2
| | | `-- path-type@3.0.0
| | |   `-- pify@3.0.0
| | +-- fast-glob@2.2.7
| | | +-- @mrmlnc/readdir-enhanced@2.2.1
| | | | +-- call-me-maybe@1.0.1
| | | | `-- glob-to-regexp@0.3.0
| | | +-- @nodelib/fs.stat@1.1.3
| | | +-- glob-parent@3.1.0 <---
| | | | +-- is-glob@3.1.0
| | | | | `-- is-extglob@2.1.1 deduped
| | | | `-- path-dirname@1.0.2

+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| glob-parent | CVE-2020-28469   | HIGH     | 3.1.0             | 5.1.2         | nodejs-glob-parent: Regular           |
|             |                  |          |                   |               | expression denial of service          |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28469 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+

The latest version of globby has a dependency tree which does pull in a fixed version of glob-parent.
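One way to verify a fix like this locally, as an added example rather than anything from the cpy project or this issue: walk an `npm ls --json`-shaped dependency tree and report every path that reaches glob-parent below 5.1.2, the fixed version listed in the scan table above. The tree here is a constructed sample mirroring the chain in the report; in practice you would feed it the parsed output of `npm ls --json --all`.

```javascript
// Constructed sample in the shape of `npm ls --json`, trimmed to the chain
// reported in the issue plus one already-fixed copy for contrast.
const SAMPLE_TREE = {
  name: "constructed-root",
  dependencies: {
    globby: {
      version: "9.2.0",
      dependencies: {
        "fast-glob": {
          version: "2.2.7",
          dependencies: {
            "glob-parent": { version: "3.1.0" },
          },
        },
      },
    },
    "glob-parent": { version: "5.1.2" },
  },
};

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
// Pre-release suffixes are dropped, which is enough for the release versions npm ls prints.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect "a@x > b@y > pkg@z" paths for every installed copy of
// `pkg` older than `fixed`. Deduped entries in `npm ls --json` carry no nested
// `dependencies`, so the walk terminates on its own.
function findVulnerablePaths(node, pkg, fixed, path = [], hits = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${child.version}`];
    if (name === pkg && compareVersions(child.version, fixed) < 0) {
      hits.push(here.join(" > "));
    }
    findVulnerablePaths(child, pkg, fixed, here, hits);
  }
  return hits;
}

const hits = findVulnerablePaths(SAMPLE_TREE, "glob-parent", "5.1.2");
console.log(hits.length ? hits.join("\n") : "no vulnerable glob-parent found");
```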

jj05y commented 2 years ago

@SimonSiefke - can this be bumped?

iiLearner commented 2 years ago

Is there any update on this? We have Dependabot alerts with high severity.

mheob commented 2 years ago

@sindresorhus The updated dependencies are already included in the project. Is anything still blocking the release of a new version? Can we help in any way?

sindresorhus commented 2 years ago

It's blocked by https://github.com/sindresorhus/cpy/pull/92

ryami333 commented 2 years ago

@sindresorhus Is it actually truly blocked by that PR, or does that PR just happen to address the issue, amongst other things? Wondering because that PR seems to have stalled, and this remains a "high severity" CVE alert, months on. It either needs a new champion, or the transitive dependency aspects need to be cherry-picked.

rchisholm commented 2 years ago

Any update on this? It's the only vulnerability we've had for several months.

sindresorhus commented 2 years ago

https://github.com/sindresorhus/cpy/releases/tag/v9.0.0