vercel / fun

ƒun - Local serverless function λ development runtime
Apache License 2.0

update prod packages with CVE vulnerabilities #95

Closed dfrankland closed 9 months ago

dfrankland commented 11 months ago

I was using trunk check on my own repo and noticed some moderately severe vulnerabilities with the dependencies of @vercel/fun:

  ISSUES

pnpm-lock.yaml:175:0
  175:0  medium  Vulnerability in 'debug': nodejs-debug: Regular expression Denial of Service. Current version is vulnerable: 4.1.1. Patch available: upgrade to 2.6.9, 3.1.0, 3.2.7, 4.3.1   trivy/CVE-2017-16137
 3517:0  medium  Vulnerability in 'semver': Regular expression denial of service. Current version is vulnerable: 7.3.5. Patch available: upgrade to 7.5.2, 6.3.1, 5.7.2 or higher.            trivy/CVE-2022-25883

You can find these with pnpm audit --prod too.

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ semver vulnerable to Regular Expression Denial of      │
│                     │ Service                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ semver                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=7.0.0 <7.5.2                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │                                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Regular Expression Denial of Service in debug          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ debug                                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <4.3.1                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.3.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │                                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-gxpj-cx7g-858c      │
└─────────────────────┴────────────────────────────────────────────────────────┘
2 vulnerabilities found
Severity: 2 moderate
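
As an added example (not part of this PR or the @vercel/fun project), here is the check a CI gate on pnpm audit --prod output has to perform: apply each advisory's vulnerable range to the versions a lockfile resolves and fail on anything at or above a severity threshold. The advisory records and installed versions below are constructed from the numbers quoted in this thread, and the record field names are an assumption for illustration, not pnpm's own JSON schema.

```python
"""Added example: flag installed versions that fall inside advisory ranges (not project code)."""
import re
from typing import Dict, List, Tuple

# Advisory records constructed from the two findings quoted in this thread.
# Field names are an assumption for illustration, not pnpm's own JSON schema.
ADVISORIES = [
    {"module_name": "semver", "severity": "moderate", "vulnerable_versions": ">=7.0.0 <7.5.2",
     "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},
    {"module_name": "debug", "severity": "moderate", "vulnerable_versions": ">=4.0.0 <4.3.1",
     "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c"},
]
# Versions as a lockfile would resolve them (constructed; 7.3.5 and 4.1.1 are the ones reported above).
INSTALLED = {"semver": ["7.3.5", "7.5.2"], "debug": ["4.1.1"]}

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}
_CMP = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric core of a semver string: '7.3.5' -> (7, 3, 5); pre-release/build tags are ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("+")[0].split("."))

def in_range(version: str, range_expr: str) -> bool:
    """True if version satisfies a range such as '>=7.0.0 <7.5.2' or '<2.6.9 || >=4.0.0 <4.3.1'.
    Space-separated comparators are ANDed; '||' separates alternatives; a bare version means '='."""
    v = parse_version(version)
    for alternative in range_expr.split("||"):
        comparators = re.findall(r"(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)", alternative)
        if comparators and all(_CMP[op or "="](v, parse_version(b)) for op, b in comparators):
            return True
    return False

def vulnerable_findings(advisories: List[dict], installed: Dict[str, List[str]],
                        min_severity: str = "moderate") -> List[Tuple[str, str, str]]:
    """(package, version, advisory url) for each installed version inside a vulnerable range
    at or above min_severity; an empty list means the gate passes."""
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for adv in advisories:
        if SEVERITY_RANK[adv["severity"]] < threshold:
            continue
        for version in installed.get(adv["module_name"], []):
            if in_range(version, adv["vulnerable_versions"]):
                hits.append((adv["module_name"], version, adv["url"]))
    return hits

if __name__ == "__main__":
    for pkg, ver, url in vulnerable_findings(ADVISORIES, INSTALLED):
        print(f"{pkg}@{ver} is in a vulnerable range, see {url}")
```

Exiting non-zero when the list is non-empty turns this into a merge gate; the patched versions 7.5.2 and 4.3.1 sit outside the ranges and are not reported.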

roopakv commented 11 months ago

@cb1kenobi any chance you could take a look and maybe merge + publish a new version :)

github-actions[bot] commented 9 months ago

:tada: This PR is included in version 1.1.1 :tada:

The release is available on:

Your semantic-release bot :package::rocket: