Closed arderyp closed 3 years ago
multicast-dns patched their dns-packet dependency. Updating to "multicast-dns": "^7.2.3" should do the trick.
This is a potentially breaking change though as current version is: "multicast-dns": "^6.0.1"
@croraf, yes, that's correct. I also notice this project hasn't been touched in 5 years. Hopefully it's still being actively monitored and maintained. Paging @watson
Yep, it seems @croraf was correct, but the breaking changes were trivial to fix. Ready to go: https://github.com/watson/bonjour/pull/64
This is fixed in dns-packet v1 which this is tracking, trying to get them to update the advisory to create less noise.
@mafintosh, are you saying the latest version of this package (and thus dns-packet@1.3.1) is not actually vulnerable to the aforementioned CVE? If so, that'll be the second inaccurate CVE vulnerability warning from GitHub that I've seen in the past week.
@arderyp no, I backported the fix to v1 to make it easy for people to get the fix without changing their semvers
Here is the issue stating it's fixed: mafintosh/multicast-dns/issues/75. I think dns-packet 1.3.4 has the fix.
Thanks @mafintosh. I was able to pull 1.3.4 successfully. GH still shows that as a vulnerable version, but I suppose that's what you were referencing when you said you were trying to get GH to update the advisory (to include 1.3.4 as non-vulnerable). Thanks again.
@arderyp yeah, I contacted Snyk today to get them to update their db and they promised to do that today (crossing my fingers that'll happen soon)
Looks like they've done it. No more warning over here :)
Back-ported dns-packet@1.3.4 provides the fix and does not require downstream versioning. A simple yarn upgrade should resolve the vulnerability now.
Wait, why is this closed? Version 3.5 (latest) still has the issue...
Run yarn upgrade. You should notice your dns-packet jump to version 1.3.4. Thanks to @mafintosh, that fixes the CVE vulnerability exposure to multicast-dns, and thus to the latest version here. Push that to GH and you'll see the vulnerability warning disappear.
If the maintainers or others want to upgrade from multicast-dns 6.x to 7.x, you should open a separate issue for that specific task. This issue is simply about resolving the CVE exposure, which is now done.
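To verify the "check your dns-packet version after yarn upgrade" step above without trusting the GitHub or Snyk advisory database, here is an added example (not code from the bonjour project or from anyone in this thread) that parses a yarn v1 lockfile and flags any resolved dns-packet 1.x version below 1.3.4, the back-ported fix version named in this thread. The lockfile fragment is constructed, and the 1.3.4 threshold is taken from the thread; dns-packet on other major lines is reported as "unknown" because the thread gives no fixed version for them.

```javascript
// Back-ported fix version named in this thread (assumption: 1.x line only).
const FIXED_1X = [1, 3, 4];

function parseVersion(v) {
  return v.split('.').map((n) => parseInt(n, 10));
}

// Returns -1, 0 or 1 comparing two [major, minor, patch] arrays.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Pulls every dns-packet entry out of yarn v1 lockfile text. Entries look like:
//   dns-packet@^1.3.1:
//     version "1.3.1"
function findDnsPacketEntries(lockText) {
  const entries = [];
  const lines = lockText.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    if (!/^"?dns-packet@/.test(line) || !line.endsWith(':')) continue;
    const spec = line.slice(0, -1).replace(/"/g, '');
    for (let j = i + 1; j < lines.length && /^\s/.test(lines[j]); j++) {
      const ver = lines[j].match(/^\s+version "([^"]+)"/);
      if (ver) { entries.push({ spec, version: ver[1] }); break; }
    }
  }
  return entries;
}

function classify(version) {
  const parsed = parseVersion(version);
  if (parsed[0] !== 1) return 'unknown'; // thread gives no threshold for 5.x etc.
  return compareVersions(parsed, FIXED_1X) < 0 ? 'vulnerable' : 'fixed';
}

function auditLock(lockText) {
  return findDnsPacketEntries(lockText).map((e) => ({ ...e, status: classify(e.version) }));
}

// Constructed sample lockfile fragment, as it might look before `yarn upgrade`.
const SAMPLE_LOCK = `
dns-packet@^1.3.1:
  version "1.3.1"
  resolved "https://registry.yarnpkg.com/dns-packet/-/dns-packet-1.3.1.tgz"
  dependencies:
    ip "^1.1.0"

multicast-dns@^6.0.1:
  version "6.2.3"
  dependencies:
    dns-packet "^1.3.1"
`;

for (const r of auditLock(SAMPLE_LOCK)) console.log(`${r.spec} -> ${r.version}: ${r.status}`);
```

Run it against your real yarn.lock by replacing SAMPLE_LOCK with the file contents; a "vulnerable" line means the upgrade has not taken effect yet.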
CVE-2021-23386
the current multicast-dns dependency version relies on an ancient version of dns-packet that is vulnerable to CVE-2021-23386
https://github.com/watson/bonjour/blob/master/package.json#L11
RELATED: