zazoomauro / node-dependency-injection

The NodeDependencyInjection component allows you to standardize and centralize the way objects are constructed in your application.
https://github.com/zazoomauro/node-dependency-injection/wiki
MIT License

babel/traverse <7.23.2 critical vulnerability #205

Open boly38 opened 1 year ago

boly38 commented 1 year ago

Hi, it seems that in order to fix an indirect critical issue in deps, there is a need to update @babel/plugin-transform-runtime to @babel/plugin-transform-runtime@7.23.2 (source)

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92

  └─┬ @babel/plugin-transform-runtime@7.19.6
    └─┬ @babel/core@7.19.6
      ├─┬ @babel/helper-module-transforms@7.19.6
      │ └── @babel/traverse@7.19.6 deduped
      ├─┬ @babel/helpers@7.19.4
      │ └── @babel/traverse@7.19.6 deduped
      └── @babel/traverse@7.19.6

forcing resolution to 7.23.2 fixes the issue for me as a workaround
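The resolution workaround from the comment above, spelled out as an added example (not from the original issue or the project's package.json): the `overrides` block pins the transitive `@babel/traverse` to the patched version named in the advisory, and the bumped `@babel/plugin-transform-runtime` line is the direct-dependency update the comment proposes. The surrounding package fields are placeholders; the vulnerable tree in the comment shows `@babel/plugin-transform-runtime@7.19.6` as the current version. `overrides` is npm's field (npm 8.3 and later); Yarn classic uses a `resolutions` field with the same shape.

```json
{
  "name": "example-consumer",
  "version": "0.0.0-placeholder",
  "devDependencies": {
    "@babel/plugin-transform-runtime": "^7.23.2"
  },
  "overrides": {
    "@babel/traverse": "^7.23.2"
  }
}
```

After reinstalling, confirm that no copy below 7.23.2 remains with `npm ls @babel/traverse` (every entry, including the `deduped` ones in the tree above, should resolve to 7.23.2 or later) and re-run `npm audit` to check that GHSA-67hx-6x53-jw92 no longer appears. Treat the override as a stopgap: once the direct dependency's own version range pulls in a patched `@babel/traverse`, drop the override so it does not mask future updates.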

zazoomauro commented 3 months ago

@boly38 feel free to ask for a PR

boly38 commented 2 months ago

hi, I looked at it (under wsl2, because a file with `:` prevents checkout from the Windows side) but there is too much deps structure to update and it needs a good understanding of the underlying business/test. Sorry, I won't do a PR. Regards