Hi, @MikeRalphson, I stumbled upon a high severity vulnerability introduced by package ajv@5.5.2:
Issue Description
When I build my project, I notice that a vulnerability (high severity) CVE-2020-15366 detected in package ajv<6.12.3 is directly referenced by oas-validator@4.0.8.
However, oas-validator@4.0.8 is so popular that a large number of latest versions of active and popular downstream projects depend on it (79,470 downloads per week and about 42 downstream projects, e.g., @redocly/developer-portal 1.0.0-beta.161, @redocly/reference-docs-lib 1.3.26, @redocly/redoc-int 2.0.0-rc.62, @mojaloop/central-services-shared 13.0.5, @adobe/parliament-ui-components 4.6.2, etc.).
In this case, the vulnerability CVE-2020-15366 can be propagated into these downstream projects and expose security threats to them.
As you can see, oas-validator@4.0.8 is introduced into the above projects via the following package dependency paths:
(1) @adobe/gatsby-theme-aio@3.15.0 ➔ @adobe/parliament-site-search-index@0.0.4 ➔ widdershins@4.0.1 ➔ swagger2openapi@6.2.3 ➔ oas-validator@4.0.8 ➔ ajv@5.5.2 ......
I know that it's kind of you to have removed the vulnerability since oas-validator@5.0.0. But, in fact, the above large number of downstream projects cannot easily upgrade oas-validator from version 4.0.8 to (>=5.0.0):
The projects such as widdershins, which introduced oas-validator@4.0.8, are not maintained anymore. These unmaintained packages can neither upgrade oas-validator nor be easily migrated by the large number of affected downstream projects.
Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package oas-validator@4.0.8?
Suggested Solution
Since these inactive projects set a version constraint 4.0.* for oas-validator on the above vulnerable dependency paths, if oas-validator removes the vulnerability from 4.0.8 and releases a new patched version oas-validator@4.0.9, such a vulnerability patch can be automatically propagated into the downstream projects.
In oas-validator@4.0.9, maybe you can try to perform the following upgrade: ajv ^5.5.2 ➔ ^6.12.3. Note: ajv@6.12.3 (>=6.12.3) has fixed the vulnerability CVE-2020-15366.
Thank you for your attention to this issue, and you are welcome to share other ways to resolve it.
Best regards,
^_^
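As an added example (not code from oas-validator, widdershins or the issue author), the Node.js script below does what the report above does by hand: it walks a package-lock.json to print dependency paths like path (1) that end in an ajv below the fixed version 6.12.3, and it checks the Suggested Solution's point that a 4.0.* constraint would pick up a patched 4.0.9 automatically but not 5.0.0. The lockfile contents, the root package name docs-site and the hoisted-resolution assumption (every dependency at node_modules/<name>) are constructed for the demo.

```javascript
// Constructed package-lock.json v2 "packages" map for the demo (not a real project's lockfile);
// it reproduces dependency path (1) from the issue. Hoisted resolution is assumed, so every
// dependency of a package resolves to node_modules/<name>.
const LOCK = {
  packages: {
    "": { name: "docs-site", dependencies: { "@adobe/gatsby-theme-aio": "^3.15.0" } },
    "node_modules/@adobe/gatsby-theme-aio": { version: "3.15.0",
      dependencies: { "@adobe/parliament-site-search-index": "^0.0.4" } },
    "node_modules/@adobe/parliament-site-search-index": { version: "0.0.4",
      dependencies: { widdershins: "^4.0.1" } },
    "node_modules/widdershins": { version: "4.0.1", dependencies: { swagger2openapi: "^6.2.3" } },
    "node_modules/swagger2openapi": { version: "6.2.3", dependencies: { "oas-validator": "4.0.*" } },
    "node_modules/oas-validator": { version: "4.0.8", dependencies: { ajv: "^5.5.2" } },
    "node_modules/ajv": { version: "5.5.2" },
  },
};

const parseVersion = (v) => v.split(".").map(Number);

// Compare two x.y.z versions like a sort comparator (<0, 0, >0); prerelease tags are not handled.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Depth-first walk from the root package; collect every path whose last node is `target`
// installed strictly below `fixedIn`. `seen` stops the walk on dependency cycles.
function findVulnerablePaths(lock, target, fixedIn) {
  const pkgs = lock.packages, found = [];
  const walk = (key, trail, seen) => {
    const node = pkgs[key];
    if (!node || seen.has(key)) return;
    const label = key === "" ? node.name : `${key.replace(/^node_modules\//, "")}@${node.version}`;
    const path = [...trail, label];
    if (key === `node_modules/${target}` && compareVersions(node.version, fixedIn) < 0) {
      found.push(path.join(" -> "));
      return;
    }
    for (const dep of Object.keys(node.dependencies || {}))
      walk(`node_modules/${dep}`, path, new Set([...seen, key]));
  };
  walk("", [], new Set());
  return found;
}

// True when `version` satisfies an npm wildcard range such as "4.0.*" (same major.minor).
function satisfiesWildcard(range, version) {
  const got = parseVersion(version);
  return range.split(".").every((part, i) => part === "*" || Number(part) === got[i]);
}

findVulnerablePaths(LOCK, "ajv", "6.12.3").forEach((p) => console.log("vulnerable path:", p));
```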
widdershins is still maintained, and the next release will use the latest version of oas-validator. I'm not sure why any other projects would have problems migrating to the later version, unless you have specific information?
@MikeRalphson Thank you for your feedback. Since the latest version (4.0.1) of widdershins was released a year ago, I mistakenly assumed it was no longer maintained. Of course, if you can kindly release a new patched version widdershins@4.0.2 which uses the latest version of oas-validator, such a vulnerability patch can also be automatically propagated into the downstream projects. And please let me know that. Thanks again. ^_^