Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update vulnerable packages #763

Closed
rorymckinley opened this issue Sep 5, 2024 · 8 comments
Closed

Update vulnerable packages #763

rorymckinley opened this issue Sep 5, 2024 · 8 comments

Comments

@rorymckinley
Copy link
Contributor

rorymckinley commented Sep 5, 2024
edited
Loading

This is a bundle issue to cover upgrading issues picked up as a combination pnpm audit and dependabot. Each upgrade will be covered by a comment on the issue, covering the reasoning for the upgrade.
@rorymckinley rorymckinley changed the title Update vulnerable version of decode-uri-component Update vulnerable packages Sep 5, 2024
@rorymckinley
Copy link
Contributor Author

decode-uri-component:

This library is only used by devDependencies, so hopefully a safe change to make . The version to be upgraded is 0.2.0 will upgrade to 0.2.2 which has been out for almost 2 years.

@rorymckinley
Copy link
Contributor Author

rorymckinley commented Sep 5, 2024
edited
Loading

braces:

"if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop" - per GHSA-grv7-fg5c-xmjg.

braces is used by a lot of prod dependencies but, given that we execute what is essentially untrusted code :), it feels prudent to apply the patch version bump. The updated version has been out since May.

Unfortunately, braces can not be completely expunged as there is not a newer version of live-server available. This is not the end of the world as it is a devDependency but it will cause noise - so perhaps worth considering a switch to https://github.com/ljcp/alive-server.

@josephjclark
Copy link
Collaborator

@rorymckinley live-server is only used by an out of date ad unused dev server. We can just remove it and maybe fix the server later (i don't think the demo even needs it).

I'll raise an issue to fix / update the dev demo. You can just remove the live-server dependency.

@rorymckinley
Copy link
Contributor Author

Note to self: When submitting the PR, add 'alarming comments' re: the ws update as we jumped several minor versions.

@rorymckinley
Copy link
Contributor Author

Updated typesync - bumped up two minor versions as it was depending on ip which does not have a patch for the latest version and no patch on the horizon. typesync is a devDependency.

@rorymckinley
Copy link
Contributor Author

postcss: Vulnerability relates to parsing of untrusted CSS - also only a devDependency.

@rorymckinley
Copy link
Contributor Author

micromatch - vulnerable to regex DOS - used in a number of prod dependencies, but only 3 patch version bump needed to get a non-vulnerable version.

@rorymckinley
Copy link
Contributor Author

word-wrap: devDependency vulnerable to a regex DOS.

@rorymckinley rorymckinley mentioned this issue Sep 5, 2024
Merged
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
v2
Archived in project
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rorymckinley @josephjclark