
stylelint-config-airbnb package's dep includes high priority vulnerability #84

Open
ux-engineer opened this issue Aug 17, 2019 · 12 comments

Comments

@ux-engineer

Could you please update stylelint-config-airbnb package's dependencies, as these include high priority vulnerabilities?

npm audit

```
  High            Prototype Pollution
  Package         lodash
  Patched in      >=4.17.11
  Dependency of   stylelint-config-airbnb [dev]
  Path            stylelint-config-airbnb > editorconfig-tools > lodash
  More info       https://npmjs.com/advisories/782

  High            Prototype Pollution
  Package         lodash
  Patched in      >=4.17.12
  Dependency of   stylelint-config-airbnb [dev]
  Path            stylelint-config-airbnb > editorconfig-tools > lodash
  More info       https://npmjs.com/advisories/1065

  Moderate        Regular Expression Denial of Service
  Package         underscore.string
  Patched in      >=3.3.5
  Dependency of   stylelint-config-airbnb [dev]
  Path            stylelint-config-airbnb > editorconfig-tools > argparse >
                  underscore.string
  More info       https://npmjs.com/advisories/745
```
@ljharb (Collaborator) commented Aug 17, 2019

There is zero risk here, since editorconfig-tools is a dev dep and only run by devs of the package, so there’s nothing that needs doing.

It could be updated to use eclint, but that would only impact the < 3 developers who touch this project.

@ljharb ljharb closed this as completed Aug 17, 2019
@ux-engineer (Author)

@ljharb couldn't you just upgrade editorconfig-tools dependency's version to a higher one (if it has this lodash dep version upgraded to higher also)...?

A couple or so months ago many packages were giving this kind of high vuln alert because of an unpatched Lodash version dep...but those seem to have vanished now that packages have been updated.

When doing enterprise level application development with high security requirements, we are not happy to get notified of this kind of vulns even if it's about an only-dev-time dependency.

Neither does version tag "0.0.0" look trustworthy considering the potential popularity of this package, so that's another reason to do a deps upgrade :)

@ntwb commented Aug 20, 2019

FYI: It's actually a dependency, not a devDependency, but that's moot IMHO.

@envision from what I've looked at this stylelint config is no longer maintained, so the "potential popularity" of this package is also moot.

If you like the rules currently used, then fork the package as it is MIT licensed and you can tweak it to your personal preferences.

I'd also suggest taking a look at either of these widely used stylelint configs:
https://www.npmjs.com/package/stylelint-config-recommended
https://www.npmjs.com/package/stylelint-config-standard

@ljharb (Collaborator) commented Aug 29, 2019

Given that it's a runtime dep, then sure, we could switch it to eclint.

@ljharb ljharb reopened this Aug 29, 2019
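The disagreement above (dev-only versus runtime reachability) is exactly the question a consumer has to answer when triaging an `npm audit` finding. The script below is an added example, not code from this project or from npm: it walks a constructed, flattened install graph modelled on the audit paths quoted in the issue and reports, for each advisory that applies to the installed version, every path by which the package is reached and whether any path starts from a runtime dependency rather than a devDependency. The package `example-server`, the version numbers and the semver ranges are constructed; the ">=x.y.z" parsing is deliberately limited to the "Patched in" form shown in the audit output.

```javascript
// Added example (not the project's code): triage an npm audit finding by
// checking whether the vulnerable package is reachable from the consuming
// project's runtime dependencies or only from its devDependencies.
// All data below is constructed to mirror the audit paths quoted in the issue.

// The consuming project's package.json sections. "example-server" is a
// made-up runtime dependency added so that both outcomes appear.
const manifest = {
  dependencies: { "example-server": "1.0.0" },
  devDependencies: { "stylelint-config-airbnb": "0.0.0" },
};

// Flattened install tree (one version per name, as npm dedupes):
// name -> { version, requires: { depName: range } }. Versions are constructed.
const installed = {
  "stylelint-config-airbnb": { version: "0.0.0", requires: { "editorconfig-tools": "^0.0.1" } },
  "editorconfig-tools": { version: "0.0.1", requires: { lodash: "~3.10.1", argparse: "~0.1.15" } },
  argparse: { version: "0.1.16", requires: { "underscore.string": "~2.4.0" } },
  "underscore.string": { version: "2.4.0", requires: {} },
  lodash: { version: "3.10.1", requires: {} },
  "example-server": { version: "1.0.0", requires: { lodash: "^3.10.0" } },
};

// Advisories as reported by npm audit ("Patched in" range). Only the
// ">=x.y.z" form used in the issue is understood here.
const advisories = [
  { package: "lodash", severity: "high", title: "Prototype Pollution", patchedIn: ">=4.17.12" },
  { package: "underscore.string", severity: "moderate", title: "Regular Expression Denial of Service", patchedIn: ">=3.3.5" },
];

// Parse "1.2.3" into numbers; anything else is rejected so a prerelease tag
// cannot silently compare as "patched".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is below the patched range.
function isVulnerable(installedVersion, patchedIn) {
  const m = /^>=(\d+\.\d+\.\d+)$/.exec(patchedIn);
  if (!m) throw new Error(`unsupported patched-in range: ${patchedIn}`);
  return compareVersions(installedVersion, m[1]) < 0;
}

// Depth-first walk from one top-level dependency, collecting every path that
// ends at `target`. `seen` guards against cycles in the install graph.
function findPaths(tree, from, target, seen = new Set()) {
  if (from === target) return [[from]];
  if (seen.has(from) || !tree[from]) return [];
  seen.add(from);
  const paths = [];
  for (const dep of Object.keys(tree[from].requires)) {
    for (const rest of findPaths(tree, dep, target, seen)) paths.push([from, ...rest]);
  }
  seen.delete(from);
  return paths;
}

// For each advisory that applies to the installed version, list the paths by
// which the package is reached and whether any of them starts from a runtime
// dependency. productionReachable === false is the "only run by devs" case
// argued in the thread; true means the package ships to end users.
function triage(manifest, tree, advisories) {
  const findings = [];
  for (const adv of advisories) {
    const entry = tree[adv.package];
    if (!entry || !isVulnerable(entry.version, adv.patchedIn)) continue;
    const paths = [];
    for (const [scope, roots] of [["prod", manifest.dependencies], ["dev", manifest.devDependencies]]) {
      for (const root of Object.keys(roots || {})) {
        for (const p of findPaths(tree, root, adv.package)) paths.push({ scope, path: p.join(" > ") });
      }
    }
    findings.push({
      package: adv.package,
      version: entry.version,
      severity: adv.severity,
      productionReachable: paths.some((p) => p.scope === "prod"),
      paths,
    });
  }
  return findings;
}

const report = triage(manifest, installed, advisories);
for (const f of report) {
  console.log(`${f.severity}: ${f.package}@${f.version} runtime-reachable=${f.productionReachable}`);
  for (const p of f.paths) console.log(`  [${p.scope}] ${p.path}`);
}
```

With the constructed data, lodash comes out runtime-reachable (via `example-server`) while underscore.string is reached only through the devDependency path quoted in the audit, so the two findings deserve different priorities even though both are "unpatched". Against a real project the same walk would be driven from `package-lock.json` rather than the inline `installed` object.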
@ashleyryan

npm audit is also reporting this moderate issue https://www.npmjs.com/advisories/745 from this package

@jasonxxp

> Given that it's a runtime dep, then sure, we could switch it to eclint.

Looking forward to switching it.

@oprudkyi

Hi, any updates on this?
GitHub Dependabot is spamming with alerts about underscore.string version < 3.3.5, and only this package depends on it.

@ljharb (Collaborator) commented Nov 21, 2020

Nope, no updates. You can tell GitHub to stop complaining about the warning in the meantime :-)

@dzienisz commented Aug 4, 2022

@ljharb I don't understand this approach, just update the deps or open merge requests to the community.

@ljharb (Collaborator) commented Aug 4, 2022

@dzienisz merging of what? Nobody’s sent a PR, which suggests it’s not important.

@dzienisz commented Aug 8, 2022

I don't know how to answer that. You have 10 PRs that are not merged. Do you want another one to have a bigger pile of PRs?

@ljharb (Collaborator) commented Aug 8, 2022

Most of those are for translations, and two of them I just closed because they were unexplained changes. PR counts are irrelevant; even if there were 10,000 open PRs, you should still send a PR to a project if you want something prioritized.

8 participants
@ljharb @ntwb @ux-engineer @oprudkyi @dzienisz @jasonxxp @ashleyryan and others