This repository has been archived by the owner on Nov 9, 2022. It is now read-only.
Hi, @milesj,
Issue Description
When I build my project, I notice that a vulnerability SNYK-JS-EJS-1049328 detected in package ejs<3.1.6 is transitively referenced by @beemo/core@1.1.8.
However, @beemo/core@1.1.8 is so popular that a large number of the latest versions of active and popular downstream projects depend on it (712 downloads per week and about 81 downstream projects, e.g., @oriflame/lumos 3.1.68, @rajzik/lumos 6.0.13, @rajzik/config-eslint 4.2.6, @oriflame/config-eslint 3.3.19, @oriflame/config-webpack 3.2.39, etc.).
In this case, the vulnerability SNYK-JS-EJS-1049328 can be propagated into these downstream projects and expose security threats to them.
As you can see, @beemo/core@1.1.8 is introduced into the above projects via the following package dependency paths:
(1) @aydink/plugin-chart-table-extended@0.38.5 ➔ @airbnb/config-babel@3.1.0 ➔ @airbnb/nimbus-common@3.0.1 ➔ @beemo/core@1.1.8 ➔ hygen@5.0.3 ➔ ejs@2.7.4
......
I know that it's kind of you to have removed the vulnerability since @beemo/core@2.0.0-rc.0. But, in fact, the above large number of downstream projects cannot easily upgrade @beemo/core from version 1.1.8 to (>=2.0.0-rc.0):
The projects such as @airbnb/nimbus-common, which introduced @beemo/core@1.1.8, are not maintained anymore. These unmaintained packages can neither upgrade @beemo/core nor be easily migrated by the large number of affected downstream projects.
Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package @beemo/core@1.1.8?
Suggested Solution
Since these inactive projects set a version constraint 1.1.* for @beemo/core on the above vulnerable dependency paths, if @beemo/core removes the vulnerability from 1.1.8 and releases a new patched version @beemo/core@1.1.9, such a vulnerability patch can be automatically propagated into the downstream projects.
In @beemo/core@1.1.9, maybe you can try to perform the following upgrade: hygen ^5.0.3 ➔ ^6.0.0
Note: hygen@6.0.0 (>=6.0.0) directly depends on ejs@3.1.6, which has fixed the vulnerability SNYK-JS-EJS-1049328.
Thank you for your attention to this issue and welcome to share other ways to resolve the issue.
Best regards,
^_^
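As an added example (not code from the issue or from the beemo project), the following script checks the kind of transitive exposure the issue describes: it walks a dependency tree, reports every path that ends in an ejs version below 3.1.6, and then re-runs the check on a tree where a hypothetical @beemo/core@1.1.9 depends on hygen 6.0.0 instead of 5.0.3. The tree is constructed from dependency path (1) above; the hygen@6.0.0 ➔ ejs@3.1.6 edge is taken from the issue's note, and the 1.1.9 release is assumed, not published.

```javascript
// Added example (not from the issue or the beemo project); see lead-in for assumptions.
// "2.0.0-rc.0" -> { nums: [2, 0, 0], pre: "rc.0" }
function parseVersion(v) {
  const dash = v.indexOf('-');
  const core = dash === -1 ? v : v.slice(0, dash);
  return { nums: core.split('.').map(Number), pre: dash === -1 ? null : v.slice(dash + 1) };
}
// True when a < b; a prerelease sorts below its own release.
function versionLess(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i];
  }
  return Boolean(pa.pre) && !pb.pre;
}

// tree: { "name@version": ["dep@version", ...] }. Depth-first walk from `root`
// collecting every path whose last node is `pkg` at a version below `fixedVersion`.
function findVulnerablePaths(tree, root, pkg, fixedVersion) {
  const hits = [];
  const walk = (node, path) => {
    if (path.includes(node)) return; // cycle guard
    const next = [...path, node];
    const at = node.lastIndexOf('@'); // scoped names keep their leading "@"
    const name = node.slice(0, at), version = node.slice(at + 1);
    if (name === pkg && versionLess(version, fixedVersion)) hits.push(next);
    for (const dep of tree[node] || []) walk(dep, next);
  };
  walk(root, []);
  return hits;
}

// Constructed from dependency path (1) in the issue.
const ROOT = '@aydink/plugin-chart-table-extended@0.38.5';
const beforeFix = {
  [ROOT]: ['@airbnb/config-babel@3.1.0'],
  '@airbnb/config-babel@3.1.0': ['@airbnb/nimbus-common@3.0.1'],
  '@airbnb/nimbus-common@3.0.1': ['@beemo/core@1.1.8'],
  '@beemo/core@1.1.8': ['hygen@5.0.3'],
  'hygen@5.0.3': ['ejs@2.7.4'],
};
// Hypothetical @beemo/core@1.1.9 on hygen ^6.0.0, which the issue says pulls in ejs@3.1.6.
const afterFix = {
  ...beforeFix,
  '@airbnb/nimbus-common@3.0.1': ['@beemo/core@1.1.9'],
  '@beemo/core@1.1.9': ['hygen@6.0.0'],
  'hygen@6.0.0': ['ejs@3.1.6'],
};
console.log(findVulnerablePaths(beforeFix, ROOT, 'ejs', '3.1.6').map((p) => p.join(' -> ')));
console.log(findVulnerablePaths(afterFix, ROOT, 'ejs', '3.1.6').length);
```

The same walk can be fed a real tree (for example one derived from a lockfile) to confirm that a proposed bump actually removes every path to the vulnerable range, not just the one quoted.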
@evansrobert Can a yarn resolution for ejs be used here?
In a somewhat related note, I built and maintained Nimbus while I was at Airbnb. Since then, I went ahead and built https://github.com/beemojs/dev, which is very similar to Nimbus. If you're ever looking to migrate away from Nimbus, I would suggest that.