Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): bump es5-ext in /packages/cubejs-query-orchestrator to address security advisory #7884

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): bump es5-ext in /packages/cubejs-query-orchestrator to address security advisory #7884

wants to merge 1 commit into from

Conversation

adamstruck
Copy link

I was running into this security alert in my project due to the pinned version in this package.

es5-ext vulnerable to Regular Expression Denial of Service in function#copy and function#toStringTokens

Impact

Passing functions with very long names or complex default argument names into function#copy orfunction#toStringTokens may put script to stall

Patches

Fixed with medikoo/es5-ext@3551cdd and medikoo/es5-ext@a52e957
Published with v0.10.63

Workarounds

No real workaround aside of refraining from using above utilities.

References

medikoo/es5-ext#201

References

GHSA-4gmj-3p3h-gm8h
https://nvd.nist.gov/vuln/detail/CVE-2024-27088
medikoo/es5-ext#201
medikoo/es5-ext@3551cdd
medikoo/es5-ext@a52e957

@adamstruck
Address es5-ext security advisory
8e8e43e 
es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`

GHSA-4gmj-3p3h-gm8h
@adamstruck adamstruck requested a review from a team as a code owner March 8, 2024 18:29
@vercel Vercel
Copy link

vercel bot commented Mar 8, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

8 Ignored Deployments
Name Status Preview Comments Updated (UTC)
examples-angular-dashboard ⬜️ Ignored (Inspect) Visit Preview Mar 8, 2024 6:30pm
examples-react-d3 ⬜️ Ignored (Inspect) Visit Preview Mar 8, 2024 6:30pm
examples-react-dashboard ⬜️ Ignored (Inspect) Visit Preview Mar 8, 2024 6:30pm
examples-react-data-table ⬜️ Ignored (Inspect) Visit Preview Mar 8, 2024 6:30pm
examples-react-highcharts ⬜️ Ignored (Inspect) Visit Preview Mar 8, 2024 6:30pm
examples-react-material-ui ⬜️ Ignored (Inspect) Visit Preview Mar 8, 2024 6:30pm
examples-react-pivot-table ⬜️ Ignored (Inspect) Visit Preview Mar 8, 2024 6:30pm
examples-vue-query-builder ⬜️ Ignored (Inspect) Visit Preview Mar 8, 2024 6:30pm

@github-actions github-actions bot added the pr:community Contribution from Cube.js community members. label Mar 8, 2024
@adamstruck adamstruck changed the title Address es5-ext security advisory chore(deps): bump es5-ext in /packages/cubejs-query-orchestrator to address security advisory Mar 8, 2024
@ovr
Copy link
Member

ovr commented Mar 18, 2024

This dependency is locked due to #4257

The author of this library misuses opportunities from postinstall script to spam logs https://github.com/medikoo/es5-ext/blob/main/_postinstall.js

medikoo/es5-ext#116

@ovr ovr self-assigned this Mar 19, 2024
@codecov Codecov
Copy link

codecov bot commented Mar 19, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 47.91%. Comparing base (cd67a7c) to head (8e8e43e).
Report is 57 commits behind head on master.

Additional details and impacted files 
@@             Coverage Diff             @@
##           master    #7884       +/-   ##
===========================================
- Coverage   68.14%   47.91%   -20.24%     
===========================================
  Files         348      154      -194     
  Lines       58971    21011    -37960     
  Branches     5262     5262               
===========================================
- Hits        40186    10067    -30119     
+ Misses      18585    10744     -7841     
  Partials      200      200
Flag Coverage Δ
cube-backend 47.91% <ø> (ø)
cubesql ?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@ovr ovr

Labels
pr:community Contribution from Cube.js community members.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@adamstruck @ovr