Update version range for GHSA-f46r-rw29-r322 #5483
Copilot wasn't able to review any files in this pull request.
Files not reviewed (1)
- advisories/github-reviewed/2025/04/GHSA-f46r-rw29-r322/GHSA-f46r-rw29-r322.json: Language not supported
|
👋 Hi @brophdawg11, I showed this PR and #5484 to colleagues of mine who work on npm audit. Another PR from last week (#5461) reported an issue with an advisory update not propagating to npm audit in a different npm package. In the meantime, users who approach you about alerts they're getting in npm audit can check for caching issues or vulnerable indirect dependencies to see if that changes anything about the alerts they're getting. Thanks for raising awareness of something you saw with respect to GHSA-f46r-rw29-r322 and GHSA-cpj6-fhp6-mr6j in npm audit and have a great weekend! |
|
Thanks for the follow up! I just tried again and this does look like it was a caching issue, all looks good now:

```
> npm i react-router@latest
added 5 packages, and audited 6 packages in 849ms
found 0 vulnerabilities
> npm audit
found 0 vulnerabilities
> npm i react-router@7.5.1
changed 1 package, and audited 6 packages in 835ms
1 high severity vulnerability
To address all issues, run:
npm audit fix
Run `npm audit` for details.
> npm audit
# npm audit report
react-router 7.0.0-pre.0 - 7.5.1
Severity: high
React Router allows pre-render data spoofing on React-Router framework mode - https://github.com/advisories/GHSA-cpj6-fhp6-mr6j
React Router allows a DoS via cache poisoning by forcing SPA mode - https://github.com/advisories/GHSA-f46r-rw29-r322
fix available via `npm audit fix`
node_modules/react-router
1 high severity vulnerability
To address all issues, run:
npm audit fix
> npm i react-router@6
added 1 package, removed 3 packages, changed 1 package, and audited 4 packages in 879ms
found 0 vulnerabilities
> npm audit
found 0 vulnerabilities
```

I was able to reproduce this morning on a fresh Let me know if I should close these PRs or if it's still useful to update the |
|
@brophdawg11 Thanks for the follow-up! I'll answer the questions in a quote-and-response format:
My job is related to advisory content rather than advisory database engineering or npm engineering, so I can't give an answer more precise than "it depends," especially when you're talking about a popular package, where lots of alerts get issued to lots of users who are using lots of different systems. 😅
|
This is an update to the `last_known_affected_version_range` field for GHSA-f46r-rw29-r322.

We missed that the original advisory we received and subsequently published did not have a lower version bound, which is causing tools like `npm audit` to report false positives for the vulnerability on unaffected versions (v6 and below).

We have since updated the affected version via the Security UI in our repo, and it seems those updates have propagated to the introduced fields (here), but tools like npm audit are still reporting the vulnerability on versions below v7.

On a closer look we noticed the `last_known_affected_version_range` field still seemed to have the old version without the lower bound, so this updates that field hoping it will resolve the `npm audit` issues.
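The mismatch described in the PR description above can be checked mechanically. The following is an added example, not code from this PR or from the advisory database tooling: it flags OSV `affected` entries whose `introduced` event sets a lower bound that `last_known_affected_version_range` does not repeat. The function names are hypothetical, the sample advisory is constructed from the versions in the `npm audit` output quoted in this thread, and both the field's location under `affected[].database_specific` and the comma-separated `>=` range syntax are assumptions.

```javascript
// Added example: detect an OSV advisory whose range events carry a lower bound
// that database_specific.last_known_affected_version_range does not repeat.

// Constructed sample, NOT the real advisory file. The versions come from the
// "react-router 7.0.0-pre.0 - 7.5.1" line of the npm audit output in this thread.
const sampleAdvisory = {
  id: "GHSA-f46r-rw29-r322",
  affected: [{
    package: { ecosystem: "npm", name: "react-router" },
    ranges: [{ type: "ECOSYSTEM", events: [{ introduced: "7.0.0-pre.0" }] }],
    database_specific: { last_known_affected_version_range: "<= 7.5.1" },
  }],
};

// True when a range expression contains a ">" or ">=" clause.
// Assumed syntax: comma-separated clauses, e.g. ">= 7.0.0-pre.0, <= 7.5.1".
function hasLowerBound(rangeExpr) {
  return rangeExpr.split(",").some((part) => /^\s*>=?\s*\S+/.test(part));
}

// Hypothetical helper: returns one finding per inconsistent "affected" entry.
function findBoundMismatches(advisory) {
  const findings = [];
  for (const entry of advisory.affected ?? []) {
    const lastKnown = entry.database_specific?.last_known_affected_version_range;
    if (typeof lastKnown !== "string") continue; // the field is optional
    const introduced = (entry.ranges ?? [])
      .flatMap((range) => range.events ?? [])
      .map((event) => event.introduced)
      .filter((v) => v !== undefined && v !== "0"); // "0" = no lower bound
    if (introduced.length > 0 && !hasLowerBound(lastKnown)) {
      findings.push({ package: entry.package?.name, introduced, lastKnown });
    }
  }
  return findings;
}

console.log(findBoundMismatches(sampleAdvisory));
```
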