
Npm Audit fails #2046

Closed
zabibabar opened this issue May 6, 2021 · 10 comments

Comments

@zabibabar

Moderate Regular Expression Deinal of Service

Package hosted-git-info

Patched in >=3.0.8

Dependency of eslint-plugin-import [dev]

Path eslint-plugin-import > read-pkg-up > read-pkg >
normalize-package-data > hosted-git-info

More info https://npmjs.com/advisories/1677

@Sampath-Lokuge

I also have the same issue: https://stackoverflow.com/questions/67423118/regular-expression-deinal-of-service-hosted-git-info

@ljharb
Member

ljharb commented May 6, 2021

Like most CVEs, this is a false positive, since the content comes from your own package.json.

Either way, the place to file this issue is in normalize-package-data or hosted-git-info, not anywhere else.

@ljharb ljharb closed this as completed May 6, 2021
@mgwalker
Contributor

mgwalker commented May 6, 2021

This issue is actually in eslint-plugin-import because it relies on read-pkg-up@^2.0.0:

https://github.com/benmosher/eslint-plugin-import/blob/master/package.json#L113

Here's the dependency tree:

eslint-plugin-import@2.22.1
|__ read-pkg-up@2.0.0
    |__ read-pkg@2.0.0
        |__ normalize-package-data@2.5.0
            |__ hosted-git-info@2.8.9

That dependency on read-pkg-up@2.0.0 prevents users of this library from getting a newer version of hosted-git-info. The entire dependency chain could be updated at once by using a newer version of read-pkg-up, which is up to 8.0.0 now. Until eslint-plugin-import updates its dependency on read-pkg-up, everyone who uses it will get npm audit and GitHub security alerts (along with other static analysis tools) because they will necessarily depend on a known-vulnerable version of hosted-git-info.

@ljharb
Member

ljharb commented May 6, 2021

@mgwalker that's not how the ecosystem works. The affected package is an implementation detail of normalize-package-data, which is an implementation detail of read-pkg, which is an implementation detail of read-pkg-up.

Unfortunately, vulnerability warnings are breaking the abstraction here, but that still doesn't make it something we can fix. read-pkg-up can unfortunately never be upgraded here, because higher versions drop support for node versions we continue to support.

Most of these audit/security alerts are false positives; this is a sad reality of the incentives in the security ecosystem. In this case, the "vulnerability" would be that you'd have to have a package.json on your own machine, in your own code, that contained a malicious URL, and the damage caused would be no broader than "your linter would run forever, and CI would time out". It's a non-problem.

If you can provide an alternative package (not read-pkg-up) that has the same platform support as read-pkg-up v2, I'll be happy to switch to it.

@mgwalker
Contributor

mgwalker commented May 6, 2021

I get it; I really do. And I won't belabor the point, but all of those things are also implementation details to the users of this library, and for all intents and purposes, this library is the source of this particular vulnerability for us. I sympathize with your position, though, supporting such a widely-used library across a broad platform base. And your point is well taken; there's no fix.

@ljharb
Member

ljharb commented May 6, 2021

@mgwalker I've just heard from npm folks that hosted-git-info v2.8.9 actually fixes the vulnerability, and that they're working on updating the CVE now. Once that's done, it looks like the warning will just magically go away for everyone who's updated :-)

@Sampath-Lokuge

@ljharb Sorry, I didn't get this?

> it looks like the warning will just magically go away for everyone who's updated

What should I do/update here? I use the Angular app.

@ljharb
Member

ljharb commented May 7, 2021

@Sampath-Lokuge you should wait until the CVE is updated, and npm and github and other tools pick up the change, at which point the warning for those who have fully updated will vanish. This might take hours, or weeks, I have no idea.

@fabb

fabb commented May 7, 2021

Usually it only takes hours. Currently 2.8.9 is still marked as affected, let's see when this changes: https://www.npmjs.com/advisories/1677/versions

@lydell
Contributor

lydell commented May 9, 2021

2.8.9 is now marked as unaffected! I just got a PR from Dependabot silencing the alert.
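The two things this thread turns on, the dependency path mgwalker posted and the advisory's "patched in" range that npm later revised, can be reproduced with a small audit walk. This is an added example, not code from the issue, from npm, or from eslint-plugin-import; the tree is constructed to mirror the chain above, and the revised range `>=2.8.9 <3.0.0 || >=3.0.8` is an assumed shape of what npm changed, not a quote of the advisory.

```javascript
// Constructed dependency tree mirroring the chain posted in the issue
// (eslint-plugin-import@2.22.1 -> ... -> hosted-git-info@2.8.9).
const tree = {
  name: 'eslint-plugin-import', version: '2.22.1',
  dependencies: [{
    name: 'read-pkg-up', version: '2.0.0',
    dependencies: [{
      name: 'read-pkg', version: '2.0.0',
      dependencies: [{
        name: 'normalize-package-data', version: '2.5.0',
        dependencies: [{ name: 'hosted-git-info', version: '2.8.9', dependencies: [] }],
      }],
    }],
  }],
};

// Minimal semver compare for plain "x.y.z" strings (no prerelease tags).
function cmp(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Range grammar kept to what the advisory needs: ">=x.y.z" and "<x.y.z"
// terms joined by spaces (AND), clauses joined by "||" (OR).
function satisfies(version, range) {
  return range.split('||').some(clause =>
    clause.trim().split(/\s+/).every(term => {
      const m = /^(>=|<)(\d+\.\d+\.\d+)$/.exec(term);
      if (!m) throw new Error(`unsupported range term: ${term}`);
      const c = cmp(version, m[2]);
      return m[1] === '>=' ? c >= 0 : c < 0;
    }));
}

// Depth-first walk: one "a > b > c@version" string per occurrence of the
// advisory's package whose resolved version is NOT in the patched range.
function findVulnerablePaths(node, advisory, path = []) {
  const here = [...path, node.name];
  const hits = [];
  if (node.name === advisory.package && !satisfies(node.version, advisory.patched)) {
    hits.push(here.join(' > ') + '@' + node.version);
  }
  for (const dep of node.dependencies) hits.push(...findVulnerablePaths(dep, advisory, here));
  return hits;
}

// Advisory metadata as reported in the issue, then the assumed revised range.
const advisoryOriginal = { package: 'hosted-git-info', patched: '>=3.0.8' };
const advisoryRevised = { package: 'hosted-git-info', patched: '>=2.8.9 <3.0.0 || >=3.0.8' };
```

Run against `advisoryOriginal` the walk reports the exact path the opening comment shows; against `advisoryRevised` it reports nothing, which is why the alert disappeared without any code change in this repository.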
