
Update minimatch@3.0.4 to minimatch@3.0.5 #85

Merged
merged 2 commits into from
Oct 25, 2022
Merged

Conversation

akerpelm
Contributor

@akerpelm akerpelm commented May 2, 2022

High severity vulnerability in minimatch@3.0.4, update to 3.0.5 per #83

Vulnerability description:
minimatch package versions before 3.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS). It's possible to cause a denial of service when calling the function braceExpand (the regex /\{.*\}/ is vulnerable and can be exploited).

FWIW: Added minimatch@3.0.5 as a resolution in the package.json file; recursive-readdir continues to work with this update.

high severity vulnerability in minimatch@3.0.4, update to 3.0.5
@akerpelm akerpelm changed the title Update package.json Update minimatch@3.0.4 to minimatch@3.0.5 May 2, 2022
@akerpelm
Contributor Author

akerpelm commented May 2, 2022

@jergason sorry to reach out directly, but this vulnerability has been sitting unresolved for some time. Would you mind taking a look? Thanks

@ivantrave

ivantrave commented Jul 14, 2022

Thanks for the fix @akerpelm!
It would be nice to have this PR merged soon to solve the high severity vulnerability.
It would also be nice if you could please take a look, @jergason. Many thanks!

package.json Outdated
@@ -23,7 +23,7 @@
"node": ">=6.0.0"
},
"dependencies": {
"minimatch": "3.0.4"
"minimatch": "3.0.5"
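Review bot: the replacement line still pins minimatch to one exact version ("3.0.5"), so the next minimatch patch release will again need a new recursive-readdir release before consumers can pick it up; the exact pin on "3.0.4" is why the fix could not reach consumers' trees without this PR. Consider the range "^3.0.5" that the inline reviewer suggests, or state in the PR description why an exact pin is intended.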

To avoid future issues, would it make sense to use "^3.0.5" instead?

@bengm

bengm commented Jul 21, 2022

Thank you for opening this... I was chasing down the same issue.

@bhaginath-tvpt

bhaginath-tvpt commented Sep 6, 2022

@jergason, could you please apply this patch? It's been lingering for a long time.

In our React project, react-dev-utils has a transitive dependency on recursive-readdir, which uses the vulnerable minimatch 3.0.4. Maintainer, could you please upgrade minimatch to the latest version?
It's a critical vulnerability in our application.

@sbley

sbley commented Oct 19, 2022

@jergason Is there anything we can help with to get this security fix integrated?

@jspraul

jspraul commented Oct 20, 2022

👋 Hello from another automated dependency scan re: CVE-2022-3517!

While we wait, maybe npm overrides can help:

  "overrides": {
    "recursive-readdir@2.2.2": {
      "minimatch@3.0.4": "3.0.5"
    }
  },

If you don't mind minor updates to other dependencies, delete package-lock.json and run npm install to apply the override.

An alternative is to run npm install with a copy of package.json in an otherwise empty folder, then merge just the override back into the original package-lock.json and run npm install on it:

     "node_modules/recursive-readdir/node_modules/minimatch": {
-      "version": "3.0.4",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
-      "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
+      "version": "3.0.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.5.tgz",
+      "integrity": "sha512-tUpxzX0VAzJHjLu0xUfFv1gwVp9ba3IOuRAVH2EGuRW8a5emA2FlACLqiT/lDVtS1W+TGNwqz3sWaNyLgDJWuw==",
       "dependencies": {
         "brace-expansion": "^1.1.7"
       },
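Review bot: the `+` lines change `integrity` together with `resolved`, and both values must be exactly what npm wrote when it generated the lockfile in the scratch folder; npm checks the downloaded tarball against this sha512 and refuses the install on a mismatch (EINTEGRITY), so merge the whole `node_modules/recursive-readdir/node_modules/minimatch` entry as a unit rather than editing `version` by itself.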

Good luck!
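The override above is written by hand for one known parent. As an added example that is not part of jspraul's comment or the recursive-readdir project, the Node script below scans a lockfileVersion 2/3 package-lock.json for every copy of minimatch below 3.0.5 (the floor this PR sets) and generates the matching `overrides` block; the lockfile fragment it reads is constructed inline, and `findVulnerable`/`buildOverrides` are names chosen for the demo.

```javascript
// Added example: audit a lockfileVersion 2/3 package-lock.json for copies of
// minimatch below 3.0.5 and build the npm "overrides" block that pins them.
const NAME = 'minimatch';
const FLOOR = '3.0.5'; // first release without the braceExpand ReDoS

// Constructed lockfile fragment for the demo, not a real project's lock.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 2,
  packages: {
    'node_modules/minimatch': { version: '3.1.2' },
    'node_modules/recursive-readdir': { version: '2.2.2' },
    'node_modules/recursive-readdir/node_modules/minimatch': { version: '3.0.4' },
  },
});

// Numeric dotted-version compare: negative when a < b, zero when equal.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every lockfile entry for `name` below `floor`, plus the parent package
// (name@version) whose node_modules folder holds that nested copy.
function findVulnerable(lockJson, name, floor) {
  const lock = JSON.parse(lockJson);
  const suffix = `node_modules/${name}`;
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    if (compareVersions(meta.version, floor) >= 0) continue; // already fixed
    const parentPath = path === suffix ? '' : path.slice(0, -(suffix.length + 1));
    const parent = parentPath
      ? `${parentPath.split('node_modules/').pop()}@${(lock.packages[parentPath] || {}).version}`
      : null; // a top-level copy has no parent to override under
    findings.push({ path, version: meta.version, parent });
  }
  return findings;
}

// Nested copies are pinned under their parent, a top-level copy directly.
function buildOverrides(findings, name, floor) {
  const overrides = {};
  for (const f of findings) overrides[f.parent || name] = f.parent ? { [`${name}@${f.version}`]: floor } : floor;
  return overrides;
}

console.log(JSON.stringify(buildOverrides(findVulnerable(SAMPLE_LOCK, NAME, FLOOR), NAME, FLOOR), null, 2));
```

Run with `node` against the output of `JSON.stringify` of your own lock to see which parents need an entry; lockfileVersion 1 files use a nested `dependencies` tree instead of `packages` and are not handled here.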

@karlhorky

cc @bnb - saw that you are a collaborator on npm.

@imki123

imki123 commented Oct 25, 2022

@akerpelm @jergason Please merge... minimatch@^3.0.5

@AhmedHulo

If no owner responds we should consider forking this repository and updating the dependency.

@akerpelm
Contributor Author

@imki123 trust me I would have merged this months ago if I had write access...

@rpoconn

rpoconn commented Oct 25, 2022

+1 this needs to be merged.

@bnb
Collaborator

bnb commented Oct 25, 2022

Just tested this locally, tests pass; I can merge this and publish.

@bnb bnb merged commit 1840d5a into jergason:master Oct 25, 2022
@karlhorky

Thanks @bnb for the merge and publish of recursive-readdir@2.2.3 🙌

@imki123

imki123 commented Oct 26, 2022

Thank you !! 👍

@akerpelm akerpelm deleted the patch-1 branch October 26, 2022 13:25