Skip to content

CVE-2022-38900 fix for npm v6 #6010

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
c3ivodujmovic wants to merge 41 commits into from
Closed

CVE-2022-38900 fix for npm v6 #6010

c3ivodujmovic wants to merge 41 commits into from

Conversation

@c3ivodujmovic
Copy link

@c3ivodujmovic c3ivodujmovic commented Dec 31, 2022
edited
Loading

query-string@7.1.3 see GHSA-5698-6q73-gp8h

darcyclarke and others added 30 commits November 14, 2022 16:20
@c3ivodujmovic c3ivodujmovic requested a review from a team as a code owner December 31, 2022 01:57
@c3ivodujmovic c3ivodujmovic mentioned this pull request Dec 31, 2022
Closed
@nitindudeja2107 nitindudeja2107 mentioned this pull request Jan 1, 2023
Closed
2 tasks
@wraithgar wraithgar closed this Jan 2, 2023
@c3ivodujmovic
Copy link
Author

c3ivodujmovic commented Jan 18, 2023

@wraithgar @ruyadorno what do you guys recommend is the best way to address this issue?

@lukekarrys
Copy link
Contributor

lukekarrys commented Jan 18, 2023

the npm team will audit the vulnerability and create a release for v6 if necessary. currently v6 is only being released with urgent security fixes.

@c3ivodujmovic
Copy link
Author

c3ivodujmovic commented Jan 18, 2023
edited
Loading

Thanks @lukekarrys . Tell me if there is anything I can help.

Background
High CVE https://nvd.nist.gov/vuln/detail/CVE-2022-38900 Improper Input Validation resulting in DoS
Fixed via decode-uri-component update from 0.2.0 to 0.2.1
The latest node version 14.21.2 (LTS) includes this offending code:
(bash)# npm list decode-uri-component
npm@6.14.17 /home/c3/node-v14.21.2-linux-x64/lib/node_modules/npm
└─┬ query-string@6.8.2
└── decode-uri-component@0.2.0

@lukekarrys
Copy link
Contributor

lukekarrys commented Jan 21, 2023

npm@6.14.18 was released 2022-12-21 which contains decode-uri-component@0.2.2.

└─┬ npm@6.14.18
  └─┬ query-string@6.14.1
    └── decode-uri-component@0.2.2

There is an open PR to land this change in node 14 which can be followed to track the progress there: nodejs/node#45936

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@c3ivodujmovic @lukekarrys @wraithgar @darcyclarke @ruyadorno