Upgrade to check-links@^2.0.0? #43

Closed
karlhorky opened this issue Nov 8, 2022 · 4 comments · Fixed by #44

Comments

karlhorky (Contributor) commented Nov 8, 2022

Hi @davidtheclark @ChristianMurphy @transitive-bullshit, thanks for this remark-lint plugin, very useful!

Would you be open to upgrading to check-links@^2.0.0?

It addresses a security vulnerability in the transitive dependency got:

transitive-bullshit (Contributor)

Note: this would be a major version bump. Also, check-links now uses ESM instead of commonjs.

karlhorky (Contributor, Author) commented Mar 12, 2023

@ChristianMurphy Thanks for #44, great that it got merged!

As for a release that we can expect this in, I'm guessing this will come out in a new release remark-lint-no-dead-urls@2.0.0 in the next days/weeks.

ChristianMurphy (Member) commented Mar 12, 2023

Hey @karlhorky! 👋
Yes, the next release will be a major release (2.0.0).
The release will likely be in a few weeks rather than days.
There are more changes planned, updating the docs and types.
In the meantime, I assume your concern centers around what risk this poses.
Most likely little to none, see https://overreacted.io/npm-audit-broken-by-design/

For this to be "exploited" through remark-lint-no-dead-urls, the bad actor would need to be able to run the linter, meaning they already have executable access to a live terminal.
In which case they could already access Unix sockets directly.
Saying that an attacker could access something they already have access to, in a more cumbersome and roundabout way, isn't really an "exploit" or "security vulnerability".

I continue to hope npm audit, snyk, and other security auditing tools will offer maintainers more and better tools to articulate the actual risk level posed by transitive dependencies.

karlhorky (Contributor, Author)

> I assume your concern centers around what risk this poses

Ah no, not super concerned or eager to see this get released - just mainly communicating about the version number for posterity / bookkeeping, in case anyone also runs into this, comes to this issue and wants to upgrade to the correct version - I find that it's nice to have the version in the discussion thread, and happy to be the one to post that :)

> I continue to hope npm audit, snyk, and other security auditing tools will offer maintainers more and better tools to articulate the actual risk level posed by transitive dependencies.

Yeah, would be amazing to get better tooling around this, eg. more mainstream tools to do static analysis on what code path / which vulnerable code is used where: https://twitter.com/karlhorky/status/1412401098376290308
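As an added example (not code from remark-lint-no-dead-urls, check-links, got, or any commenter in this thread), the Node script below shows the kind of transitive-dependency analysis the last two comments ask for: it walks a package-lock.json in npm's lockfileVersion 2/3 "packages" layout, lists every chain from the project root to a named package (here `got`), the version each chain actually resolves to under Node's nested-`node_modules` rules, whether that version is below a stated fixed version, and whether the chain is reachable only through dev dependencies. The sample lockfile, its dependency edges and versions, and the `FIXED_VERSION` threshold are all constructed for illustration and are not taken from a real lockfile or advisory.

```javascript
// Added example for this thread (not code from remark-lint-no-dead-urls, check-links
// or got): given a package-lock.json in the lockfileVersion 2/3 "packages" layout,
// list every dependency chain from the project root to a named package, the version
// each chain resolves to, whether that version is below a stated fixed version, and
// whether the chain is dev-only. The lockfile, its edges and versions, and the
// FIXED_VERSION threshold are all constructed for illustration.

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": {
      name: "my-docs",
      devDependencies: { "remark-lint-no-dead-urls": "^1.1.0" },
    },
    "node_modules/remark-lint-no-dead-urls": {
      version: "1.1.0", dev: true,
      dependencies: { "check-links": "^1.1.8", "is-online": "^9.0.1" },
    },
    "node_modules/check-links": {
      version: "1.1.8", dev: true,
      dependencies: { got: "^9.6.0", "p-map": "^2.0.0" },
    },
    "node_modules/got": { version: "9.6.0", dev: true },
    "node_modules/is-online": {
      version: "9.0.1", dev: true,
      dependencies: { got: "^11.8.0" },
    },
    // Nested copy: is-online's range is not satisfied by the hoisted got@9.
    "node_modules/is-online/node_modules/got": { version: "11.8.0", dev: true },
    "node_modules/p-map": { version: "2.1.0", dev: true },
  },
};

// Illustrative threshold (an assumption): treat got versions below this as affected.
const FIXED_VERSION = "11.0.0";

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function versionLessThan(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Node resolution over lockfile paths: a dependency of the package installed at
// fromPath is the nearest enclosing node_modules/<name> entry, walking outwards.
function resolveDependency(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    const idx = base.lastIndexOf("node_modules/");
    if (idx === -1) return null;
    base = base.slice(0, idx).replace(/\/$/, "");
  }
}

// Depth-first walk from the root; every hit on targetName yields one chain.
function findChains(lock, targetName) {
  const packages = lock.packages;
  const results = [];
  function walk(path, chain, onPath) {
    const pkg = packages[path];
    // devDependencies are only installed for the root package.
    const deps = path === ""
      ? { ...pkg.dependencies, ...pkg.devDependencies }
      : { ...pkg.dependencies, ...pkg.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const depPath = resolveDependency(packages, path, name);
      if (!depPath || onPath.has(depPath)) continue; // missing entry or cycle
      const depPkg = packages[depPath];
      const next = [...chain, `${name}@${depPkg.version}`];
      if (name === targetName) {
        results.push({ chain: next, path: depPath, version: depPkg.version, devOnly: depPkg.dev === true });
      } else {
        walk(depPath, next, new Set([...onPath, depPath]));
      }
    }
  }
  walk("", [], new Set([""]));
  return results;
}

// One record per chain: where the package is reached from, which version is
// actually resolved there, and whether that copy falls below the fixed version.
function assessRisk(lock, targetName, fixedVersion) {
  return findChains(lock, targetName).map((c) => ({
    ...c,
    affected: versionLessThan(c.version, fixedVersion),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of assessRisk(SAMPLE_LOCK, "got", FIXED_VERSION)) {
    const status = r.affected ? "AFFECTED" : "ok";
    const scope = r.devOnly ? "dev-only" : "runtime";
    console.log(`${status.padEnd(8)} ${scope.padEnd(8)} ${r.chain.join(" -> ")}`);
  }
}
```

On the constructed lockfile this reports two chains to `got`: one through check-links resolving to the hoisted 9.x copy (affected, dev-only) and one through is-online resolving to its own nested 11.x copy (not affected). The `devOnly` flag is the piece of context an audit tool usually omits: a finding reachable only through a dev-only linter is exercised only where that linter is run, which is the distinction ChristianMurphy draws above. The version comparison deliberately ignores prerelease tags and build metadata; for real lockfiles use the `semver` package instead.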
