
cpy has transitive dependencies with a CVE vulnerability #98

Closed
isuftin opened this issue Nov 19, 2021 · 7 comments
Comments

@isuftin

isuftin commented Nov 19, 2021

cpy depends on globby @ ^12.0.2. Following the dependency chain, this also pulls in globby @ 9.2.0. That version of globby depends on fast-glob which depends on glob-parent at a specific version with a vulnerability.

| +-- globby@9.2.0
| | +-- @types/glob@7.2.0
| | | +-- @types/minimatch@3.0.5
| | | `-- @types/node@16.11.9
| | +-- array-union@1.0.2
| | | `-- array-uniq@1.0.3
| | +-- dir-glob@2.2.2
| | | `-- path-type@3.0.0
| | |   `-- pify@3.0.0
| | +-- fast-glob@2.2.7
| | | +-- @mrmlnc/readdir-enhanced@2.2.1
| | | | +-- call-me-maybe@1.0.1
| | | | `-- glob-to-regexp@0.3.0
| | | +-- @nodelib/fs.stat@1.1.3
| | | +-- glob-parent@3.1.0 <---
| | | | +-- is-glob@3.1.0
| | | | | `-- is-extglob@2.1.1 deduped
| | | | `-- path-dirname@1.0.2
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| glob-parent | CVE-2020-28469   | HIGH     | 3.1.0             | 5.1.2         | nodejs-glob-parent: Regular           |
|             |                  |          |                   |               | expression denial of service          |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28469 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+

The latest version of globby has a dependency tree which does pull in a fixed version of glob-parent.
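To confirm which chain actually pulls in the vulnerable version, here is an added example (not code from cpy or from this issue's author) that walks a dependency tree shaped like `npm ls --json` output and reports every path reaching a package below its fixed version. The tree below is a constructed sample modelled on the chain above; the `x.y.z` cpy version and the globby@12 branch are placeholders, and intermediate packages are omitted there.

```javascript
// Added example: find every path in an npm dependency tree that reaches a
// package whose installed version is below the fixed version.

// Parse "1.2.3" into numeric parts; non-numeric parts count as 0.
function parseVersion(v) {
  return v.split('.').map((p) => parseInt(p, 10) || 0);
}

// True when semantic version a is strictly lower than b (major.minor.patch).
function versionLessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk over { dependencies: { name: { version, dependencies } } }.
// Deduped entries in `npm ls` output carry no children, so missing
// `dependencies` is treated as a leaf. Returns [{ path, version }, ...].
function findVulnerablePaths(tree, pkgName, fixedVersion) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${dep.version}`];
      if (name === pkgName && versionLessThan(dep.version, fixedVersion)) {
        hits.push({ path: here.join(' > '), version: dep.version });
      }
      walk(dep, here);
    }
  };
  walk(tree, []);
  return hits;
}

// Constructed sample tree (versions other than the globby@9.2.0 chain are placeholders).
const SAMPLE_TREE = {
  name: 'my-app',
  dependencies: {
    cpy: { version: 'x.y.z', dependencies: {
      globby: { version: '9.2.0', dependencies: {
        'fast-glob': { version: '2.2.7', dependencies: {
          'glob-parent': { version: '3.1.0' } } } } } } },
    globby: { version: '12.0.2', dependencies: {
      'glob-parent': { version: '5.1.2' } } } } };

console.log(findVulnerablePaths(SAMPLE_TREE, 'glob-parent', '5.1.2'));
```

Pipe real `npm ls --json --all` output through `JSON.parse` in place of `SAMPLE_TREE` to get the same report for an actual project.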

@jj05y

jj05y commented Nov 22, 2021

@SimonSiefke - can this be bumped?

@iiLearner

Is there any update on this? We have Dependabot alerts with high severity.

@mheob

mheob commented Dec 3, 2021

@sindresorhus
The updated dependencies are already included in the project. Is anything still blocking the release of a new version? Can we help in any way?

@sindresorhus
Owner

It's blocked by #92

@ryami333

@sindresorhus is it actually truly blocked by that PR - or does that PR just happen to address the issue, amongst other things? Wondering because that PR seems to have stalled, and this remains a "high severity" CVE alert, months on. It either needs a new champion, or for the transitive dependency aspects to be cherry-picked.

@rchisholm

Any update on this? It's the only vulnerability we have had for several months.

@sindresorhus
Owner
