
Could you help remove the high severity vulnerability introduced by ajv? #665

Open
vincentsum777 opened this issue Aug 1, 2021 · 2 comments

vincentsum777 commented Aug 1, 2021

Hi, @leo, I stumbled upon a high severity vulnerability introduced by package ajv@6.5.3:

Issue Description

I noticed that serve@11.3.2 directly depends on ajv@6.5.3 by accident. However, the vulnerability CVE-2020-15366 is detected in package ajv<6.12.3.
As you can see, serve@11.3.2 is so popular that a large number of projects depend on it (203,658 downloads per week and about 271 downstream projects, e.g., react-static 7.5.3, father 2.30.6, landr 6.18.0, sisa 4.4.0, @anyfin/ui 5.4.35, etc.).
In this case, the vulnerability CVE-2020-15366 can be propagated into these downstream projects and expose security threats to them.
As far as I know, serve@11.3.2 is introduced into the above projects via the following package dependency paths:
(1)h5-webview@2.0.15 ➔ umi-library@1.6.0 ➔ docz@1.1.0 ➔ docz-core@1.2.0 ➔ serve@11.3.2 ➔ ajv@6.5.3
......

I know that it's kind of you to have removed the vulnerability since serve@12.0.0. But, in fact, the above large number of downstream projects cannot easily upgrade serve from version 11.3.2 to (>=12.0.0):
The projects such as umi-library, which introduced serve@11.3.2, are not maintained anymore. These unmaintained packages can neither upgrade serve nor be easily migrated by the large number of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package serve@11.3.2?

Suggested Solution

As you know, since these inactive projects set a version constraint 11.3.* for serve on the above vulnerable dependency paths, if serve removes the vulnerability from 11.3.2 and releases a new patched version serve@11.3.3, such a vulnerability patch can be automatically propagated into the downstream projects.

The simplest way to remove the vulnerability is to perform the following upgrade in serve@11.3.3 (not crossing a major version):
ajv 6.5.3 ➔ 6.12.3
Note:
ajv@6.12.3 (>=6.12.3) has fixed the vulnerability (CVE-2020-15366).
If you have any other ways to resolve the issue, you are welcome to share them with me.

Thank you for your help. ^_^
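The issue above describes how a vulnerable transitive dependency (ajv below 6.12.3) reaches downstream projects through a chain like docz-core ➔ serve ➔ ajv. The following is an added example, not code from the reporter or from the serve project, showing how a maintainer or downstream user can check their own package-lock.json for such copies. It assumes the lockfile v1 layout (nested `dependencies` objects mirror nested node_modules directories) and plain `x.y.z` version strings; the sample lockfile is constructed for illustration and is not copied from any real project.

```javascript
// Added example (not part of the serve project or the issue): walk a
// package-lock.json (lockfile v1 layout, nested "dependencies" objects) and
// report every installed copy of a package whose version is below the fixed
// version, together with the nesting path that pulled it in.

// Minimal semver parser/comparator for plain "x.y.z" versions. Prerelease
// tags are not handled; this is an assumption adequate for lockfile
// "version" fields like the ones in this issue.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a conventional comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Recursively collect { path, version } for every installed copy of `name`
// whose version is below `fixedIn`. `trail` is the chain of parent packages
// that led to the current nesting level.
function findVulnerableCopies(lock, name, fixedIn, trail = []) {
  const hits = [];
  const deps = lock.dependencies || {};
  for (const [depName, entry] of Object.entries(deps)) {
    const path = trail.concat(`${depName}@${entry.version}`);
    if (depName === name && compareVersions(entry.version, fixedIn) < 0) {
      hits.push({ path: path.join(' > '), version: entry.version });
    }
    // Nested "dependencies" describe copies installed under this package's
    // own node_modules directory, so descend with the extended trail.
    hits.push(...findVulnerableCopies(entry, name, fixedIn, path));
  }
  return hits;
}

// Constructed sample lockfile modelled on the dependency path in the issue.
// The nesting is illustrative only; it is not taken from a real lockfile.
const SAMPLE_LOCK = {
  dependencies: {
    'docz-core': {
      version: '1.2.0',
      requires: { serve: '11.3.2' },
      dependencies: {
        serve: {
          version: '11.3.2',
          requires: { ajv: '6.5.3' },
          dependencies: {
            ajv: { version: '6.5.3' }
          }
        }
      }
    },
    // A top-level copy that is already at the fixed version; it must not
    // be reported, and it does not shadow the nested vulnerable copy.
    ajv: { version: '6.12.3' }
  }
};

// Report every ajv copy below the version that fixed CVE-2020-15366.
function report(lock = SAMPLE_LOCK) {
  return findVulnerableCopies(lock, 'ajv', '6.12.3');
}

for (const hit of report()) {
  console.log(`ajv@${hit.version} via ${hit.path}`);
}
```

Running the block against the constructed lockfile reports one vulnerable copy, `ajv@6.5.3 via docz-core@1.2.0 > serve@11.3.2 > ajv@6.5.3`, while the patched top-level copy is ignored. To use it on a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the nested path output is exactly the information needed to decide whether a patch release of the intermediate package (here serve 11.3.x) would propagate the fix automatically.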

gcoelho commented Sep 28, 2021

FYI, I guess this issue was fixed by #635 and included in release 12.0.0 (https://github.com/vercel/serve/releases/tag/12.0.0). This issue is similar to #633 too.

leo (Contributor) commented Sep 28, 2021

Was it? Or should we publish a patch release for a smaller major?
