
@vitest/expect vulnerable to CVE-2023-43646 #4194

Closed
6 tasks done
BreakBB opened this issue Sep 28, 2023 · 5 comments · Fixed by #4195

Comments

@BreakBB
Contributor

BreakBB commented Sep 28, 2023

Describe the bug

@vitest/expect holds a dependency to chai, which included a version of get-func-name vulnerable to CVE-2023-43646.

"chai": "^4.3.7"

A fix was already pushed in get-func-name: chaijs/get-func-name@f934b22

and chai: chaijs/chai#1539

As soon as a new chai version is published, it should be included in vitest/expect.

Reproduction

System Info

-

Used Package Manager

npm

Validations

@keithamus

https://github.com/chaijs/chai/releases/tag/v4.3.10

BreakBB added a commit to BreakBB/vitest that referenced this issue Sep 28, 2023
@AriPerkkio
Member

AriPerkkio commented Sep 28, 2023

@BreakBB as this is just a patch version release you should be able to update chai's version by updating your package manager's lockfile. There's no need to update all dependents of chai manually.

@BreakBB
Contributor Author

BreakBB commented Sep 28, 2023

Yes @AriPerkkio you are absolutely right, thanks for pointing it out 👍🏻 It doesn't hurt though 😬

@webJose

webJose commented Sep 28, 2023

Guys, pardon my ignorance. I too came here about this vulnerability. I see vitest also listing chai-subset, and this package suffers from this too, with the aggravating factor that it seems completely abandoned. At least that is what I think. I am no expert in this kind of thing. Kindly correct me if I'm mistaken.

@keithamus

You're really unlikely to hit the issue: you'd need to be running tests on an old browser (like IE or PhantomJS) and have very large function names, which would cause your test suite to hang. Running npm audit fix would fix up your package-lock to ensure you're using the fixed version, and you can run npm ls get-func-name and confirm that you're using 2.0.2, which is the patched version.
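The two comments above (update the lockfile rather than every dependent, then confirm with npm ls that every resolved copy of get-func-name is 2.0.2) can be checked in one pass over package-lock.json. The script below is an added example and is not code from vitest, chai, or anyone in this thread; it reads the "packages" map that npm writes in lockfileVersion 2 and 3, lists every copy of a named package (hoisted and nested), and reports the ones below the patched version. The embedded lockfile is constructed for the example, and the version comparison is a deliberately minimal x.y.z compare that ignores prerelease tags.

```javascript
// Added example, not from the vitest or chai projects: scan a package-lock.json
// "packages" map (lockfileVersion 2/3) for every installed copy of a package and
// report the copies that are still below a patched version.

// Minimal semver compare for plain x.y.z strings (prerelease tags ignored).
// Returns a negative number, 0, or a positive number like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every key in lock.packages is a path ending in "node_modules/<name>";
// nested installs (e.g. node_modules/chai/node_modules/get-func-name) give
// several copies of the same package, each with its own version.
function findPackageCopies(lock, name) {
  const suffix = "node_modules/" + name;
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Exact suffix match so "get-func-name-extra" does not match "get-func-name".
    if (path === suffix || path.endsWith("/" + suffix)) {
      copies.push({ path, version: entry.version });
    }
  }
  return copies;
}

// Copies whose resolved version is older than fixedVersion.
function vulnerableCopies(lock, name, fixedVersion) {
  return findPackageCopies(lock, name).filter(
    (c) => compareVersions(c.version, fixedVersion) < 0
  );
}

// Parse the lockfile text and return the vulnerable copies of `name`.
function auditLockfile(lockJsonText, name, fixedVersion) {
  return vulnerableCopies(JSON.parse(lockJsonText), name, fixedVersion);
}

// Constructed sample lockfile: the hoisted copy of get-func-name is still
// 2.0.0 while the copy nested under chai was already updated to 2.0.2.
const SAMPLE_LOCK = JSON.stringify({
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", devDependencies: { vitest: "^0.34.0" } },
    "node_modules/chai": { version: "4.3.10" },
    "node_modules/get-func-name": { version: "2.0.0" },
    "node_modules/chai/node_modules/get-func-name": { version: "2.0.2" },
    "node_modules/get-func-name-extra": { version: "1.0.0" }
  }
});

// Stand-alone run over the constructed lockfile; swap SAMPLE_LOCK for the
// contents of a real package-lock.json to audit a project.
const findings = auditLockfile(SAMPLE_LOCK, "get-func-name", "2.0.2");
if (findings.length === 0) {
  console.log("all copies of get-func-name are at or above 2.0.2");
} else {
  for (const f of findings) {
    console.log(`${f.path} resolves to ${f.version} (< 2.0.2)`);
  }
}
```

Because the scan walks every path in the map rather than only the top-level entry, it catches the case npm ls exposes: a project can have a patched copy under one dependency and an unpatched hoisted copy at the same time, and both must reach 2.0.2 before the lockfile is clean.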

@github-actions github-actions bot locked and limited conversation to collaborators Oct 14, 2023