Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Semver vulnerability in yarn.lock #253

Open
EelcoLos opened this issue Jan 31, 2024 · 4 comments
Open

Semver vulnerability in yarn.lock #253

EelcoLos opened this issue Jan 31, 2024 · 4 comments

Comments

@EelcoLos
Copy link
Contributor

Describe the bug
dependency security advisory states the following multiple times (yarn audit does too):

moderate semver vulnerable to Regular Expression Denial of Service
Package semver
Patched in >=6.3.1
Dependency of jest
Path jest > jest-cli > @jest/core > @jest/reporters > istanbul-lib-instrument > @babel/core > semver
More info Advisory 1095366

To reproduce

run yarn audit

Expected behavior

To have no dependency vulnerabilities

Potential solution
When I tried to update all packages to the latest version, there were no issues. These do include major version updates though:

Package Old Version New Version
@actions/core ^1.10.0 ^1.10.1
@actions/github ^5.1.1 ^6.0.0
@semantic-release/changelog 6.0.2 6.0.3
@semantic-release/commit-analyzer 9.0.2 11.1.0
@semantic-release/github 8.0.7 9.2.6
@semantic-release/release-notes-generator 10.0.3 12.1.0
@vercel/ncc ^0.36.1 ^0.38.1
conventional-changelog-conventionalcommits 5.0.0 7.0.2
conventional-commits-parser ^3.2.4 ^5.0.0
eslint 8.36.0 8.56.0
eslint-config-molindo 6.0.0 7.0.0
jest 29.5.0 29.7.0
semantic-release ^19.0.5 ^23.0.0
@amannn
Copy link
Owner

amannn commented Feb 2, 2024

Jest is a dev-dependency that doesn't run as part of the action, but only during development (see also facebook/create-react-app#11174).

That being said, if you'd like to propose a PR that updates dependencies I'd be happy to review it!

@EelcoLos
Copy link
Contributor Author

EelcoLos commented Feb 2, 2024

Jest is a dev-dependency that doesn't run as part of the action, but only during development (see also facebook/create-react-app#11174).

That being said, if you'd like to propose a PR that updates dependencies I'd be happy to review it!

The thing is, that there'd be a lot of major versions updating. Not solely Jest. I couldn't pinpoint instantly which version is also solving the issue. And to have a lot of major versions being pushed to solve a semver version is a bit much, wouldn't you say

@amannn
Copy link
Owner

amannn commented Feb 2, 2024

Updating semver will furthermore not affect the code that runs for consumers of this action, so yes.

Updating dependencies would be good at some point, so we can leave this open in case someone is interested to look into it.

@EelcoLos
Copy link
Contributor Author

EelcoLos commented Feb 2, 2024

note for anyone who tries: updating these packages with updating to eslint-config-molindo v7.0 will break linting: https://github.com/molindo/eslint-config-molindo/blob/master/CHANGELOG.md#700

Breaking changes
eslint-config-molindo/setupPlugins has been removed, since it's no longer necessary (fixes #59)

This is however used here. And removing it will break everything regarding linting (at least at my end)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants