Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix for CVE-2022-25883 #136

Merged
merged 2 commits into from
Jun 23, 2023
Merged

Fix for CVE-2022-25883 #136

merged 2 commits into from
Jun 23, 2023

Conversation

frankhinek
Copy link
Contributor

This PR is primarily to address:

  • CVE-2022-25883 - semver vulnerable to Regular Expression Denial of Service

which surfaced in this PR.

npm audit fix proposed solution is to downgrade to c8 v5.0.2 released on June 23, 2019:

❯ npm audit
# npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/make-dir/node_modules/semver
node_modules/semver
  make-dir  2.0.0 - 3.1.0
  Depends on vulnerable versions of semver
  node_modules/make-dir
    istanbul-lib-report  >=2.0.5
    Depends on vulnerable versions of make-dir
    node_modules/istanbul-lib-report
      c8  >=5.0.3
      Depends on vulnerable versions of istanbul-lib-report
      Depends on vulnerable versions of istanbul-reports
      node_modules/c8
      istanbul-reports  >=3.0.0-alpha.0
      Depends on vulnerable versions of istanbul-lib-report
      node_modules/istanbul-reports

5 moderate severity vulnerabilities

An attempt was made to manually override the version of semver to v7.5.3 which fixes the vulnerability but due to apparent bugs in npm's overrides feature, it ignores the specified overrides. Over a dozen additional permutations were attempted to override the c8 dependencies that introduce this vulnerability (instanbul-lib-report, make-dir), but those overrides were ignored by npm as well. While not this specific issue, there are multiple reported bugs (4942, 4834, 5850) with NPM's overrides feature which have not been addressed in over a year.

Given that the issue will continue to block future PRs due to the failing security audit and lack of certainty about when NPM overrides will work properly, the workaround was to patch package-lock.json until new versions of the c8 and instanbul-lib-report are published. The semver and make-dir projects were patched in the past 48 hours.

Issue #135 was created to track when we can stop manually patching package-lock.json.

This PR also opportunistically improves the ESLint rules for switch to indent case: statements

@frankhinek frankhinek self-assigned this Jun 23, 2023
@frankhinek frankhinek added the security Security issue label Jun 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security Security issue
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants