Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[fix] npm audit reporting high severity vulnerability with @koa/router 13.0.0 #186

Closed
cduff opened this issue Sep 10, 2024 · 15 comments · Fixed by #187
Closed

[fix] npm audit reporting high severity vulnerability with @koa/router 13.0.0 #186

cduff opened this issue Sep 10, 2024 · 15 comments · Fixed by #187
Assignees
Labels
bug Something isn't working

Comments

@cduff
Copy link

cduff commented Sep 10, 2024

Steps to reproduce

$ npm i @koa/router

added 9 packages in 429ms

$ npm audit
# npm audit report

path-to-regexp  0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
No fix available
node_modules/path-to-regexp
  @koa/router  *
  Depends on vulnerable versions of path-to-regexp
  node_modules/@koa/router

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Solution

Fix by upgrading @koa/router to depend on later version of path-to-regexp?

@ManojKeer
Copy link

Facing the same issue since yesterday. koa-router(12.0.1) is using path-to-regexp of version 6.2.1. I am getting build errors to upgrade the path-to-regexp to latest. How to fix this issue? Will koa-router publish a latest version with patched path-to-regexp version?

@iambumblehead
Copy link

@iambumblehead
Copy link

related pillarjs/path-to-regexp#324

@iambumblehead
Copy link

locally incrementing to 6.3.0 does not satisfy the warning

path-to-regexp  4.0.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/path-to-regexp

@mschfh
Copy link
Contributor

mschfh commented Sep 12, 2024

locally incrementing to 6.3.0 does not satisfy the warning

The advisory wasn't updated yet to include the 6.x patched version: GHSA-9wv6-86v2-598j

mschfh added a commit to mschfh/router that referenced this issue Sep 12, 2024
mschfh added a commit to mschfh/router that referenced this issue Sep 12, 2024
mschfh added a commit to mschfh/router that referenced this issue Sep 12, 2024
@moez-qlik
Copy link

Leaving this bug unfixed could potentially break our projects that rely on Koa Router.
#185

@panva
Copy link
Contributor

panva commented Sep 12, 2024

Leaving this bug unfixed could potentially break our projects that rely on Koa Router. #185

That's unrelated to the path-to-regexp CVE. path-to-regexp 6.3.0 was released with the fix backport. Meaning that the router is no longer vulnerable. The advisory has not been updated yet to reflect the fixed version.

@3imed-jaberi
Copy link
Member

3imed-jaberi commented Sep 12, 2024

Thank you @mschfh for your contribution by bumping path-to-regexp dependency to v6.3.0. It should fix the vulnerability (+1 @panva).

@titanism could you please publish the next release v13.1.0 with latest commit on the master branch. And please publish v12.0.2 from this branch (v12.0.2) to prevent @moez-qlik marked issue here and the potential issue related to path params.

@moez-qlik, if really it's a block for your project, you can use patch-package and patch koa router with [email protected].

I will try to find a slot to work on #185!

@titanism
Copy link
Contributor

I also merged #189

@titanism
Copy link
Contributor

@moez-qlik
Copy link

@titanism can you release the Vulnerablity fix on v12.0.2?

@3imed-jaberi
Copy link
Member

I apologize for the delayed response. Merging PR #189 is a significant change that requires a major version bump (v14), making it a risky step. That’s why I didn’t merge it upon review and have assigned myself to the review process.

Additionally, I think we should stick with [email protected] until we can ensure that v8 doesn't introduce any unexpected issues with the current implementation. We should also update the documentation to reflect any new behavior.

To move forward, I propose the following steps:

  1. Move the current master code to a pre-release branch for v14.
  2. Revert or remove all commits related to path-to-regex@8+ on master branch.
  3. Publish the next minor or patch release (v13.1.0 or v13.0.2) based on this cleanup.
  4. Publish the v12.0.2.
  5. Deprecate the current v13.0.1 on npm

Please @titanism DM on our space 😉!

@3imed-jaberi
Copy link
Member

@moez-qlik I working with @titanism to deliver the correct version and soon will find it. In the meanwhile, you can try the patch-package in my comment here.

@3imed-jaberi
Copy link
Member

@moez-qlik v12.0.2 published 🎉!

3imed-jaberi pushed a commit that referenced this issue Sep 17, 2024
@moez-qlik
Copy link

@moez-qlik v12.0.2 published 🎉!

thank you @3imed-jaberi <3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

8 participants