netmask package issue #1562

Closed
dalisoft opened this issue Mar 30, 2021 · 9 comments · Fixed by #1575

@dalisoft

Chore summary
See

Log

❯ yarn why netmask
yarn why v1.22.10
[1/4] 🤔  Why do we have the module "netmask"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "_project_#smartlint#@stoplight#spectral#proxy-agent#pac-proxy-agent#pac-resolver" depends on it
   - Hoisted from "_project_#smartlint#@stoplight#spectral#proxy-agent#pac-proxy-agent#pac-resolver#netmask"
info Disk size without dependencies: "60KB"
info Disk size with unique dependencies: "60KB"
info Disk size with transitive dependencies: "60KB"
info Number of shared dependencies: 0
✨  Done in 0.53s.
@dalisoft dalisoft added the chore label Mar 30, 2021
@roubles

roubles commented Mar 30, 2021

The relevant defect on pac-resolver is: TooTallNate/node-pac-resolver#26

There is a PR out on pac-resolver with netmask updated: TooTallNate/node-pac-resolver#25

@P0lip P0lip changed the title Security issue netmask package issue Mar 31, 2021
@andrewsomething

@dshiledarc1

Hi @roubles @P0lip, can we publish to the npm registry a bit more frequently? Especially these vulnerability fixes, sometimes shut down the library usage, in stringent environments. Thanks.

@cmdcarini

This security vulnerability is already patched with the proxy-agent update to 4.0.1.

We need this patch pushed ASAP, a quick 5.9.1 would be greatly appreciated. I'd be happy to fork off the v5.9.0 tag if some of the changes in the develop branch are not ready.

@dshiledarc1

Hi Folks - @P0lip @jharmn @domagojk @mpodlasin @mnaumanali94 @marcelltoth I am checking on https://www.npmjs.com/package/@stoplight/spectral for availability of the new release that will address this security issue. Please publish to help get past the enterprise vulnerability checks. Thanks.

@dshiledarc1

@falsaffa @ksoviero-stoplight, I see stoplight in your username, hoping for a response from Stoplight team on the prompt publishing of the version. Thanks.

@P0lip
Contributor

P0lip commented Apr 8, 2021

We already use a newer proxy-agent (not released yet, though, I'll make a release in a few mins), but it still does not require the latest patched netmask -> https://github.com/TooTallNate/node-proxy-agent/blob/master/package.json#L37 (note, it still requires >= 4.1.0, and not the patched 4.2.0), therefore even if we release Spectral 5.9.1 this one won't be solved if you have an older version of pac-proxy-agent in your npm/yarn cache.
However, since a range of packages is accepted, you can try to clear npm/yarn cache and then perform an installation of Spectral 5.9.1 (when it's out). It should pick up the most recent version of pac-proxy-agent and hence netmask.

@dshiledarc1

@P0lip Thank you for the prompt action, will wait for 5.9.1 to show up.

@P0lip
Contributor

P0lip commented Apr 8, 2021

5.9.1 is already out, therefore you should be able to use it.
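
An added example, not part of the thread or of Spectral's code: a Node.js check for the situation P0lip describes above, where a dependency range (>= 4.1.0) is satisfied by an older, already-resolved pac-proxy-agent instead of the patched 4.2.0. It assumes a yarn v1 lockfile; the function names and the sample lockfile text are constructed for illustration.

```javascript
// Parse a yarn v1 lockfile into [{ name, ranges, version }] entries.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Header: one or more comma-separated "name@range" specs, optionally quoted.
      const specs = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      // Search for '@' from index 1 so a scoped name ("@scope/pkg") stays intact.
      const split = (s) => [s.slice(0, s.indexOf('@', 1)), s.slice(s.indexOf('@', 1) + 1)];
      current = { name: split(specs[0])[0], ranges: specs.map((s) => split(s)[1]), version: null };
      entries.push(current);
    } else if (current) {
      // Only the entry's own two-space "version" field, not nested dependency lines.
      const m = /^ {2}version "([^"]+)"$/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Compare plain x.y.z versions numerically (pre-release tags are ignored).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Return every lockfile entry for `name` that is pinned below `floor`.
function findStale(lockText, name, floor) {
  return parseYarnLock(lockText).filter(
    (e) => e.name === name && e.version !== null && compareVersions(e.version, floor) < 0
  );
}

// Constructed sample: the range would accept 4.2.0, but the lock pins 4.1.0.
const SAMPLE_LOCK =
  '# yarn lockfile v1\n\npac-proxy-agent@^4.1.0:\n  version "4.1.0"\n' +
  '  dependencies:\n    pac-resolver "^4.1.0"\n'; // dependency line is constructed

console.log(findStale(SAMPLE_LOCK, 'pac-proxy-agent', '4.2.0'));
```

An empty result means every resolved copy is at or above the floor; a non-empty one lists the entries that need to be re-resolved after the upgrade.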
