
question: Is everything alright with class-validator vulnerabilities checks? #1342

Closed
talesmgodois opened this issue Oct 12, 2021 · 15 comments
Labels
type: question Questions about the usage of the library.

Comments

@talesmgodois

Hi everyone, today a critical vulnerability has shown up on our CI/CD:

[screenshot]

So I entered the link provided to me, GHSA-fj58-h2fr-3pp2, and saw the following:

[screenshot]

My question is, should I get this error when I am using version 0.13.1? Shouldn't it be only for versions <= 0.10.2?

Idk how these vulnerabilities are marked, but is there any possibility that this was marked wrong, using <=10.2 instead of <=0.10.2 as it should?

@talesmgodois talesmgodois added the type: question Questions about the usage of the library. label Oct 12, 2021
@talesmgodois talesmgodois changed the title question: <your-title-goes-here> question: Is everything alright with class-validator vulnerabilities checks? Oct 12, 2021
@dantehemerson
Contributor

Same here, I'm using [email protected] and I'm getting the following critical severity vulnerability on GitHub:

[screenshot]

@tofikabdullayev

Same

@szygendab

Same error here, even when using v0.13.1.

@iordanivanov

Same here

@StefanZivkovic

In order to unblock us we removed the npm audit command from our CI builds. I guess this is just temporary.

@talesmgodois
Author

Yeah, disabling it is the first thing to do in this situation.

I found this library that solves part of what we need:
https://www.npmjs.com/package/better-npm-audit

@SDemonUA

@talesmgodois there is the wonderful https://www.npmjs.com/package/audit-ci; it can be configured with whitelists of packages, issues...

@nternouski

Same here with the latest version (0.13.1).

@nandastone

The advisory contains a typo:

[screenshot, 2021-10-15]

If using https://www.npmjs.com/package/audit-ci, you can upgrade the package then whitelist it via the allowlist option.
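The comments above recommend keeping the audit step in CI but allowlisting the one advisory that has no fix yet, rather than disabling `npm audit` altogether. The following is an added example written for this thread (it is not code from class-validator, audit-ci or better-npm-audit) showing the logic such a gate needs: it parses the JSON shape that `npm audit --json` prints on npm 7+ (`auditReportVersion` 2), drops advisories whose GHSA id or package name is on an allowlist, fails only on findings at or above a severity threshold, and flags allowlist entries that have become stale because a fix is now available. The report is constructed inline; `example-pkg`, `app-wrapper` and the second GHSA id are placeholders, and the advisory title strings are made up.

```javascript
// Added example for this thread; not code from class-validator, audit-ci or
// better-npm-audit. Mimics an allowlist-plus-severity-threshold audit gate
// over `npm audit --json` output (npm 7+, auditReportVersion 2).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report. The class-validator entry mirrors this thread
// (GHSA-fj58-h2fr-3pp2, range <=0.13.1, no fix available); example-pkg,
// app-wrapper, the second GHSA id and the titles are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "class-validator": {
      name: "class-validator",
      severity: "critical",
      isDirect: true,
      via: [{
        name: "class-validator",
        dependency: "class-validator",
        title: "(constructed title)",
        url: "https://github.com/advisories/GHSA-fj58-h2fr-3pp2",
        severity: "critical",
        range: "<=0.13.1",
      }],
      range: "<=0.13.1",
      fixAvailable: false,
    },
    "example-pkg": {
      name: "example-pkg",
      severity: "low",
      isDirect: false,
      via: [{
        name: "example-pkg",
        dependency: "example-pkg",
        title: "(constructed title)",
        url: "https://github.com/advisories/GHSA-xxxx-xxxx-xxxx", // placeholder id
        severity: "low",
        range: "<2.0.0",
      }],
      range: "<2.0.0",
      fixAvailable: { name: "example-pkg", version: "2.0.0", isSemVerMajor: true },
    },
    "app-wrapper": {
      name: "app-wrapper",
      severity: "low",
      isDirect: true,
      via: ["example-pkg"], // string entry: affected only through example-pkg
      range: "*",
      fixAvailable: { name: "example-pkg", version: "2.0.0", isSemVerMajor: true },
    },
  },
};

// Flatten the report into one record per advisory. String `via` entries only
// say "affected through that other package"; the advisory itself is recorded
// under the package it names, so they are skipped to avoid double counting.
function extractAdvisories(report) {
  const advisories = [];
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities || {})) {
    for (const via of vuln.via || []) {
      if (typeof via !== "object" || via === null) continue;
      const id = via.url ? via.url.split("/").pop() : String(via.source);
      advisories.push({
        package: pkg,
        id,
        severity: via.severity,
        range: via.range,
        fixAvailable: Boolean(vuln.fixAvailable),
      });
    }
  }
  return advisories;
}

// Gate: fail on any advisory at or above `threshold` unless its GHSA id or
// package name is allowlisted. Allowlisted advisories that now have a fix are
// reported as stale, because an allowlist entry is a temporary workaround
// (as in this thread) and should be removed once upgrading is possible.
function auditGate(report, { allowlist = [], threshold = "moderate" } = {}) {
  const allowed = new Set(allowlist);
  const minRank = SEVERITY_RANK[threshold];
  if (minRank === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const result = { pass: true, failing: [], suppressed: [], belowThreshold: [], staleAllowlist: [] };
  for (const adv of extractAdvisories(report)) {
    if (allowed.has(adv.id) || allowed.has(adv.package)) {
      result.suppressed.push(adv);
      if (adv.fixAvailable) result.staleAllowlist.push(adv);
    } else if ((SEVERITY_RANK[adv.severity] ?? SEVERITY_RANK.critical) < minRank) {
      result.belowThreshold.push(adv); // an unknown severity string is treated as critical
    } else {
      result.failing.push(adv);
    }
  }
  result.pass = result.failing.length === 0;
  return result;
}

// Demo run: the allowlist mirrors the workaround discussed in this thread.
const DEMO = auditGate(SAMPLE_REPORT, { allowlist: ["GHSA-fj58-h2fr-3pp2"], threshold: "moderate" });
console.log(JSON.stringify(DEMO, null, 2));
```

In a real pipeline the report would come from `npm audit --json` on stdin rather than the constructed object, and the `staleAllowlist` list is the part worth surfacing in CI output: it tells you when the temporary exception for an advisory such as GHSA-fj58-h2fr-3pp2 can be dropped because a fixed version has been published.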

@joebowbeer

The entry has been updated to 0.13.1 but class-validator is still missing a fix:

GHSA-fj58-h2fr-3pp2 has been updated so that it now has a vulnerable version range of <= 0.13.1. 0.13.1 is the latest version of the package. Given a fix for the issue has not yet been made I believe this is the correct version range. If the developer does release a fix in 0.14.0 or a different version we will update the advisory again to include that fix version.

I also lowered the severity to moderate given that there is a workaround, and some debate in the issue about how serious the vulnerability is.

To explain how the data was published with a mistake, there is a manual process involved in going from a CVE to a GHSA and a human error was made in that process. We do have plans to improve the validations to check against actual versions. This case will be useful to illustrate the importance of that change.

We also have a feature that should launch in the next few months where a community member can suggest edits to GHSAs directly from the advisory page. That should make it easier to get mistakes like these fixed.

@talesmgodois
Author

Nice, @joebowbeer, do you have the URL source of this quote?

@joebowbeer

The quote is from private correspondence with Rob Schultheis.

He wrote:

If you see any other problems with this advisory or others, please don't hesitate to email [email protected].

@talesmgodois
Author

talesmgodois commented Oct 15, 2021

Oh ok, gotcha. I thought it would be in some GitHub or other public community.

Anyway, the purpose of the issue was the mislabel and confusion, thanks for your help folks.
Closing it now. Thanks everyone for your help o/

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 15, 2021