
Dependency `@bahmutov/is-my-json-valid` contains vulnerable sub-dependency - `[email protected]` - and is outdated

Open akaustav opened this issue 3 years ago • 0 comments

Hi @bahmutov / maintainers,

Summary

The @bahmutov/is-my-json-valid dependency of this repository contains (at least) one vulnerable sub-dependency - [email protected]. See this advisory about CVE-2021-23807 in the GitHub Advisory Database for details about the vulnerability.

My research so far

  1. This repository contains a dependency named @bahmutov/is-my-json-valid.

    https://github.com/cypress-io/schema-tools/blob/b0d1a36912e399864aa563d96c7638211e56d898/package.json#L34

  2. The code for this dependency is hosted on this GitHub repository.

  3. Upon closer inspection, I found that the GitHub repository at bahmutov/is-my-json-valid was forked from the GitHub repository at mafintosh/is-my-json-valid (that has been published to the npm registry at is-my-json-valid) around April, 2018.

  4. As of today (Wednesday, March 23, 2022), the master branch of the forked repository bahmutov/is-my-json-valid is 2 commits ahead and 43 commits behind the master branch of its base repository - mafintosh/is-my-json-valid. There is even an open Pull Request to merge the changes from these 2 commits into the base repository - https://github.com/mafintosh/is-my-json-valid/pull/161.

  5. Meanwhile, both mafintosh/is-my-json-valid and consequently bahmutov/is-my-json-valid employ another sub-dependency - jsonpointer.

    1. In bahmutov/is-my-json-valid - see line 10 of package.json.

    2. In mafintosh/is-my-json-valid - see line 19 of package.json.

  6. A Moderate security vulnerability was found in [email protected]. The vulnerability is documented at CVE-2021-23807.

  7. The maintainer(s) of the node-jsonpointer repository fixed this issue via https://github.com/janl/node-jsonpointer/pull/51, and later published a new major version - [email protected].

  8. After this, the maintainer(s) of mafintosh/is-my-json-valid upgraded to [email protected] via https://github.com/mafintosh/is-my-json-valid/pull/188.

  9. However, the forked repository - bahmutov/is-my-json-valid - has not been kept up to date with these new commits.

  10. Hence, every Cypress repository employing any version of the @cypress/schema-tools plugin until v4.7.9 inherits the same security vulnerability - CVE-2021-23807 - incoming from [email protected].

Please assist in fixing / patching this security vulnerability. Or provide any suggestions about what users of this plugin should be doing in the interim.

NOTE: Technically, this issue belongs in https://github.com/bahmutov/is-my-json-valid repository. But that repository does NOT allow me to open an Issue (I don't see the "Issues" tab at the top). So, I am opening this issue here.

akaustav · Mar 23 '22 17:03
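As an added example, not code from the issue or from the schema-tools project, the check below walks the dependency tree that `npm ls --all --json` prints and reports every path ending in a copy of jsonpointer older than a given version, which is how a consumer can confirm whether the chain described above is present in their own install. The sample tree and its version numbers are constructed for the example, and the fixed version is a placeholder to be taken from the advisory.

```javascript
// PLACEHOLDER: take the real fixed version from the CVE-2021-23807 advisory.
const MIN_SAFE_VERSION = "5.0.0";

// Compare two "major.minor.patch" strings like a comparator (<0, 0, >0);
// a prerelease suffix is ignored for this check.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk over the nested `dependencies` objects that npm emits.
// Returns a chain such as "a@1 > b@2 > jsonpointer@4.0.0" for every copy below
// minSafe, so an unfixed nested copy is reported even when a fixed one is hoisted.
function findVulnerableChains(tree, pkgName, minSafe, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version || "?"}`];
    if (name === pkgName && node.version && compareSemver(node.version, minSafe) < 0) {
      hits.push(here.join(" > "));
    }
    hits.push(...findVulnerableChains(node, pkgName, minSafe, here));
  }
  return hits;
}

// Constructed sample mirroring the chain described in the issue; every version
// number below is made up for the example.
const sampleTree = {
  name: "example-app",
  dependencies: {
    "@cypress/schema-tools": {
      version: "4.7.8",
      dependencies: {
        "@bahmutov/is-my-json-valid": {
          version: "1.0.0",
          dependencies: { jsonpointer: { version: "4.0.0" } },
        },
      },
    },
    jsonpointer: { version: "5.0.0" }, // hoisted copy already at the fixed version
  },
};

console.log(findVulnerableChains(sampleTree, "jsonpointer", MIN_SAFE_VERSION));
```

To run it against a real project, parse the output of `npm ls --all --json` with `JSON.parse` and pass that object in place of `sampleTree`.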