
Upgrade package "async" to fix CVE

Open Frank3K opened this issue 2 years ago • 3 comments

Package async has a CVE in versions < 3.2.2: GHSA-fwr7-v2mv-hh25.

fireworm currently has a dependency on ~0.2.9:

https://github.com/airportyh/fireworm/blob/ec1a5025305558bb6e0e07750da9d44961415eb2/package.json#L32

In order to fix the CVE the dependency should be upgraded.

Frank3K avatar Apr 13 '22 08:04 Frank3K

Using yarn resolutions to fix this issue does not work, since the async API appears to have changed between 0.2.x and the minimum patched version (2.6.3).

0.2.9 was released in 2013, and the most recent 0.2.x in 2014. I think it is time to revisit this dependency.

oliverlangan avatar Apr 20 '22 21:04 oliverlangan

@Frank3K, @oliverlangan have you found a workaround for this CVE issue?

We also spotted the problem on our side since we use ember-cli, which uses testem, which uses fireworm and we would like to solve this vulnerability.

rnuyts avatar Nov 04 '22 08:11 rnuyts

@rnuyts I attempted to replace fireworm with sane (an alternative file watcher) in testem to resolve this.

PR in my fork here: gilest/testem/pull/1

From memory it was stable on Linux but had to use polling to watch on Mac OS and the CI was not passing on Mac or Windows.

Would be grateful if someone picks it up.

gilest avatar Nov 04 '22 09:11 gilest
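An added example, not code from fireworm, testem or any participant in this thread: a small audit that flags installed `async` versions below the patched floor quoted in the first post (3.2.2) and checks whether a declared range such as fireworm's `~0.2.9` could ever resolve to a patched release, which is why a `resolutions` pin forces an out-of-range version. The lockfile entries, the `other-pkg` dependant and the installed versions are constructed.

```javascript
// Added example (not code from fireworm, testem or this issue thread).
// Flags installed "async" versions below the patched floor and reports whether
// the declared range could ever resolve to a patched release; if it cannot, a
// yarn "resolutions" pin forces an out-of-range version (the API break in the thread).
const ASYNC_PATCHED_FLOOR = [3, 2, 2]; // "versions < 3.2.2" per the first post

function parseVersion(v) {
  const parts = v.replace(/^[~^]/, '').split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Exclusive upper bound of a tilde, caret or exact range (semver subset).
function rangeUpperBound(range) {
  const [major, minor, patch] = parseVersion(range);
  if (range.startsWith('~')) return [major, minor + 1, 0];
  if (range.startsWith('^')) {
    if (major > 0) return [major + 1, 0, 0];
    return minor > 0 ? [0, minor + 1, 0] : [0, 0, patch + 1];
  }
  return [major, minor, patch + 1]; // exact pin admits only itself
}

function isPatched(version, floor = ASYNC_PATCHED_FLOOR) {
  return compareVersions(parseVersion(version), floor) >= 0;
}

// True when some version inside the declared range reaches the patched floor.
function rangeAdmitsPatched(range, floor = ASYNC_PATCHED_FLOOR) {
  return compareVersions(rangeUpperBound(range), floor) > 0;
}

// Constructed lockfile-style entries; the first mirrors fireworm's "~0.2.9".
const SAMPLE_DEPS = [
  { dependant: 'fireworm', name: 'async', range: '~0.2.9', installed: '0.2.10' },
  { dependant: 'other-pkg', name: 'async', range: '^3.2.0', installed: '3.2.1' },
];

function audit(deps = SAMPLE_DEPS) {
  return deps
    .filter((d) => d.name === 'async' && !isPatched(d.installed))
    .map((d) => ({ dependant: d.dependant, installed: d.installed,
                   fixableByPin: rangeAdmitsPatched(d.range) }));
}
console.log(audit());
```

An entry with `fixableByPin: false` needs its dependant to change its declared range (a package upgrade), not a lockfile override.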