Insight dependency with open CVE
While I posted this originally in reply to a "closed, not an issue" issue from back in May, I fear it'll go unnoticed there, so I'm opening a new issue urging you to reconsider patching.
The insight dependency that may have been "just warnings" back in May now has a CVE attached to it, as the request package is no longer supported by the maintainer and will not be updated to patch its associated security issue.
CVE-2023-28155
While the pacote dependency cleanup in Cordova 12.0.0 does address one path of requiring request, the other path through insight is still very much an issue.
insight also seems to be a dead project with no updates since 2021.
I have not delved into why Cordova needs insight, but it seems like now might be a good time to strip that dependency.
Originally posted by @plasticlobster in https://github.com/apache/cordova-cli/issues/610#issuecomment-1686696956
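The "one path removed, one path left" point above is easiest to check by walking the lockfile. The script below is an added example, not Cordova project code or code from either commenter; it lists every dependency path from the root of a package-lock.json (lockfileVersion 2/3 "packages" map) to a named package, and the lockfile it reads is constructed for the example rather than taken from cordova-cli.

```javascript
// Added example, not Cordova project code: list every dependency path from the
// root of a package-lock.json (lockfileVersion 2/3 "packages" map) to a named
// package. The lockfile is constructed for the example; only "dependencies"
// edges are followed (optional/dev edges are omitted for brevity).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { insight: "^0.11.1", pacote: "^15.0.0" } },
    "node_modules/insight": { version: "0.11.1", dependencies: { request: "^2.88.0" } },
    "node_modules/request": { version: "2.88.2", dependencies: {} },
    "node_modules/pacote": { version: "15.0.0", dependencies: { minipass: "^5.0.0" } },
    "node_modules/minipass": { version: "5.0.0", dependencies: {} },
  },
};

// Node-style resolution: nearest node_modules directory, walking up from `from`.
function resolveDep(packages, from, depName) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed in this tree
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// "node_modules/a/node_modules/b" -> "b@<version>"
function label(packages, location) {
  const name = location.slice(location.lastIndexOf("node_modules/") + 13);
  return name + "@" + packages[location].version;
}

// Depth-first walk; `chain` holds visited locations so cycles are cut off.
function findDependencyPaths(lock, target) {
  const packages = lock.packages;
  const found = [];
  const visit = (location, chain) => {
    const deps = (packages[location] || {}).dependencies || {};
    for (const name of Object.keys(deps)) {
      const loc = resolveDep(packages, location, name);
      if (!loc || chain.includes(loc)) continue;
      if (name === target) found.push(chain.concat(loc).map((l) => label(packages, l)).join(" > "));
      else visit(loc, chain.concat(loc));
    }
  };
  visit("", []);
  return found;
}

console.log(findDependencyPaths(SAMPLE_LOCK, "request")); // [ 'insight@0.11.1 > request@2.88.2' ]
```

Running it against a real lockfile (`JSON.parse(fs.readFileSync("package-lock.json"))`) shows each remaining chain by which `request` is still pulled in, which is the check to repeat after a dependency cleanup.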
insight is what collects telemetry data, assuming the user has opted in.
There were previous talks about stripping it already, but it was ultimately decided to keep it "for now" since, while it was unmaintained, it still worked with no known issues, so there wasn't a reason to strip it without any actual replacement.
Now I think we have that reason. I'll support any PR that strips out the insight dependency and any usages of it.