beemo icon indicating copy to clipboard operation
beemo copied to clipboard

Published 20 hours ago • verified publisher icon beemojs

release patch for @beemo/core 1.1.x with updated dependency hygen

Open evansrobert opened this issue 3 years ago • 1 comments

Hi, @milesj,

Issue Description

When I build my project, I notice that a vulnerability SNYK-JS-EJS-1049328 detected in package ejs<3.1.6 is transitively referenced by @beemo/[email protected]. However, @beemo/[email protected] is so popular that a large number of latest versions of active and popular downstream projects depend on it (712 downloads per week and about 81 downstream projects, e.g., @oriflame/lumos 3.1.68, @rajzik/lumos 6.0.13, @rajzik/config-eslint 4.2.6, @oriflame/config-eslint 3.3.19, @oriflame/config-webpack 3.2.39, etc.). In this case, the vulnerability SNYK-JS-EJS-1049328 can be propagated into these downstream projects and expose security threats to them. As you can see, @beemo/[email protected] is introduced into the above projects via the following package dependency paths: (1)@aydink/[email protected] âž” @airbnb/[email protected] âž” @airbnb/[email protected] âž” @beemo/[email protected] âž” [email protected] âž” [email protected] ......

I know that it's kind of you to have removed the vulnerability since @beemo/[email protected]. But, in fact, the above large amount of downstream projects cannot easily upgrade @beemo/core from version 1.1.8 to (>=2.0.0-rc.0): The projects such as @airbnb/nimbus-common, which introduced @beemo/[email protected], are not maintained anymore. These unmaintained packages can neither upgrade @beemo/core nor be easily migrated by the large amount of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package @beemo/[email protected]?

Suggested Solution

Since these inactive projects set a version constaint 1.1.* for @beemo/core on the above vulnerable dependency paths, if @beemo/core removes the vulnerability from 1.1.8 and releases a new patched version @beemo/[email protected], such a vulnerability patch can be automatically propagated into the downstream projects.

In @beemo/[email protected], maybe you can try to perform the following upgrade: hygen ^5.0.3 âž” ^6.0.0;
Note: [email protected](>=6.0.0) directly depends on [email protected] which has fixed the vulnerability SNYK-JS-EJS-1049328.

Thank you for your attention to this issue and welcome to share other ways to resolve the issue.

Best regards, ^_^

evansrobert avatar Aug 19 '21 07:08 evansrobert

@evansrobert Can a yarn resolution for ejs be used here?

In a somewhat related note, I built and maintained Nimbus while I was at Airbnb. Since then, I went ahead and built https://github.com/beemojs/dev, which is very similar to Nimbus. If you're ever looking to migrate away from Nimbus, I would suggest that.

milesj avatar Aug 19 '21 17:08 milesj