
possibility of a 2.3.4 release with less strict cheerio version dependency

Open evansrobert opened this issue 3 years ago • 4 comments

Hi, @jherdman @ivanvotti, I'd like to report a vulnerability introduced by package css-what:

Issue Description

I noticed that a vulnerability is introduced in [email protected]: Vulnerability CVE-2021-33587 affects package css-what (versions:<5.0.1): https://snyk.io/vuln/SNYK-JS-CSSWHAT-1298035 The above vulnerable package is referenced by [email protected] via: [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]

Since [email protected] (26,294 downloads per week) is referenced by 25 downstream projects (e.g., ember-cli-addon-docs 3.0.0 (latest version), @freshworks/button 0.18.0 (latest version), @freshworks/icon 0.20.0 (latest version), @freshworks/toast-message 0.18.0 (latest version), @hashicorp/pds-ember 0.6.2 (latest version)), the vulnerability CVE-2021-33587 can be propagated into these downstream projects and expose security threats to them via the following package dependency paths: (1) @cardstack/[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] (2) @ember-eui/[email protected] ➔ @ember-eui/[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ......

If [email protected].* removes the vulnerable package from the above version, then its fixed version can help downstream users decrease their pain.

Given the large number of downstream users, could you help update your package to remove the vulnerability from [email protected] ?

Fixing suggestions

In [email protected], maybe you can kindly try to perform the following upgrade: cheerio ^0.22.0 ➔ ^1.0.0-rc.4;

Note: [email protected](>=1.0.0-rc.4) doesn't depend on css-what any more.

Thank you for your attention to this issue and welcome to share other ways to resolve the issue.

Best regards, ^_^

evansrobert avatar Aug 14 '21 14:08 evansrobert
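For a downstream maintainer who wants to check whether their own lockfile still installs a css-what release in the affected range (<5.0.1) through a chain like the one reported above, here is an added example that is not part of this issue thread or of ember-svg-jar. It walks a `lockfileVersion: 1` package-lock.json (nested `dependencies` tree); the sample lock and its version numbers are constructed for the demo, not taken from any real release.

```javascript
// Added example (not from the issue or the project): report every installed copy of
// css-what below 5.0.1 (the range CVE-2021-33587 affects) and where it sits in the tree.
const VULNERABLE_PKG = "css-what";
const FIXED_VERSION = "5.0.1";

// Compares the major.minor.patch part of two version strings; pre-release tags are ignored.
function versionLessThan(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk over the nested tree. Caveat: npm hoists shared packages, so a copy
// may be reported at the top level rather than under the package that requires it.
function findVulnerablePaths(lock, name = VULNERABLE_PKG, fixed = FIXED_VERSION) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [pkg, info] of Object.entries(deps || {})) {
      const here = [...trail, `${pkg}@${info.version}`];
      if (pkg === name && versionLessThan(info.version, fixed)) hits.push(here.join(" -> "));
      walk(info.dependencies, here); // recurse into nested (non-hoisted) dependencies
    }
  };
  walk(lock.dependencies, [lock.name ? `${lock.name}@${lock.version}` : "root"]);
  return hits;
}

// Constructed sample lock: all versions here are placeholders chosen for the demo.
const sampleLock = {
  name: "downstream-app", version: "1.0.0", lockfileVersion: 1,
  dependencies: {
    "ember-svg-jar": { version: "2.3.3", dependencies: {
      cheerio: { version: "0.22.0", dependencies: {
        "css-select": { version: "1.2.0", dependencies: {
          "css-what": { version: "2.1.3" } } } } } } },
    "some-other-tool": { version: "4.0.0", dependencies: {
      "css-what": { version: "5.0.1" } } } // already at the fixed version, not reported
  }
};

console.log(findVulnerablePaths(sampleLock));
```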

Hi @evansrobert. I'm sure we can do something here. Are you interested in opening a PR that does the work to upgrade the dependency?

jherdman avatar Aug 14 '21 17:08 jherdman

@jherdman Thanks.

evansrobert avatar Aug 16 '21 03:08 evansrobert

Hi @jherdman, is there an expected timeline for merging in the dependency update to resolve this issue? Thanks!

grantyang avatar Nov 30 '21 00:11 grantyang

Hi @grantyang. I've poked a bit at trying to resolve this, but I've run into some difficulties coming to the solution and finding the time to implement it. The timeline is more or less "some day, hopefully soon."

A pull request would be greatly appreciated if anyone has the time and interest.

I confess that I'm not really thrilled at the idea of adopting a modern version of cheerio when it's been in beta for months on end and seems to have been stalled out. I'd love to see an alternative adopted that is much more stable, though I haven't identified one at this time.

jherdman avatar Nov 30 '21 14:11 jherdman

Resolved by #228

jherdman avatar Sep 16 '22 20:09 jherdman