fis3 icon indicating copy to clipboard operation
fis3 copied to clipboard
verified publisher icon fex-team

Update packages to avoid introducing vulnerablities

Open paimon0715 opened this issue 4 years ago • 2 comments

Hi @Xiangshouding @2betop,I’d like to report several vulnerabilities

Issue

15 vulnerabilities (9 high, 4 medium and 2 low severity) are introduced in fis3.There are some examples: 1.Vulnerability npmjs-advisories-1464 (high severity) is detected in package lodash(versions:<4.17.21):https://snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054 2.Vulnerability CVE-2020-8203 (medium severity) is detected in package lodash(versions:<4.17.16):https://snyk.io/vuln/SNYK-JS-LODASH-567746 3.Vulnerability CVE-2016-10540 (high severity) is detected in package minimatch(versions:<3.0.2):https://snyk.io/vuln/npm:minimatch:20160620 4.Vulnerability npmjs-advisories-1179 (low severity) is detected in package minimist(versions:>=0.0.0 <0.2.1,>=1.0.0 <1.2.3):https://www.npmjs.com/advisories/1179

The above vulnerable packages are referenced by fis3 via: In [email protected].* :[email protected][email protected] [email protected][email protected][email protected] [email protected][email protected] In [email protected].* :[email protected][email protected][email protected] [email protected][email protected] In [email protected].* :In a similar way to 3.2.*

Solution

Since [email protected].* is transitively referenced by 123 downstream projects (e.g., stormrage 2.8.0 (latest version),fis3-client 1.6.352 (latest version), fep-cli 1.0.0 (latest version), atmjs 0.7.7 (latest version), pcat 2.9.2(latest version)),

[email protected].* is referenced by 2 downstream projects (fis273 1.2.3 (latest version), xiangha-fe 1.0.5 (latest version)),

[email protected].* is referenced by 2 downstream projects (fis-web-config 0.0.3 (latest version), feat-l 0.0.3 (latest version)),

If fis3 removes the vulnerabilities from the above versions, then its fixed versions can help downstream users decrease their pain.

Could you help update packages in these versions?

Fixing suggestions

(1)In [email protected].*, you can kindly try to perform the following upgrades (not crossing their major versions):

  1. lodash 4.17.5 ➔ 4.17.21;
    Note: [email protected],(>=4.17.21) has fixed the vulnerabilities(e.g.,CVE-2021-23337,CVE-2020-8203,CVE-2018-16487)

  2. glob 5.0.3 ➔ 5.0.15;
    Note: [email protected] directly depends on [email protected](a vulnerability CVE-2016-10540 and SNYK-JS-MINIMATCH-1019388 patched version) _

  3. minimist 1.1.1 ➔ 1.2.3;
    Note: [email protected] has fixed the vulnerabilities CVE-2020-7598 and npmjs-advisories-1179

(2)In [email protected].*, you can kindly try to perform the following upgrades (not crossing their major versions):

  1. glob 5.0.3 ➔ 5.0.15;
    Note: [email protected] directly depends on [email protected](a vulnerability CVE-2016-10540 and SNYK-JS-MINIMATCH-1019388 patched version) _

  2. minimist 1.1.1 ➔ 1.2.3;
    Note: [email protected] has fixed the vulnerabilities CVE-2020-7598 and npmjs-advisories-1179

(3)In [email protected].*, you can kindly try to perform the following upgrades (not crossing their major versions):

  1. glob 5.0.3 ➔ 5.0.15;
    Note: [email protected] directly depends on [email protected](a vulnerability CVE-2016-10540 and SNYK-JS-MINIMATCH-1019388 patched version) _

  2. minimist 1.1.1 ➔ 1.2.3;
    Note: [email protected] has fixed the vulnerabilities CVE-2020-7598 and npmjs-advisories-1179

Thanks for your contributions to the npm ecosystem!

Best regards, Paimon

paimon0715 avatar Jul 08 '21 03:07 paimon0715

Thanks

oxUnd avatar Aug 12 '21 07:08 oxUnd

@xiangshouding Thanks for your understanding and help.

paimon0715 avatar Aug 12 '21 07:08 paimon0715