
CVE-2020-28469 high vulnerability

Open scoobster17 opened this issue 3 years ago • 8 comments

Hello, this package is flagging up a high severity vulnerability due to [email protected] being a dependency, which is itself using [email protected].

+----------------+----------+------+-------------+-----------+------------------------------+------------+------------+------------+----------------------------------------------------+-------------------+
|      CVE       | SEVERITY | CVSS |   PACKAGE   |  VERSION  |            STATUS            | PUBLISHED  | DISCOVERED | GRACE DAYS |                    DESCRIPTION                     | TRIGGERED FAILURE |
+----------------+----------+------+-------------+-----------+------------------------------+------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2020-28469 | high     | 0.00 | glob-parent | 3.1.0     | fixed in 5.1.2               | 85 days    | < 1 hour   | -84        | no description is available for this cve.          | Yes               |
+----------------+----------+------+-------------+-----------+------------------------------+------------+------------+------------+----------------------------------------------------+-------------------+

Upgrading to [email protected], or higher seems like it will fix the issue, or at least allow npm update glob-parent to be applied to repositories that use this package, as those versions of copy-webpack-plugin technically use ^5.1.1, whereas the fix is in v5.1.2.

scoobster17 avatar Apr 07 '21 13:04 scoobster17
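The reasoning in the report above (an installed glob-parent below the fixed 5.1.2, and whether the parent's declared range such as ^5.1.1 would let `npm update glob-parent` reach the fix) can be checked mechanically. The script below is an added example, not code from this thread or from next-offline; the lockfile-style tree is constructed and its package versions and ranges are illustrative, and `caretSatisfies` is a minimal hypothetical helper rather than npm's semver implementation.

```javascript
// Audit a lockfile-v1-style tree for glob-parent below the fix version cited in
// the issue (5.1.2) and report whether the parent's declared range admits the fix.
const FIXED_GLOB_PARENT = "5.1.2"; // fix version named in the issue

// "^5.1.1" or "5.1.1" -> [5, 1, 1]
function parseVersion(v) {
  return v.replace(/^[\^~]/, "").split(".").map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Minimal caret check for major >= 1 (covers ^3.1.0 and ^5.1.1):
// "^X.Y.Z" admits >= X.Y.Z and < (X+1).0.0. Hypothetical helper, not npm's semver.
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) throw new Error(`unsupported range: ${range}`);
  const base = parseVersion(range);
  if (base[0] === 0) throw new Error("0.x caret ranges not handled here");
  return parseVersion(version)[0] === base[0] && compareVersions(version, range) >= 0;
}

// Walk { name: { version, requires, dependencies } } and collect vulnerable glob-parent copies.
function findVulnerable(tree, path = [], parentRequires = {}) {
  const findings = [];
  for (const [name, node] of Object.entries(tree)) {
    const here = [...path, `${name}@${node.version}`];
    if (name === "glob-parent" && compareVersions(node.version, FIXED_GLOB_PARENT) < 0) {
      const range = parentRequires[name] || "*";
      findings.push({
        path: here.join(" > "),
        installed: node.version,
        declaredRange: range,
        // true when a plain `npm update glob-parent` can reach the fixed version
        updatable: range.startsWith("^") && caretSatisfies(range, FIXED_GLOB_PARENT),
      });
    }
    findings.push(...findVulnerable(node.dependencies || {}, here, node.requires || {}));
  }
  return findings;
}

// Constructed sample tree (versions and ranges are illustrative, not real package metadata).
const constructedLock = {
  "copy-webpack-plugin": { version: "5.1.1", requires: { "glob-parent": "^3.1.0" },
    dependencies: { "glob-parent": { version: "3.1.0" } } },
  "chokidar": { version: "3.5.1", requires: { "glob-parent": "^5.1.1" },
    dependencies: { "glob-parent": { version: "5.1.1" } } },
};
```

Running `findVulnerable(constructedLock)` flags both copies; only the one declared as ^5.1.1 is reachable by `npm update`, while the ^3.1.0 one needs the parent package itself to move to a release that declares a 5.x range.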

I'd accept a PR fixing this @scoobster17!

hanford avatar Apr 07 '21 22:04 hanford

I had to revert this, it broke several personal projects of mine that use next-offline:

[screenshot of the error output; image not captured in the text]

hanford avatar Apr 13 '21 16:04 hanford

Ahh, I didn't see any globs in the file I edited, but there was a breaking change for handling globs in copy-webpack-plugin@6 too as per the release notes. Try this? Not sure if you'll have to make further changes to next-offline or your specific project(s).

https://github.com/webpack-contrib/copy-webpack-plugin/releases/tag/v6.0.0

scoobster17 avatar Apr 13 '21 16:04 scoobster17

Any luck with the globs/progressing this issue?

scoobster17 avatar Apr 26 '21 12:04 scoobster17

@scoobster17 I haven't looked at it, I've been on vacation the last couple of weeks.

If you want to take a stab at it, I could review a PR and could release a prerelease version of next-offline so we can both verify it's working before releasing in a stable version.

hanford avatar Apr 27 '21 20:04 hanford

@hanford hope you had a nice break.

From your error message, it seems the problem might be with this line. Perhaps this path has changed? At this point I feel you are best suited to investigate this issue; I'm a bit clueless as to how to fix this.

scoobster17 avatar Apr 28 '21 09:04 scoobster17

Any update regarding this issue?

jfaylon avatar Oct 25 '21 10:10 jfaylon

Hi, an audit at our worksite has flagged this same CVE, CVE-2020-28469. We are very grateful for what next-offline has provided to us and still provides, but we need to provide a response to the business regarding the potential of a fix (we do not need to provide an ETA for now, I think they just want to know we are acting on it, when we can).

Question: Is this project still maintained? Sorry to ask very directly. We tried a few PWA frameworks for nextjs back in the day, and this was our favorite by far as it was easy getting started with. :)

opolo avatar Nov 08 '21 21:11 opolo