
source-map-resolve is deprecated and vulnerable

Open elcreator opened this issue 3 years ago • 2 comments

https://github.com/lydell/source-map-resolve is deprecated now and contains vulnerable decode-uri-component dependency https://github.com/advisories/GHSA-w573-4hg7-7wgq

elcreator · Nov 29 '22 11:11

CVE-2022-38900: I created a PR for source-map-resolve to fix this security issue and the maintainer refused to apply it:

> But – anyway. I find it boring to use my free time to do things with this deprecated package that I don’t like. It might be easy to fix this thing, but in a couple of months there will be some other vulnerability in some other dependency and the cycle repeats. Or someone finds a vulnerability in source-map-resolve itself. Not fun.

So I have a replacement module that resolves the problem: https://github.com/jesii/source-map-resolve. It updates decode-uri-component, which is where the security issue is, using v0.2.2 instead of the vulnerable v0.2.0.

JESii · Nov 03 '23 17:11

> So I have a replacement module that resolves the problem: https://github.com/jesii/source-map-resolve. It updates decode-uri-component, which is where the security issue is, using v0.2.2 instead of the vulnerable v0.2.0.

@jonschlinkert could you consider implementing this, or even replace/remove source-map-resolve?

sebastien46 · Dec 02 '23 00:12
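The thread above fixes the issue by moving decode-uri-component from 0.2.0 to 0.2.2, but a patched top-level copy does not help when an older copy is still pinned beneath another package. The following check is an added example, not code from this issue or from the source-map-resolve project; it assumes an npm lockfileVersion 2 or 3 `packages` map and uses a constructed sample lockfile in place of a real one.

```javascript
// Added example (not code from this issue or the source-map-resolve project):
// walk a package-lock.json "packages" map and report every installed copy of
// decode-uri-component older than the 0.2.2 release named in the thread.
// Assumption: lockfileVersion 2 or 3 layout, keys are node_modules paths.

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [{ path, version }] for each installed copy of `name` below `fixed`.
// Nested copies matter: a patched top-level install does not help if an
// older copy is still pinned under another package's node_modules.
function findVulnerable(lock, name, fixed) {
  const fixedV = parseSemver(fixed);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // The package name is the text after the last "node_modules/" segment
    // (scoped names keep their "@scope/" prefix); "" is the root project.
    const pkgName = path.split('node_modules/').pop();
    if (pkgName !== name || !entry.version) continue;
    const v = parseSemver(entry.version);
    if (v && compareSemver(v, fixedV) < 0) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile (versions illustrative): the top-level copy is
// patched, but a second copy nested under source-map-resolve is still 0.2.0.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/decode-uri-component': { version: '0.2.2' },
    'node_modules/source-map-resolve': { version: '0.5.3' },
    'node_modules/source-map-resolve/node_modules/decode-uri-component': { version: '0.2.0' },
  },
};

const hits = findVulnerable(sampleLock, 'decode-uri-component', '0.2.2');
for (const h of hits) console.log(`${h.path} -> ${h.version} (below 0.2.2)`);
```

Against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of `sampleLock`; any hit means the stale copy still needs an override or an upstream bump.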