
A high severity vulnerability introduced in simple-hl7

Open ayaka-kms opened this issue 4 years ago • 5 comments

Hi, a vulnerability https://snyk.io/vuln/SNYK-JS-MERGE-1040469 is introduced in simple-hl7 via:
[email protected][email protected][email protected][email protected]


However, watch is a legacy package, which has not been maintained for about 4 years. Is it possible to migrate watch to another package or remove it to remediate this vulnerability?

I noticed a migration record in other js repos for watch:

- in @google/clasp, version 2.3.2 ➔ 2.4.0, Migrate from watch to chokidar via commit
- in forever-monitor, version 1.5.2 ➔ 1.6.0, Migrate from watch to chokidar via commit

Are there any efforts planned that would remediate this vulnerability or migrate watch?

Thanks ; )

ayaka-kms, Aug 24 '21 13:08

Created a PR: https://github.com/hitgeek/simple-hl7/pull/70

jssuttles, Dec 17 '21 23:12

Hi there, is there any update on this issue, or on the open pull requests #70 and #71?

Phlegz, May 18 '22 10:05

I'll take another look at #70.

I'm not aware of any mechanism that this vulnerability could be exploited via this library, so I don't see an urgent need to make any change to this existing version, and I am hesitant to add a new dependency that I have never used and don't really want to maintain if there is an issue.

Version 4 does not use watch and is available in beta on NPM via npm install simple-hl7@next if this "vulnerability" is a problem.

hitgeek, May 18 '22 16:05

Hi there,

First, I'd like to say thanks for this useful project!

I'm currently using your released version 3.2.4 in my POC project. However, it seems we might go and build an actual product out of the POC, so I was wondering about the status of 4.0.0.

When I run yarn audit on my project I get the following security warnings about simple-hl7:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution in merge                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ merge                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ simple-hl7                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ simple-hl7 > watch > exec-sh > merge                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1089985                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Moment.js vulnerable to Inefficient Regular Expression       │
│               │ Complexity                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ moment                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.29.4                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ simple-hl7                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ simple-hl7 > moment                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1095072                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Path Traversal: 'dir/../../filename' in moment.locale        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ moment                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.29.2                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ simple-hl7                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ simple-hl7 > moment                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1095083                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

geezer78, Feb 12 '24 16:02
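The audit output above reports three advisories reached through two transitive paths, and two of them land on the same package with different "Patched in" floors. The following is an added example, not code from simple-hl7 or its maintainers: it walks a constructed, lockfileVersion-1 style dependency tree (hypothetical versions, chosen only to reproduce the paths in the thread) and reports every path ending in a package that is still below the highest floor any advisory sets for it.

```javascript
// Added example, not code from the simple-hl7 project: walk a constructed
// lockfileVersion-1 style tree and flag packages below the advisories' floors.
const advisories = [ // the three advisories from the yarn audit output above
  { id: 1089985, pkg: 'merge', patched: '2.1.1' },
  { id: 1095072, pkg: 'moment', patched: '2.29.4' },
  { id: 1095083, pkg: 'moment', patched: '2.29.2' },
];
// Constructed, hoisted lockfile fragment; the versions are placeholders chosen
// to reproduce the audit paths in the thread, not simple-hl7's real tree.
const lockfile = { dependencies: {
  'simple-hl7': { version: '3.2.4', requires: { watch: '*', moment: '*' } },
  watch: { version: '1.0.0', requires: { 'exec-sh': '*' } },
  'exec-sh': { version: '0.2.0', requires: { merge: '*' } },
  merge: { version: '1.2.0' },
  moment: { version: '2.29.1' },
} };
// Compare plain dotted versions (no pre-release tags); returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Highest "Patched in" version per package: the floor that clears every advisory,
// so moment needs 2.29.4 although the path-traversal fix alone landed in 2.29.2.
function patchedFloors(advs) {
  const floors = {};
  for (const a of advs) {
    if (!floors[a.pkg] || compareVersions(a.patched, floors[a.pkg]) > 0) floors[a.pkg] = a.patched;
  }
  return floors;
}
// Depth-first walk from a top-level package, recording every dependency path
// that ends in a package still below its floor; cycles are cut at a repeat.
function findVulnerablePaths(lock, root, advs) {
  const floors = patchedFloors(advs), deps = lock.dependencies, findings = [];
  const walk = (name, path) => {
    const entry = deps[name];
    if (!entry || path.includes(name)) return;
    const here = [...path, name];
    if (floors[name] && compareVersions(entry.version, floors[name]) < 0) {
      findings.push({ path: here.join(' > '), installed: entry.version, needs: floors[name] });
    }
    for (const child of Object.keys(entry.requires || {})) walk(child, here);
  };
  walk(root, []);
  return findings;
}
```

Against the constructed tree, findVulnerablePaths(lockfile, 'simple-hl7', advisories) returns the merge path (needs 2.1.1) and the moment path (needs 2.29.4), matching the two "Path" rows the audit printed.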

Last time I reviewed these "vulnerabilities" there was no way to remove all of them due to the watch package seemingly being unmaintained. I also didn't see any means to exploit these vulnerabilities via this library, so I chose to leave v3 as is. So while the vulnerabilities may be "high" in general, I don't consider them to be high in the context of this library.

v4, available via npm install simple-hl7@next, has no current vulnerabilities. However, due to the rewrite of the file server to remove the watch dependency, I have this as a new major version. I also added some new features that are currently in a beta state. I don't have any plans to promote v4 to the default version in the near future, due to limited bandwidth to ensure full compatibility or clearly document breaking changes. I'm leaving it up to consumers to choose which to use based on their needs.

If you are working on a new project and need to make sure audit doesn't report anything, I would recommend v4.0.

hitgeek, Feb 12 '24 16:02

v3 and v4 no longer list any vulnerabilities in npm audit.

hitgeek, Jun 14 '24 14:06