
`npm i eslint-config-airbnb-base` results in 4 high severity vulnerabilities

Open livinglogic-nl opened this issue 3 years ago • 7 comments

It seems installing eslint-config-airbnb-base includes some vulnerabilities:

npm uninstall eslint-config-airbnb-base

Output: found 0 vulnerabilities

npm install eslint-config-airbnb-base

Output: 4 high severity vulnerabilities

livinglogic-nl avatar Dec 30 '22 12:12 livinglogic-nl

What are those vulnerabilities?

Note that any "prototype pollution" vulns simply don't apply to usage in an eslint context.

ljharb avatar Dec 30 '22 19:12 ljharb

This is the output of npm audit (apparently it wants me to downgrade from 15.0.0 to 14.2.1 to fix):

Will install [email protected], which is a breaking change
node_modules/json5
  tsconfig-paths  3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
  Depends on vulnerable versions of json5
  node_modules/tsconfig-paths
    eslint-plugin-import  >=2.24.2
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-plugin-import
      eslint-config-airbnb-base  >=15.0.0
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/eslint-config-airbnb-base

I'm not sure how to read this, but it looks like eslint-plugin-import is to blame for at least 3 of those vulnerabilities. 1 of them might still be caused by eslint-config-airbnb-base, but I'm not sure.

I'm assuming you're right about the prototype pollution not being an issue, but it would be great if we somehow could prevent these high severity vulnerabilities from popping up.

Otherwise we get used to red flags in the output, and not notice when something really is dangerous.

livinglogic-nl avatar Dec 30 '22 19:12 livinglogic-nl

json5 v1.0.2 has the fix, and the CVE just needs to be updated.

I agree with you, but since 99.99999% of CVE warnings in the JS ecosystem are false positives like this, it's pretty unavoidable.

ljharb avatar Dec 30 '22 19:12 ljharb

I opened https://github.com/github/advisory-database/pull/1548 in order to get the CVE fixed

BGehrels avatar Jan 02 '23 16:01 BGehrels

@BGehrels no need, https://github.com/github/advisory-database/pull/1541 already exists.

again, the best thing for most people in the industry to do when there's a CVE is nothing. Just wait, things will shake out.

ljharb avatar Jan 02 '23 19:01 ljharb

Any Updates?

radhakrishnaqlik avatar Jan 03 '23 06:01 radhakrishnaqlik

Hey, I'm a newcomer in this project and I would like to contribute.

govind15496 avatar Jan 05 '23 13:01 govind15496

json5 v1.0.2 has been released which fixes this CVE, and the github advisory PR is merged, so just update your lockfiles and you'll be fine.

ljharb avatar Jan 05 '23 18:01 ljharb
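Added example, not code from the thread, the airbnb project or npm: a JavaScript script that reads a package-lock.json `packages` map (lockfileVersion 2 or 3), finds every installed copy of a package, checks each copy against the fixed version for its major line (here json5 1.0.2, the fix named in the thread), and rebuilds the dependency chain that pulls it in, which is the chain the npm audit output above spells out. It serves both the question of how to read that output and the advice to update lockfiles: after `npm update` the same check confirms that no copy below 1.0.2 remains. The lockfile fragment, the `build-helper` package and every version other than 1.0.2 are constructed for illustration.

```javascript
// Added example: audit a package-lock.json "packages" map for copies of one
// dependency and rebuild the chain that pulls each copy in.

// Constructed lockfile fragment modelled on the npm audit tree in the thread.
// Only the json5 fix version (1.0.2) comes from the thread; every other
// version and the "build-helper" package are illustrative.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "demo-app",
      devDependencies: { "eslint-config-airbnb-base": "^15.0.0", "build-helper": "^1.0.0" },
    },
    "node_modules/eslint-config-airbnb-base": { version: "15.0.0", dependencies: { "eslint-plugin-import": "^2.25.0" } },
    "node_modules/eslint-plugin-import": { version: "2.26.0", dependencies: { "tsconfig-paths": "^3.14.1" } },
    "node_modules/tsconfig-paths": { version: "3.14.1", dependencies: { json5: "^1.0.1" } },
    "node_modules/json5": { version: "1.0.1" },                                   // hoisted copy, below the fix
    "node_modules/build-helper": { version: "1.0.0", dependencies: { json5: "^1.0.2" } },
    "node_modules/build-helper/node_modules/json5": { version: "1.0.2" },        // nested copy, already fixed
  },
};

// First fixed version per major line. 1.0.2 is the fix named in the thread;
// other major lines are left out here because the thread does not state them,
// so copies on those lines are reported as "unknown" rather than guessed at.
const JSON5_FIXED = { 1: "1.0.2" };

// Minimal numeric version handling; lockfile "version" fields are exact, so a
// three-part numeric compare is enough (pre-release tags are ignored).
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from an installed path; scoped names keep their "@scope/" prefix.
function nameFromPath(p) {
  const marker = "node_modules/";
  return p.slice(p.lastIndexOf(marker) + marker.length);
}

// Resolve a dependency the way Node does on disk: look for it nested under the
// requiring package, then walk up one node_modules level at a time to the root.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from the root, so every installed path records the first
// (shortest) dependent that reaches it.
function buildParents(packages) {
  const parent = { "": null };
  const queue = [""];
  while (queue.length) {
    const from = queue.shift();
    const entry = packages[from] || {};
    const deps = { ...(entry.dependencies || {}), ...(entry.devDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      const to = resolveDep(packages, from, dep);
      if (to !== null && !(to in parent)) {
        parent[to] = from;
        queue.push(to);
      }
    }
  }
  return parent;
}

// Chain of package names from the top-level dependency down to the target path.
function chainFor(parent, target) {
  const chain = [];
  for (let p = target; p; p = parent[p]) chain.unshift(nameFromPath(p));
  return chain;
}

// Every installed copy of pkgName with its version, the fix for its major line,
// whether it is still below that fix, and the chain that pulls it in.
function auditLock(lock, pkgName, fixedByMajor) {
  const packages = lock.packages || {};
  const parent = buildParents(packages);
  return Object.keys(packages)
    .filter((p) => p !== "" && nameFromPath(p) === pkgName)
    .map((p) => {
      const version = packages[p].version;
      const fixed = fixedByMajor[parseVersion(version)[0]] || null;
      return {
        installedAt: p,
        version,
        fixedVersion: fixed,
        vulnerable: fixed === null ? null : compareVersions(version, fixed) < 0,
        chain: chainFor(parent, p),
      };
    });
}

for (const f of auditLock(SAMPLE_LOCK, "json5", JSON5_FIXED)) {
  const state = f.vulnerable === null ? "unknown" : f.vulnerable ? "VULNERABLE" : "ok";
  console.log(`${state.padEnd(10)} ${f.installedAt}@${f.version}  via ${f.chain.join(" > ")}`);
}
```

Against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of `SAMPLE_LOCK`. Reading the chain top-down gives the same picture as the audit tree above: the package at the top (eslint-config-airbnb-base) only reaches json5 through eslint-plugin-import and tsconfig-paths, so nothing in the config itself needs to change once the lockfile resolves json5 to 1.0.2 or later.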

Hello @ljharb sir,

I have commented earlier in this section but my comment was put in the spam section, like this: "Hey, I'm a newcomer in this project and I would like to contribute." So as you know by that comment, I am a newcomer and I would like to contribute to this project. Please assign me some project or give me something to work on. Thanks

govind15496 avatar Jan 06 '23 15:01 govind15496

@govind15496 ah, sorry - there was nothing for anyone to do here, and those kinds of comments are typically done in a spammy fashion.

In any project that has a "help wanted" or similar label, the best thing to do is just start looking at those. However, this project doesn't often require community contributions, so it's probably not the best one to start on - but if you're interested, I'd start here: https://github.com/airbnb/javascript/issues?q=is%3Aissue+is%3Aopen+label%3A%22pull+request+wanted%22

ljharb avatar Jan 06 '23 17:01 ljharb

Thanks

govind15496 avatar Jan 06 '23 18:01 govind15496