
[@open-wc/eslint-config]: severity vulnerability in `trim-newlines`

Open jarrodek opened this issue 4 years ago • 4 comments

Yesterday I started seeing audit reports like this:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ trim-newlines                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.1 <4.0.0 || >=4.0.1                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @open-wc/eslint-config [dev]                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @open-wc/eslint-config > eslint-plugin-wc >                  │
│               │ validate-element-name > meow > trim-newlines                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1753                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 1162 scanned packages
  1 vulnerability requires manual review. See the full report for details.

If possible, please, update the dependency.

jarrodek, Jun 08 '21 18:06

This vulnerability doesn't affect meow and therefore doesn't affect us. You don't need to worry about it. https://github.com/sindresorhus/meow/pull/185#issuecomment-856523895

Fixing the alert will depend on all the packages in the chain updating to a version that doesn't trigger it. meow and validate-element-name have already been updated, but they also are ESM-only packages now and I don't know if eslint-plugin-wc can move to ESM yet. If that happens then @open-wc/eslint-config can update and resolve the alert, but I don't know if it will happen soon.

stephenwade, Jun 10 '21 22:06
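The finding above is a transitive, dev-only reachability question: is a vulnerable `trim-newlines` reachable from `@open-wc/eslint-config`, and does the installed version fall outside the "Patched in" range `>=3.0.1 <4.0.0 || >=4.0.1`? The script below is an added example, not code from open-wc or from anyone in this thread. It walks a constructed package-lock-style tree that mirrors the reported path (the intermediate package versions are placeholders, and `trim-newlines` is pinned to a constructed 3.0.0 so the finding reproduces), evaluates the patched range with a minimal comparator parser (a hand-written subset of semver, not the `semver` package), and reports each path together with whether it is dev-only, which is exactly the distinction jarrodek has to explain to the security team.

```javascript
// Added example: triage an npm audit finding against a dependency tree.
// Nothing here is from the open-wc project; the tree and versions are constructed.

const ADVISORY = {
  package: 'trim-newlines',
  title: 'Regular Expression Denial of Service',
  patched: '>=3.0.1 <4.0.0 || >=4.0.1', // copied from the audit table above
};

// Constructed package-lock-style tree: name -> { version, dev, requires }.
// Intermediate versions are placeholders; trim-newlines 3.0.0 is chosen to be
// just below the patched range so the finding reproduces.
const LOCK = {
  '@open-wc/eslint-config': { version: '0.0.0', dev: true, requires: ['eslint-plugin-wc'] },
  'eslint-plugin-wc':       { version: '0.0.0', dev: true, requires: ['validate-element-name'] },
  'validate-element-name':  { version: '0.0.0', dev: true, requires: ['meow'] },
  'meow':                   { version: '0.0.0', dev: true, requires: ['trim-newlines'] },
  'trim-newlines':          { version: '3.0.0', dev: true, requires: [] },
};

// Compare two "major.minor.patch" strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(n => parseInt(n, 10));
  const pb = b.split('.').map(n => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range evaluator: "||" separates OR clauses, whitespace separates
// AND comparators inside a clause. Only the operators used by npm audit's
// "Patched in" field are supported.
function satisfies(version, range) {
  return range.split('||').some(clause =>
    clause.trim().split(/\s+/).every(comparator => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comparator);
      if (!m) throw new Error(`unsupported comparator: ${comparator}`);
      const cmp = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '>=': return cmp >= 0;
        case '<=': return cmp <= 0;
        case '>':  return cmp > 0;
        case '<':  return cmp < 0;
        default:   return cmp === 0;
      }
    })
  );
}

// Depth-first walk from `root`, collecting every path that reaches `target`.
// devOnly stays true only while every node on the path is a dev dependency.
function findPaths(lock, root, target) {
  const results = [];
  const walk = (name, path, devOnly) => {
    const node = lock[name];
    if (!node || path.includes(name)) return; // unknown package or cycle
    const nextPath = [...path, name];
    const nextDev = devOnly && node.dev;
    if (name === target) {
      results.push({ path: nextPath, version: node.version, devOnly: nextDev });
      return;
    }
    for (const dep of node.requires) walk(dep, nextPath, nextDev);
  };
  walk(root, [], true);
  return results;
}

// One triage record per reachable path: where it is, whether the installed
// version is already patched, and whether the exposure is dev-only.
function triage(lock, root, advisory) {
  return findPaths(lock, root, advisory.package).map(hit => ({
    ...hit,
    patched: satisfies(hit.version, advisory.patched),
  }));
}

// Stand-alone run: prints the same path the audit table shows.
for (const hit of triage(LOCK, '@open-wc/eslint-config', ADVISORY)) {
  console.log(`${ADVISORY.title}: ${hit.path.join(' > ')}`);
  console.log(`  installed ${hit.version}, patched=${hit.patched}, devOnly=${hit.devOnly}`);
}
```

Against a real project, `LOCK` would be built from `package-lock.json` (the `dependencies` map carries `version`, `dev` and `requires` in lockfile v1) rather than constructed inline; the walk and the range check stay the same. A `devOnly: true` record is the evidence to attach to a risk acceptance, and a `patched: true` record means the alert is stale and the audit database, not the tree, needs to catch up.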

I have to comply with organization standards and each alert like this means tons of messages from the info sec team to fix this and me explaining that this is a dev dependency and not really directly causing a vulnerability. It's not bad, but it is a pain :)

jarrodek, Jun 11 '21 17:06

Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!

stale[bot], Jul 08 '21 08:07

The stale bot may clean up issues for new features that do not gain traction, but of course not for QA issues. Please fix the bot.

sanmai-NL, Jul 08 '21 09:07