
Is it possible to remove the vulnerability introduced by package dot-prop?

Open evansrobert opened this issue 3 years ago • 2 comments

Hi, @stevemao @jimmywarting, I stumbled upon a vulnerability introduced by package [email protected]:

Issue Description

When I build my project, I notice that the vulnerability CVE-2020-8116, detected in package dot-prop (>1.0.1 <4.2.1, >=5.0.0 <5.1.1), is directly referenced by [email protected]. However, [email protected] is so popular that a large number of the latest versions of active and popular downstream projects depend on it (338,465 downloads per week and about 227 downstream projects, e.g., aegir 34.1.0, wbu-design-system 28.0.2, conventional-changelog-sprucelabs 1.1.2, @sprucelabs/semantic-release 4.0.6, ipfs-interop 6.0.0, etc.). In this case, the vulnerability CVE-2020-8116 can be propagated into these downstream projects and expose them to security threats. As you can see, [email protected] is introduced into the above projects via the following package dependency paths: (1) @ef-class/[email protected][email protected][email protected][email protected][email protected][email protected] (2) @uirouter/[email protected][email protected][email protected][email protected] ......

I know that it's kind of you to have removed the vulnerability since [email protected]. But, in fact, the above large amount of downstream projects cannot easily upgrade compare-func from version 1.3.4 to (>=2.0.0): The projects such as conventional-github-releaser and conventional-changelog-ui-router-core, which introduced [email protected], are not maintained anymore. These unmaintained packages can neither upgrade compare-func nor be easily migrated by the large amount of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package [email protected]?

Suggested Solution

Since these inactive projects set a version constraint 1.3.* for compare-func on the above vulnerable dependency paths, if compare-func removes the vulnerability from 1.3.4 and releases a new patched version [email protected], such a vulnerability patch can be automatically propagated into the downstream projects.

In [email protected], maybe you can try to perform the following upgrade: dot-prop ^3.0.0 ➔ ^4.2.1;
Note: [email protected](>=4.2.1 <5.0.0) has fixed the vulnerability CVE-2020-8116.

Thank you for your attention to this issue and welcome to share other ways to resolve the issue.

Best regards, ^_^

evansrobert, Aug 19 '21 07:08
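To check the propagation argument made in the post above, here is an added example (not code from the issue or from the compare-func project): a minimal semver range evaluator covering npm caret ranges, `1.3.*` wildcards and comparator sets (those semantics are assumed), applied to the dot-prop ranges the post quotes. The release list is constructed for illustration and is not dot-prop's real release history.

```python
import re

# CVE-2020-8116 affected ranges as quoted in the issue body
VULN_RANGES = [">1.0.1 <4.2.1", ">=5.0.0 <5.1.1"]

# Constructed sample of dot-prop releases (illustration only, not the real history)
SAMPLE_RELEASES = ["3.0.0", "4.0.0", "4.2.0", "4.2.1", "5.0.0", "5.1.0", "5.1.1", "6.0.0"]


def parse(version):
    return tuple(int(x) for x in version.split("."))


def caret_bounds(version):
    """npm '^x.y.z': >= x.y.z and < next major (for major 0, < next minor)."""
    major, minor, patch = parse(version)
    low = (major, minor, patch)
    high = (major + 1, 0, 0) if major > 0 else (0, minor + 1, 0)
    return low, high


def satisfies(version, rng):
    """True if `version` is accepted by the range string `rng`."""
    v = parse(version)
    rng = rng.strip()
    if rng.startswith("^"):
        low, high = caret_bounds(rng[1:])
        return low <= v < high
    if rng.endswith(".*"):                      # e.g. "1.3.*" -> any 1.3.x
        prefix = parse(rng[:-2])
        return v[:len(prefix)] == prefix
    # space-separated comparator set: every comparator must hold
    for op, ver in re.findall(r"(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)", rng):
        t = parse(ver)
        holds = {">": v > t, ">=": v >= t, "<": v < t, "<=": v <= t,
                 "=": v == t, "": v == t}[op]
        if not holds:
            return False
    return True


def is_vulnerable(dot_prop_version):
    return any(satisfies(dot_prop_version, r) for r in VULN_RANGES)


def range_resolves_safely(rng, releases):
    """True only if every release the range can pick is outside the vulnerable ranges."""
    accepted = [r for r in releases if satisfies(r, rng)]
    return bool(accepted) and not any(is_vulnerable(r) for r in accepted)
```

With the constructed release list, `range_resolves_safely("^3.0.0", SAMPLE_RELEASES)` is False while `range_resolves_safely("^4.2.1", SAMPLE_RELEASES)` is True, and `satisfies("1.3.5", "1.3.*")` shows why a 1.3.x patch release would be picked up automatically.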

@evansrobert feel free to submit a PR

stevemao, Apr 04 '22 10:04

@stevemao https://github.com/stevemao/compare-func/pull/13

JonasDev17, Oct 27 '23 07:10