[Bug?]: Vulnerability introduced through `parse-path` transitive dependency
Self-service
- [X] I'd be willing to implement a fix
Describe the bug
parse-path@4 is vulnerable to Authorization Bypass, and @yarnpkg/plugin-git has a transitive dependency on it, via its dependency on git-url-parse@11. This can be resolved by upgrading to git-url-parse@12.
To reproduce
// Sherlock reproduction: packageJsonAndInstall and expect are globals provided by the playground
const { promises: { readFile } } = require('fs')

await packageJsonAndInstall({
  dependencies: {
    '@yarnpkg/plugin-git': '3.0.0-rc.12'
  }
})

// Fails while the lockfile still resolves any parse-path 4.x release
expect(await readFile('yarn.lock', 'utf8')).not.toContain('parse-path@npm:4')
Environment
System:
OS: macOS 12.4
CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
Binaries:
Node: 16.14.2 - /private/var/folders/82/cn2lb31s5hd572v7x5wkc1vc0000gq/T/xfs-89ab454f/node
Yarn: 4.0.0-rc.7-dev - /private/var/folders/82/cn2lb31s5hd572v7x5wkc1vc0000gq/T/xfs-89ab454f/yarn
npm: 8.9.0 - ~/.nvm/versions/node/v16.14.2/bin/npm
Additional context
No response
Have you verified that this vulnerability affects Yarn or is it just a warning?
I haven't verified. I don't know whether it affects Yarn or not.
Hi! 👋
This issue looks stale, and doesn't feature the reproducible label - which implies that you didn't provide a working reproduction using Sherlock. As a result, it'll be closed in a few days unless a maintainer explicitly vouches for it or you edit your first post to include a formal reproduction (you can use the playground for that).
Note that we require Sherlock reproductions for long-lived issues (rather than standalone git repositories or similar) because we're a small team. Sherlock gives us the ability to check which bugs are still affecting the master branch at any given point, and decreases the amount of code we need to run on our own machines (thus leading to faster bug resolutions). It helps us help you! 😃
If you absolutely cannot reproduce a bug on Sherlock (for example because it's a Windows-only issue), a maintainer will have to manually add the upholded label. Thanks for helping us triage our repository! 🌟