This repository has been archived by the owner on May 23, 2024. It is now read-only.

Memory leak detected in version 1.0.6 by veracode #18

Closed
ccalderon9411 opened this issue Jul 25, 2023 · 12 comments

Comments

@ccalderon9411

Veracode has detected a memory leak vulnerability

@nik750

nik750 commented Aug 4, 2023

Any update on this vulnerability?

@nik750

nik750 commented Aug 4, 2023

Memory Leak: inflight is vulnerable to a Memory Leak. The vulnerability is due to lack of restrictions on how many callbacks the library can concurrently support, which can result in a NodeJS out of heap memory crash.
Still getting this error.

@Cuttsy27

Cuttsy27 commented Aug 7, 2023

Also wondering if this issue persists? Looks like glob up to glob@9 depends on inflight and other packages in our project depend on glob@<9 so we are stuck with the memory leak warnings in CI

@Tedderic

Hello, any update on this?

@krishnamohanparuchuri

Veracode detected a memory leak vulnerability @1.0.6

@rennerg

rennerg commented Aug 22, 2023

Is this repo dead?

@relaxnow

relaxnow commented Aug 29, 2023

In isaacs/node-glob#435 @isaacs mentioned that newer versions of glob >= 9 no longer use inflight.
The remediation for those using older versions of glob would then, presumably, be to upgrade to a newer version.

Sadly, this may not be an option for projects with other transitive dependencies (npmjs.com lists 1628 dependents: https://www.npmjs.com/package/inflight?activeTab=dependents ).
These would all be advised to move away as this library looks to be abandoned.

Unfortunately, in the meantime applications that transitively use this library would need to determine how they are using this library to determine if they are vulnerable.
Note that the impact of this would be a Denial of Service but would require an attacker to trigger many requests (we were able to reproduce this with millions of simple requests, which may be fewer in other cases).

It looks like @GreihMurray has been working on using an arbitrary limit of 500 concurrent requests: main...GreihMurray:inflight-fork:main .
This might help but would need to be tested. Also 500 requests may not be enough for some purposes and I'm not sure what happens > 500 requests.

Maybe someone else (more familiar with how this is used) could help out here and provide a PR / fixed fork?

@GreihMurray

In isaacs/node-glob#435 @isaacs mentioned that newer versions of glob >= 9 no longer use inflight.
The remediation for those using older versions of glob would then, presumably, be to upgrade to a newer version.

Sadly, this may not be an option for projects with other transitive dependencies (npmjs.com lists 1628 dependents: https://www.npmjs.com/package/inflight?activeTab=dependents ).
These would all be advised to move away as this library looks to be abandoned.

Unfortunately, in the meantime applications that transitively use this library would need to determine how they are using this library to determine if they are vulnerable.
Note that the impact of this would be a Denial of Service but would require an attacker to trigger many requests (we were able to reproduce this with millions of simple requests, which may be fewer in other cases).

It looks like @GreihMurray has been working on using an arbitrary limit of 500 concurrent requests: main...GreihMurray:inflight-fork:main .
This might help but would need to be tested. Also 500 requests may not be enough for some purposes and I'm not sure what happens > 500 requests.

Maybe someone else (more familiar with how this is used) could help out here and provide a PR / fixed fork?

I've done a few basic tests to try and remedy this with no success. 500 was an arbitrary number which I just selected more or less at random while testing. Unfortunately I am unable to get it to work and would agree that the best practice is likely to upgrade other dependencies where possible.
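The following is an added illustration of the behaviour described in this thread (an unbounded per-key callback list, and the idea of capping it at a fixed number of concurrent callers). It is example code written for this page, not code from the inflight package, from glob, or from the fork linked above. The `inflight(key, cb)` shape mirrors the library's public signature; the cap value, the `EINFLIGHTLIMIT` error code and the `simulateBurst` helper are assumptions of this example.

```javascript
'use strict';

// Unbounded variant: mirrors what the Veracode finding describes. Every caller
// for a key whose operation has not yet completed is simply appended to the
// callback list, so a burst of callers for one slow key grows the heap without
// limit until the process runs out of memory.
function makeUnboundedInflight() {
  const pending = new Map(); // key -> array of callbacks waiting on that key

  function inflight(key, cb) {
    const cbs = pending.get(key);
    if (cbs) {
      cbs.push(cb); // no cap: this is the growth the issue reports
      return null;  // null tells the caller not to start the operation again
    }
    pending.set(key, [cb]);
    // The first caller gets the function to hand to the real operation.
    return function done(...args) {
      const waiting = pending.get(key) || [];
      pending.delete(key);
      for (const fn of waiting) fn(...args);
    };
  }
  inflight.waiting = (key) => (pending.get(key) || []).length;
  inflight.rejected = () => 0;
  return inflight;
}

// Bounded variant (assumed hardening, not the library's own fix): once `limit`
// callbacks are queued for a key, further callers are failed fast with an error
// instead of being queued. Memory stays bounded and the overload is visible to
// the caller, so it can be logged or counted rather than silently absorbed.
function makeBoundedInflight(limit) {
  const pending = new Map();
  let rejected = 0;

  function inflight(key, cb) {
    const cbs = pending.get(key);
    if (cbs) {
      if (cbs.length >= limit) {
        rejected += 1;
        const err = new Error(`inflight: more than ${limit} callbacks queued for key ${key}`);
        err.code = 'EINFLIGHTLIMIT'; // assumed error code for this example
        process.nextTick(cb, err);    // deliver asynchronously, like a normal callback
        return null;
      }
      cbs.push(cb);
      return null;
    }
    pending.set(key, [cb]);
    return function done(...args) {
      const waiting = pending.get(key) || [];
      pending.delete(key);
      for (const fn of waiting) fn(...args);
    };
  }
  inflight.waiting = (key) => (pending.get(key) || []).length;
  inflight.rejected = () => rejected;
  return inflight;
}

// Constructed scenario: `n` callers ask for the same key while the underlying
// operation is still running, then the operation completes once. Returns how
// many callbacks were held in memory at the peak, how many received the result
// synchronously when `done` fired, and how many were rejected by the cap.
function simulateBurst(inflight, key, n) {
  const results = [];
  let done = null;
  for (let i = 0; i < n; i++) {
    const d = inflight(key, (err, value) => results.push(err ? err.code : value));
    if (d) done = d;
  }
  const queued = inflight.waiting(key);
  if (done) done(null, 'ok'); // the slow operation finally completes
  return { queued, delivered: results.length, rejected: inflight.rejected() };
}

if (typeof require !== 'undefined' && require.main === module) {
  const key = 'fs:read:/tmp/example'; // constructed key
  console.log('unbounded:', simulateBurst(makeUnboundedInflight(), key, 10000));
  console.log('bounded(500):', simulateBurst(makeBoundedInflight(500), key, 10000));
}
```

With 10,000 callers for one key the unbounded variant holds all 10,000 callbacks until the operation completes, while the capped variant holds 500 and fails the other 9,500 fast. The cap itself is a policy choice: as noted above, 500 may be too low for some workloads, and a caller that receives `EINFLIGHTLIMIT` has to be prepared to retry or report the error rather than assume the result will eventually arrive.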

OhmSpectator added a commit to uncovering-world/track-your-regions that referenced this issue Dec 3, 2023
…ersion.

Addressed a security vulnerability linked to older versions of the `glob`
package, as discussed in isaacs/inflight-DEPRECATED-DO-NOT-USE#18.
By setting the `glob` version to `10.3.10` in the overrides section of backend
`package.json` file, this commit resolves the issue by ensuring a safer
updated version of `glob` is used throughout the project.

Signed-off-by: Nikolay Martyanov <[email protected]>
OhmSpectator added a commit to uncovering-world/track-your-regions that referenced this issue Dec 3, 2023
…version.

Addressed a security vulnerability linked to older versions of the `glob`
package, as discussed in isaacs/inflight-DEPRECATED-DO-NOT-USE#18.
By setting the `glob` version to `10.3.10` in the overrides section of frontend
`package.json` file, this commit resolves the issue by ensuring a safer
updated version of `glob` is used throughout the project.

Signed-off-by: Nikolay Martyanov <[email protected]>
OhmSpectator added a commit to uncovering-world/track-your-regions that referenced this issue Dec 4, 2023
…ersion.

Addressed a security vulnerability linked to older versions of the `glob`
package, as discussed in isaacs/inflight-DEPRECATED-DO-NOT-USE#18.
By setting the `glob` version to `10.3.10` in the overrides section of backend
`package.json` file, this commit resolves the issue by ensuring a safer
updated version of `glob` is used throughout the project.

Signed-off-by: Nikolay Martyanov <[email protected]>
OhmSpectator added a commit to uncovering-world/track-your-regions that referenced this issue Dec 4, 2023
…version.

Addressed a security vulnerability linked to older versions of the `glob`
package, as discussed in isaacs/inflight-DEPRECATED-DO-NOT-USE#18.
By setting the `glob` version to `10.3.10` in the overrides section of frontend
`package.json` file, this commit resolves the issue by ensuring a safer
updated version of `glob` is used throughout the project.

Signed-off-by: Nikolay Martyanov <[email protected]>
@thetumper

thetumper commented Dec 7, 2023

If anyone is seeing this transitively due to usage of pino-pretty, I entered an issue there:
mcollina/help-me#17

And related PR to fix:
mcollina/help-me#18

Please give those a thumbs up if you are affected. Thanks!

@0xSmiley

Any update on this?

@isaacs
Owner

isaacs commented Mar 5, 2024

@0xSmiley No

@isaacs
Owner

isaacs commented May 23, 2024

#5 (comment)
