CVE-2023-45853 (zlib) found on main

[github-actions]

A new vulnerability for zlib 1.2.13.1-motley was found:
Vulnerability ID: CVE-2023-45853
Vulnerability URL: https://nvd.nist.gov/vuln/detail/CVE-2023-45853
Failed run: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/6581614069

[Neustradamus]

Linked to:

• Please release 1.3.1 to fix CVE-2023-45853 (9.8 CRITICAL) madler/zlib#868

[richardlau]

I'm fairly certain that Node.js is not using/exposing minizip -- there are no references to minizip in deps/zlib/zlib.gyp. We don't provide zip support in Node.js (although it has been requested (nodejs/node#45434)).

In any case we're using the chromium fork of zlib, updated weekly (every Sunday with commits that were made up to the prior Friday): tools/dep_updaters/update-zlib.sh

[Neustradamus]

@richardlau: Can you look for zlib 1.3.0 (2023-08-18):

• https://github.com/madler/zlib/releases

[richardlau]

@richardlau: Can you look for zlib 1.3.0 (2023-08-18):

* https://github.com/madler/zlib/releases

🤷. Node.js has two copies of the chromium fork of zlib (see nodejs/node#33848 and nodejs/node#47493). Porting patches across from non-forked zlib is going to be problematic as we have weekly automation running, that syncs from the chromium zlib fork every week, which would overwrite any patches we make.

Node.js used to use zlib from https://github.com/madler/zlib/ but it was switched out for the chromium fork for performance reasons: nodejs/node#31201

You can see the current chromium fork of zlib: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/third_party/zlib/
We don't control that.