Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cli/package-lock.json forces insecure minimatch 3.0.4 #1696

Closed
davidcopp opened this issue Mar 4, 2022 · 2 comments · Fixed by #1704
Closed

cli/package-lock.json forces insecure minimatch 3.0.4 #1696

davidcopp opened this issue Mar 4, 2022 · 2 comments · Fixed by #1704

Comments

@davidcopp
Copy link

davidcopp commented Mar 4, 2022

protobuf.js version: 6.11.2

Upon installing the package, the cli subpackage brings in (via transitive dep) minimatch 3.0.4. This version has been flagged with a security vulnerability. A version 3.0.5 (or higher) resolves the vulnerability, but cannot be installed via npm update due to cli/package-lock.json.

At this time the latest 3.x version is minimatch 3.1.2.

  • Vulnerability reported by JFrog Xray: XRAY-198521
  • Vulnerable Component: minimatch:3.0.4
  • Severity: High
  • CVSS Score: 4.3 (v2) 7.5 (v3)
  • Fix version: 3.0.5
  • Summary: minimatch minimatch.js braceExpand() Function Improper Regular Expression DoS
  • Description: minimatch contains a flaw in the braceExpand() function in minimatch.js that is triggered as an improper regular expression is used to match patterns for brace expansion. This may allow a context-dependent attacker to hang or slow down a Node process using the library.
# in a dummy 't' project where protobufjs is the only installed package...

$ npm ls minimatch
[email protected] (...omitted path...)/t
└── (empty)

$ cd node_modules/protobufjs/cli
$ npm ls minimatch
[email protected] (...omitted path...)/t/node_modules/protobufjs/cli
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]
richgerrard added a commit to richgerrard/protobuf.js that referenced this issue Mar 31, 2022
If I follow this, glob packages minimatch.  Minimatch released a fix, glob also has a newer build, picking this up should pick up that.
Fixes protobufjs#1696
Fixes protobufjs#1697
Fixes protobufjs#1698
@hi-artem
Copy link

hi-artem commented May 4, 2022

Maintainers, any update on this?

alexander-fenster added a commit that referenced this issue May 20, 2022
* Patch minimatch vulnerability

If I follow this, glob packages minimatch.  Minimatch released a fix, glob also has a newer build, picking this up should pick up that.
Fixes #1696
Fixes #1697
Fixes #1698

* chore: update lockfile

Co-authored-by: Alexander Fenster <[email protected]>
@perez-rob
Copy link

i just got flagged that one of my repo's had this and now I can't see that repo anymore. Does GH delete repos with such vulnerabilities?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants