
Diagnostics package creates transient dependency related to CVE-2021-29060 #1995

Closed
1 of 2 tasks
rcollette opened this issue Dec 21, 2021 · 5 comments

Comments

@rcollette

Please tell us about your environment:

  • winston version?
    • winston@2
    • winston@3

What is the problem?

Winston has a transient dependency on [email protected], which has a ReDoS advisory, CVE-2021-29060.

└─┬ [email protected]
  └─┬ @dabh/[email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected] 

What do you expect to happen instead?

The diagnostics package has not been updated in three years; it may be time to consider an alternative, forking and inlining, etc.

@wbt wbt mentioned this issue Dec 23, 2021
@wbt
Contributor

wbt commented Dec 23, 2021

Tagging @DABH as a possibly easier PR route might be an update to that package.

@DABH
Contributor

DABH commented Dec 23, 2021

If we can fix DABH/diagnostics (which I own) — if anyone wants to make a PR for that, for example — I can merge that and we can update the direct dependency in Winston. Or if the community has a strong preference for an alternative (and especially if a PR can be prepared to replace diagnostics with that), then that is fine too.

@wbt
Contributor

wbt commented Jan 7, 2022

The issue was fixed in the color package in this commit July 17, 2021 which made it into [email protected] (same date), a few days before the security advisory was published. Colorspace updated its dependency on color from 3.0.x to ^3.1.3 (which addresses the issue even if not obvious at first glance) in this commit the day after the release of the advisory. That was released as 1.1.3 on Aug. 25. @dabh/diagnostics has its dependency on colorspace set to 1.1.x, so an 'npm audit fix' should update the version of colorspace used by @dabh/diagnostics to one without the vulnerability.

Therefore, I don't think any PR or code change is actually needed here.

While I agree that it's not great to have a dependency on a package that has suffered from lack of maintenance for so long, and might classify that as an issue for another repo with a completely different maintenance team, this package (Winston) has the exact same issue for the exact same reasons involving the exact same core maintainer, so I wouldn't classify that as an issue for Winston.

What do you think, @rcollette? Should we close this Issue?
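As an added illustration of the range reasoning in the comment above (example code, not from winston or diagnostics): a minimal semver matcher for the three range shapes named there (`1.1.x`, `3.0.x`, `^3.1.3`), applied to a constructed registry state in which the older colorspace 1.1.x release is assumed to be 1.1.2 and color has an assumed 3.1.2 release before the fixed 3.1.3.

```javascript
// Minimal semver range check covering only the shapes in the discussion:
// exact "a.b.c", wildcard "a.b.x", and caret "^a.b.c" (0.x caret rules omitted).
function parse(v) { return v.split('.').map(Number); }
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function satisfies(version, range) {
  const v = parse(version);
  if (range.startsWith('^')) {          // ^a.b.c: >= a.b.c, same major
    const lo = parse(range.slice(1));
    return v[0] === lo[0] && cmp(v, lo) >= 0;
  }
  if (range.endsWith('.x')) {           // a.b.x: same major and minor, any patch
    const [maj, min] = range.split('.').map(Number);
    return v[0] === maj && v[1] === min;
  }
  return cmp(v, parse(range)) === 0;    // exact pin
}

// Highest published release a range admits: what `npm audit fix` can move to.
function highestAllowed(range, available) {
  return available
    .filter(ver => satisfies(ver, range))
    .sort((a, b) => cmp(parse(a), parse(b)))
    .pop() || null;
}

// Constructed registry state (assumption, not a real registry snapshot):
// colorspace 1.1.3 declares color ^3.1.3; the earlier 1.1.x release declared 3.0.x.
const COLORSPACE_RELEASES = { '1.1.2': { color: '3.0.x' }, '1.1.3': { color: '^3.1.3' } };
const COLOR_RELEASES = ['3.0.0', '3.1.2', '3.1.3'];
const FIXED_COLOR = '3.1.3'; // release carrying the ReDoS fix

// Given diagnostics' declared range on colorspace, does resolution reach a fixed color?
function resolvesToFixedColor(colorspaceRange) {
  const cs = highestAllowed(colorspaceRange, Object.keys(COLORSPACE_RELEASES));
  if (!cs) return { colorspace: null, color: null, fixed: false };
  const color = highestAllowed(COLORSPACE_RELEASES[cs].color, COLOR_RELEASES);
  const fixed = color !== null && cmp(parse(color), parse(FIXED_COLOR)) >= 0;
  return { colorspace: cs, color, fixed };
}
```

A `1.1.x` range on colorspace reaches color 3.1.3 without any code change in diagnostics, whereas an exact pin on the older colorspace release stays on the 3.0.x line.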

@wbt
Contributor

wbt commented Jan 10, 2022

For reference, this is the commit where we switched to using a fork of the diagnostics package, to avoid requiring git for installs on Docker images.

@rcollette
Author

@wbt - I think with 3.3.4 released, this issue can be closed.

@DABH DABH closed this as completed Jan 10, 2022
rcollette referenced this issue in Marak/colors.js Jan 10, 2022