A high severity vulnerability introduced in your package #995
Comments
|
Thanks for the issue! It's seems like a straightforward solution is to simply update However, I'm not sure how to release patch version to a previous major release using |
|
@iiroj Thanks for your feedback and help. |
|
I think creating a branch from a latest tagged version in question could work as expected with semantic release. |
|
@okonet Thanks a lot. |
|
According to the semantic-release guide here, I pushed a 8.x branch here: https://github.com/okonet/lint-staged/tree/8.x. However, version 8 still used Travis for the CI integration so this will essentially do nothing. I guess the easiest would be for you to locally make the version by checking out the branch and running What do you think, @okonet? |
|
Yep that makes sense |
|
So, any update? Is there a v8 release with the fixes? Are you still trying to get the Travis CI setup up and running again? Was this declined and no fix will be provided? An update would be really nice. :) |
|
I don't have permissions to publish myself, so @okonet would have to do it. |
|
Hello! @okonet would it be possible to release a I will try to temporally point the package to the Thank you! 🙌🏻 |
|
Please update to latest. We don't support old releases since it's too much effort. |
|
Can this be closed? |
Hi, @iiroj @okonet, I’d like to report a vulnerability introduced in your package lint-staged:
Issue Description
A vulnerability CVE-2020-7707 detected in package property-expr<2.0.3 is transitively referenced by lint-staged@8.2.1. We noticed that such a vulnerability has been removed since lint-staged@9.0.0.
However, lint-staged's popular previous version lint-staged@8.2.1 (193,100 downloads per week) is still transitively referenced by a large amount of latest versions of active and popular downstream projects (about 162 downstream projects, e.g., @burst/cli 0.0.176, infini 0.2.15, cx-builder 0.0.53-54, wci-build 3.1.0, @ac-ui/react-components 2.0.6, @lenanpm/for9a@0.1.0, etc.).
As such, issue CVE-2020-7707 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade lint-staged from version 8.2.1 to (>=9.0.0). For instance, lint-staged@8.2.1 is introduced into the above projects via the following package dependency paths:
(1)
@lenanpm/for9a@0.1.0 ➔ react-imgpro@1.4.1 ➔ lint-staged@8.2.1 ➔ yup@0.27.0 ➔ property-expr@1.5.1......
The projects such as react-imgpro, which introduced lint-staged@8.2.1, are not maintained anymore. These unmaintained packages can neither upgrade lint-staged nor be easily migrated by the large amount of affected downstream projects.
On behalf the downstream users, could you help us remove the vulnerability from package lint-staged@8.2.1?
Suggested Solution
Since these inactive projects set a version constaint 8.2.* for lint-staged on the above vulnerable dependency paths, if lint-staged removes the vulnerability from 8.2.1 and releases a new patched version lint-staged@8.2.2, such a vulnerability patch can be automatically propagated into the 162 affected downstream projects.
In lint-staged@8.2.2, you can kindly try to perform the following upgrade:
yup ^0.27.0 ➔ ^0.28.2;Note:
yup@0.28.2(>=0.28.2) directly depends on property-expr@2.0.4 (a vulnerability CVE-2020-7707 patched version)
Thank you for your contributions.
Best regards,
Paimon
The text was updated successfully, but these errors were encountered: