
Resolve security vulnerabilities in regex dependencies. #3154

Closed
jstirnaman opened this issue Sep 21, 2021 · 4 comments · Fixed by #3750

jstirnaman (Contributor)

Dependabot detected regex libraries with vulnerabilities. Update dependencies if possible.

jstirnaman (Contributor, Author)

Dismissed the alerts for now. I submitted them as issues to https://github.com/postcss/postcss-cli. The vulnerabilities are due to postcss-cli's dependencies. Everything else uses later versions of the regex packages. Options: 1) Since they're dev dependencies, ignore them for now until postcss-cli is updated or raises more problems, 2) remove dependencies from package.json and go back to manual installation.

@kelseiv kelseiv added the Pending more info Waiting on response from requester or other team label Oct 4, 2021
jdstrand (Contributor) commented Jan 25, 2022

This issue isn't in postcss-cli, but in find-versions pulled in from hugo-extended. E.g.:

```
$ yarn why semver-regex
...
=> Found "[email protected]"
info Reasons this module exists
   - "hugo-extended#bin-wrapper#bin-version-check#bin-version#find-versions" depends on it
   - Hoisted from "hugo-extended#bin-wrapper#bin-version-check#bin-version#find-versions#semver-regex"
```

find-versions is updated for semver-regex in 5.0.0. bin-version 6.0.0 specifies find-versions 5.0.0. bin-version-check 5.0.0 specifies bin-version 6.0.0. bin-wrapper has not been updated for bin-version and bin-version-check: https://github.com/kevva/bin-wrapper/blob/master/package.json#L27. Unfortunately, bin-wrapper seems unmaintained: kevva/bin-wrapper#79.

Fortunately, this commit to hugo-extended removes the bin-wrapper dependency: jakejarvis/hugo-extended@d87c63f#diff-053150b640a7ce75eff69d1a22cae7f0f94ad64ce9a855db544dda0929316519. This should resolve itself after upgrading to https://github.com/jakejarvis/hugo-extended/tree/v0.84.0. I suggest upgrading to at least https://github.com/jakejarvis/hugo-extended/commits/v0.92.0 though since it resolves other dependencies.
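The two comments above work the dependency question out by hand: which chain pulls the flagged package in, whether the copy is behind the version that carries the fix, and whether it is reachable only through dev dependencies. The script below is an added example, not code from this issue or from hugo-extended, bin-wrapper, find-versions or any other project named in the thread. It walks a tree in the shape `npm ls --json` prints (`name` / `version` / nested `dependencies`, plus the `dev: true` flag that npm 7+ is assumed to set on dev-only packages) and answers those three questions for any package name. The package names in the sample tree follow the chain quoted in the `yarn why` output; every version number, the `fixedIn` value, the root package `docs-site` and the sibling `some-prod-tool` are constructed placeholders, not the real advisory ranges or the repository's real dependencies.

```javascript
// Added example (not from the issue or any project it names): answer
// "why does this package exist, is it below the fix, and is it dev-only"
// over an `npm ls --json`-shaped tree. Version numbers, `fixedIn` and the
// root/sibling package names in SAMPLE_TREE are hypothetical placeholders.

"use strict";

// Compare two plain dotted versions (no prerelease or build tags; that is
// enough for the resolved versions this example is built for).
// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk returning every occurrence of `target`: the chain of
// package names that pulls it in (root omitted, joined with '#' like yarn
// why), the resolved version, and whether it is reachable only through a
// dev dependency. The dev flag propagates downward: anything under a
// dev-only package is itself dev-only.
function findPaths(tree, target) {
  const hits = [];
  const walk = (node, chain, devOnly) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const isDev = devOnly || child.dev === true; // `dev` assumed as npm 7+ emits it
      const path = chain.concat(name);
      if (name === target) {
        hits.push({ path: path.join("#"), version: child.version, devOnly: isDev });
      }
      walk(child, path, isDev);
    }
  };
  walk(tree, [], false);
  return hits;
}

// Keep only the copies strictly older than the version carrying the fix.
function vulnerableCopies(tree, target, fixedIn) {
  return findPaths(tree, target).filter(h => compareVersions(h.version, fixedIn) < 0);
}

// Verdict in the terms the thread uses: how many copies exist, how many are
// still vulnerable, whether every vulnerable copy is dev-only, and which
// top-level package(s) need the upgrade.
function triage(tree, target, fixedIn) {
  const bad = vulnerableCopies(tree, target, fixedIn);
  return {
    total: findPaths(tree, target).length,
    vulnerable: bad.length,
    devOnly: bad.length > 0 && bad.every(h => h.devOnly),
    topLevelOffenders: [...new Set(bad.map(h => h.path.split("#")[0]))],
  };
}

// Constructed sample tree: the chain from the yarn why output, plus one
// hypothetical production dependency that already resolves a newer copy.
const SAMPLE_TREE = {
  name: "docs-site", // hypothetical root
  version: "1.0.0",
  dependencies: {
    "hugo-extended": {
      version: "0.83.0", dev: true, // hypothetical version
      dependencies: {
        "bin-wrapper": { version: "4.1.0", dependencies: {
          "bin-version-check": { version: "4.0.0", dependencies: {
            "bin-version": { version: "5.0.0", dependencies: {
              "find-versions": { version: "4.0.0", dependencies: {
                "semver-regex": { version: "3.1.2" } } } } } } } } },
      },
    },
    "some-prod-tool": { // hypothetical production dependency
      version: "2.0.0",
      dependencies: { "semver-regex": { version: "3.1.9" } },
    },
  },
};

// "3.1.4" stands in for whatever version the advisory names as fixed.
console.log(JSON.stringify(triage(SAMPLE_TREE, "semver-regex", "3.1.4"), null, 2));
```

In practice you would feed it real output (`npm ls --all --json`, parsed with `JSON.parse`) and the fixed version from the advisory; with the constructed tree it reports two copies, one vulnerable, confined to dev dependencies, with `hugo-extended` as the package to upgrade, which is the conclusion the comments above reach by reading the chain manually.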

jdstrand (Contributor) commented Feb 1, 2022

@jstirnaman - hey, were you able to test the updated hugo-extended?

XhmikosR commented Feb 9, 2022

@jstirnaman if you are confident about your updates, I'm happy to accept a PR upstream in hugo-bin. Or, if someone's up to it, pick up my patches and release scoped versions (kevva/bin-wrapper#79 (comment)) so that everyone benefits from it :)

BTW I have a testing branch with my forks https://github.com/fenneclab/hugo-bin/tree/dev-packages which fixes all security vulns and slightly reduces the deps:

main

```
C:\Users\xmr\Desktop\hugo-bin>npm i --production

> [email protected] postinstall
> rimraf vendor && node lib/install.js

Hugo binary successfully installed!

added 169 packages, and audited 170 packages in 6s

15 packages are looking for funding
  run `npm fund` for details

5 moderate severity vulnerabilities
```

dev-packages

```
C:\Users\xmr\Desktop\hugo-bin>npm i --production

> [email protected] postinstall
> rimraf vendor && node lib/install.js

Hugo binary successfully installed!

added 162 packages, and audited 163 packages in 5s

37 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
```
