Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Critical Security Patch url-parse 1.5.10 #674

Closed
suhail-n opened this issue Mar 9, 2022 · 12 comments
Closed

Critical Security Patch url-parse 1.5.10 #674

suhail-n opened this issue Mar 9, 2022 · 12 comments

Comments

@suhail-n
Copy link
Contributor

suhail-n commented Mar 9, 2022

Problem

The current url-parse version 1.5.3 has the following critical vulnerabilities CVE-2022-0691, and CVE-2022-0686

Fix

This problem has been resolved in [email protected]

Change package.json from

 "dependencies": {
    "bitsyntax": "~0.1.0",
    "bluebird": "^3.7.2",
    "buffer-more-ints": "~1.0.0",
    "readable-stream": "1.x >=1.1.9",
    "url-parse": "~1.5.3"
  },

to:

 "dependencies": {
    "bitsyntax": "~0.1.0",
    "bluebird": "^3.7.2",
    "buffer-more-ints": "~1.0.0",
    "readable-stream": "1.x >=1.1.9",
    "url-parse": "~1.5.10"
  },
@tbreeding
Copy link

I updated it locally and ran the tests and they all passed.

@michal-ayash
Copy link

We're blocked on that issue. Do you have ETA?

@suhail-n
Copy link
Contributor Author

We're blocked on that issue. Do you have ETA?

On your project try the command npm update url-parse

This shouldn't create any breaking changes. I applied this fix for my project and now I'm waiting for the fix to be applied to amqplib.

@davidsousa5
Copy link

We're blocked on that issue. Do you have ETA?

On your project try the command npm update url-parse

This shouldn't create any breaking changes. I applied this fix for my project and now I'm waiting for the fix to be applied to amqplib.

Do you have any idea when do you will release a new version with a fix for this issue?

@michal-ayash
Copy link

michal-ayash commented Mar 20, 2022
edited
Loading

Any update??

@kibertoad
Copy link
Collaborator

kibertoad commented Mar 20, 2022
edited
Loading

This PR is blocked by CI failing. Anyone who could contribute fix for that would be very welcome.

@suhail-n
Copy link
Contributor Author

If anyone needs the fix right away, I published a fork with the fix on NPM

Installation

npm i @suhailn/amqplib

Usage

const amqplib = require('@suhailn/amqplib')

Pull Request

I also went and published my pull request in PR-675

@suhail-n
Copy link
Contributor Author

The change has been merged in. See PR-675

@michal-ayash
Copy link

@suhail-n, we need the fix in the original branch. any ETA?

@michal-ayash
Copy link

@suhail-n as we need the formal npm package and not this fork - I opened a new issue here, please handle that and don't close until you fix this in the original branch

@suhail-n
Copy link
Contributor Author

The change should be in main branch. My merge was successful. That's why I closed it.

@michal-ayash
Copy link

thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@kibertoad @suhail-n @tbreeding @michal-ayash @davidsousa5