ReDoS in unmaintained path-parse dependency

[TayHobbs]

path-parse has a security vulnerability that has been reported but not fixed in two years (jbgutierrez/path-parse#8). Additionally, it still has not enabled 2fa. Is it possible for this project to remove path-parse as a dependency or move to a new library?

Thank you!

[ljharb]

How can you possibly know if it’s enabled 2FA?

For the record, i don’t consider this a vulnerability in path-parse or in resolve - if you are using resolve with unsanitized user-created paths, hen you have the vulnerability.

Do you have an alternative library to suggest?

[TayHobbs]

Apologies, meant to link this issue in my initial comment: jbgutierrez/path-parse#5 is what I'm using as my basis for not having 2FA.

Potentially parse-path which looks well-maintained and the documentation says it works with local paths or native node.js path.parse.

Resolve is a dependency of a dependency in our projects and path-parse showed up as a moderate security vulnerability in our report. We are looking to reduce our security vulnerability report to as low as possible. As I did not see any issues referencing the unmaintained dependency in this project, I thought I would make an issue to alert the maintainers.

Thank you for your time

[ljharb]

That has a lot of dependencies - and two of them are query string parsers. I'd prefer to find something simpler. We also need to retain node compatibility < v0.6.

In your report, is there a link to a public CVE or vulnerability report? or is there just that one issue?

Either way, you could use (once they exist) npm overrides to replace path-parse with require('path').parse if you know you have a newer node version.

[TayHobbs]

Our report just points to that issue. Thank you for the guidance, we'll work with that and create an exception for path-parse if resolve is not concerned with it.

[ljharb]

I don't think it's a legitimate security concern, no - but if there's an easy way to avoid false positive warnings like this, I'm happy to accept such a change.

[TayHobbs]

I think the easiest fix is for path-parse to address or close the issue so it doesn't show up in reports, but that is not something resolve can fix. At this point, I think we can close this issue based on our discussion.

[alasdairhurst]

The public CVE for this issue is https://nvd.nist.gov/vuln/detail/CVE-2021-23343

[modestfake]

We also need to retain node compatibility < v0.6.

@ljharb just curious, why do you want to support < v0.6? Current LTS versions of Node.js are 12 and 14.

[ljharb]

For one, because we already do, and it would be semver-major to drop it.

Separately, LTS status is irrelevant; just because node won’t support it doesn’t mean package authors shouldn’t.

[ljharb]

v1.0.7 of path-parse should address the vulnerability.