
rc is unhealthy dependency #146

Closed
KillyMXI opened this issue Dec 15, 2020 · 2 comments

Comments

@KillyMXI

The rc package seems to have been abandoned by its author years ago and doesn't get security updates: https://github.com/dominictarr/rc/issues

If it can't be brought back to life then it would be better to replace it with something else.

@stieben

stieben commented Apr 6, 2021

tl;dr: I suggest replacing the rc dependency with the fork run-con.

GitHub has published an advisory on 10 Dec 2020 (CVE-2020-7788):

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

The latest version of rc (currently 3 years old) – and by extension the latest version of markdownlint-cli – uses a version of ini below 1.3.6 and is thus affected by the vulnerability. The maintainer of rc, @dominictarr, has expressed 2 months ago that he will not update his rc package to use a newer version of ini – which confirms that rc is indeed an unhealthy dependency.

@goatandsheep has created the fork run-con that looks like a viable alternative.

DavidAnson added a commit that referenced this issue Apr 6, 2021
@stieben

stieben commented Apr 7, 2021

I have to correct my previous comment that was based on a wrong understanding of semver. The ini version in the latest rc is defined as ~1.3.0 which is equivalent to 1.3.x, so there should actually be no need for an update of rc, at least in the context of the Prototype Pollution vulnerability mentioned above. Sorry for that.

Switching to the fork may still be the better option because its maintainer looks more eager to maintain it.
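The semver point in the previous comment, as an added example that is not part of this thread and not code from npm, rc or run-con: the tilde rule as npm's semver documents it, `~x.y.z := >=x.y.z <x.(y+1).0`, applied to rc's declared `ini` range `~1.3.0` and the first fixed release `1.3.6`. The function names and the `auditRange` helper are constructed for this demo; it handles only plain `x.y.z` versions and `~x.y[.z]` ranges (no prerelease tags, carets or comparator sets).

```javascript
// Added example (not from this thread, nor from npm or the rc project):
// the tilde-range rule ~x.y.z := >=x.y.z <x.(y+1).0 applied to the ini
// range declared in rc. Only x.y.z versions and ~x.y[.z] ranges are handled.

function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  if (!m) throw new Error(`unsupported version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// ~1.3.0 -> [1.3.0, 1.4.0) and ~1.3 -> [1.3.0, 1.4.0): patch may float, minor may not.
function tildeBounds(range) {
  const m = /^~(\d+)\.(\d+)(?:\.(\d+))?$/.exec(String(range).trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const major = Number(m[1]);
  const minor = Number(m[2]);
  const patch = m[3] === undefined ? 0 : Number(m[3]);
  return { min: `${major}.${minor}.${patch}`, maxExclusive: `${major}.${minor + 1}.0` };
}

function satisfiesTilde(range, version) {
  const { min, maxExclusive } = tildeBounds(range);
  return compareVersions(version, min) >= 0 && compareVersions(version, maxExclusive) < 0;
}

// For a declared range and the first patched release, answer the two
// questions an audit needs: can a fresh install resolve to the fix, and
// does the range still admit versions below it (which a lockfile or an
// old node_modules can keep in place)?
function auditRange(range, firstFixed) {
  const { min } = tildeBounds(range);
  return {
    admitsFix: satisfiesTilde(range, firstFixed),
    admitsVulnerable: compareVersions(min, firstFixed) < 0,
  };
}

console.log(auditRange('~1.3.0', '1.3.6')); // { admitsFix: true, admitsVulnerable: true }
```

Both answers are true for `~1.3.0` against `1.3.6`: a fresh install resolves to a fixed `ini`, which is the correction above, but the range also still admits 1.3.0 through 1.3.5, so the version actually installed (for example via `npm ls ini` or the lockfile) is what decides whether a given tree is affected.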
