Companion depends on two modules with moderate CVEs #3384

Closed
martinstreicher opened this issue Dec 21, 2021 · 1 comment · Fixed by #3541
Comments

@martinstreicher

uppy-companion % npm audit 
# npm audit report

redis  2.6.0 - 3.1.0
Potential exponential regex in monitor mode - https://github.com/advisories/GHSA-35q2-47q7-3pc3
fix available via `npm audit fix --force`
Will install @uppy/[email protected], which is a breaking change
node_modules/node-redis-pubsub/node_modules/redis
  node-redis-pubsub  1.0.3 - 4.0.0
  Depends on vulnerable versions of redis
  node_modules/node-redis-pubsub
    @uppy/companion  *
    Depends on vulnerable versions of node-redis-pubsub
    Depends on vulnerable versions of validator
    node_modules/@uppy/companion

validator  <=13.6.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
 Inefficient Regular Expression Complexity in Validator.js - https://github.com/advisories/GHSA-xx4c-jj58-r7x6
fix available via `npm audit fix --force`
Will install @uppy/[email protected], which is a breaking change
node_modules/validator
  @uppy/companion  *
  Depends on vulnerable versions of node-redis-pubsub
  Depends on vulnerable versions of validator
  node_modules/@uppy/companion

4 vulnerabilities (2 low, 2 moderate)

To address all issues (including breaking changes), run:
  npm audit fix --force
@mifi
Contributor

mifi commented Mar 8, 2022

I just checked and it seems our validator version is no longer vulnerable:

companion mifi$ corepack yarn npm audit
└─ redis: 2.8.0
   ├─ Issue: Potential exponential regex in monitor mode
   ├─ URL: https://github.com/advisories/GHSA-35q2-47q7-3pc3
   ├─ Severity: low
   ├─ Vulnerable Versions: >=2.6.0 <3.1.1
   ├─ Patched Versions: >=3.1.1
   ├─ Via: redis
   └─ Recommendation: Upgrade to version 3.1.1 or later

will create a PR for redis
thanks!
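
The two audit outputs in this thread show the same underlying situation: two direct dependencies of @uppy/companion (validator, and redis reached through node-redis-pubsub) have versions inside an advisory's vulnerable range, and npm reports every package on the path as affected, which is how three advisories against two packages become "4 vulnerabilities (2 low, 2 moderate)". The following is an added example, not code from the uppy project or from either commenter, that reproduces that per-package accounting over a constructed dependency tree. The advisory IDs, vulnerable ranges and severities are copied from the thread; the versions assigned to the root project, @uppy/companion and node-redis-pubsub are placeholders chosen for the example, the post-upgrade validator version 13.7.0 is an assumed value just outside the `<=13.6.0` range, and the semver handling is a deliberately minimal reimplementation (plain MAJOR.MINOR.PATCH, ANDed comparators) rather than the `semver` package.

```javascript
// Added example (not code from the uppy project or from this thread): a small
// dependency-tree audit in the style of `npm audit`. Given a tree of installed
// versions and advisories with vulnerable ranges, it reports every package that is
// affected directly or through a dependency and inherits the worst severity below it.
// Runs offline on constructed data; no npm, no network.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Advisories as reported in the thread (IDs, ranges and severities copied from the audit output).
const ADVISORIES = [
  { id: 'GHSA-35q2-47q7-3pc3', package: 'redis', vulnerable: '>=2.6.0 <3.1.1', severity: 'low' },
  { id: 'GHSA-qgmg-gppg-76g5', package: 'validator', vulnerable: '<=13.6.0', severity: 'moderate' },
  { id: 'GHSA-xx4c-jj58-r7x6', package: 'validator', vulnerable: '<=13.6.0', severity: 'moderate' },
];

// Constructed installed tree. redis 2.8.0 and validator 13.6.0 match the thread; the
// versions of the root, @uppy/companion and node-redis-pubsub are placeholders for the
// example, not versions any real lockfile had.
const SAMPLE_TREE = {
  version: '1.0.0',
  dependencies: {
    '@uppy/companion': {
      version: '3.0.0',
      dependencies: {
        'node-redis-pubsub': { version: '3.0.0', dependencies: { redis: { version: '2.8.0' } } },
        validator: { version: '13.6.0' },
      },
    },
  },
};

// The same tree after validator is bumped past the advisory range (assumed 13.7.0).
const UPGRADED_TREE = JSON.parse(JSON.stringify(SAMPLE_TREE));
UPGRADED_TREE.dependencies['@uppy/companion'].dependencies.validator.version = '13.7.0';

// Minimal semver: plain MAJOR.MINOR.PATCH only; prerelease/build tags are rejected on purpose.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Range = space-separated comparators ANDed together, e.g. ">=2.6.0 <3.1.1" or "<=13.6.0".
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((c) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error(`unsupported comparator: ${c}`);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '>=': return cmp >= 0;
      case '<=': return cmp <= 0;
      case '>': return cmp > 0;
      case '<': return cmp < 0;
      default: return cmp === 0;
    }
  });
}

function maxSeverity(a, b) {
  if (!a) return b;
  if (!b) return a;
  return SEVERITY_RANK[a] >= SEVERITY_RANK[b] ? a : b;
}

// Post-order walk: a package is affected if an advisory matches its own version or if
// any of its dependencies is affected. Returns one finding per affected package node.
function auditTree(tree, advisories) {
  const findings = [];
  function walk(name, node, path) {
    let worst = null;
    const via = [];
    for (const adv of advisories) {
      if (adv.package === name && satisfies(node.version, adv.vulnerable)) {
        via.push(adv.id);
        worst = maxSeverity(worst, adv.severity);
      }
    }
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      const childWorst = walk(childName, child, [...path, childName]);
      if (childWorst) {
        via.push(`depends on vulnerable versions of ${childName}`);
        worst = maxSeverity(worst, childWorst);
      }
    }
    if (worst && name !== null) {
      findings.push({ package: name, version: node.version, severity: worst, via, path: path.join(' > ') });
    }
    return worst;
  }
  walk(null, tree, []); // the root project itself is not reported, only its dependencies
  return findings;
}

function countBySeverity(findings) {
  const counts = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return counts;
}

// Report both trees: before the validator bump (4 findings) and after it (only the redis chain).
for (const tree of [SAMPLE_TREE, UPGRADED_TREE]) {
  const findings = auditTree(tree, ADVISORIES);
  for (const f of findings) console.log(`${f.severity.padEnd(8)} ${f.path} (${f.version}) via ${f.via.join(', ')}`);
  console.log(`${findings.length} vulnerabilities`, countBySeverity(findings));
}
```

Against the constructed tree this yields four findings (redis and node-redis-pubsub at low, validator and @uppy/companion at moderate), matching the npm count in the issue; after the validator bump only the redis chain remains, all at low. That also explains the different shape of the two outputs above: yarn's `npm audit` lists one entry per advisory (a single redis entry), whereas npm counts each affected package along the path, so the dependent packages appear in its total as well.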

mifi added a commit that referenced this issue Mar 8, 2022
@mifi mifi closed this as completed in #3541 Mar 8, 2022
mifi added a commit that referenced this issue Mar 8, 2022
HeavenFox pushed a commit to docsend/uppy that referenced this issue Jun 27, 2023

2 participants