
Vulnerability in inflight #705

Open
izumo27 opened this issue Dec 8, 2023 · 5 comments


izumo27 commented Dec 8, 2023

This package depends on inflight and it is vulnerable.
https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116

$ npm ls inflight --omit=dev
@mapbox/[email protected] /Users/...
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]

Any plans for a fix?
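The `npm ls inflight` output above is the manual way to find which top-level dependency drags `inflight` in. The following script is an added example (not from this issue or from the node-pre-gyp project) that does the same triage over the JSON form of that output, `npm ls --json --omit=dev`, so that every path to a target package, and the direct dependency that needs upgrading or replacing, can be listed automatically. The embedded JSON is a constructed sample mirroring the chain in the issue; its version strings are placeholders, not real versions, and `find_dependency_paths`, `top_level_offenders` and `format_path` are names chosen here.

```python
"""Locate every dependency path leading to a package in `npm ls --json` output.

Usage (assumed): npm ls --json --omit=dev | python find_dep_paths.py inflight
Without stdin input the constructed sample below is analysed instead.
"""
import json
import sys

# Constructed sample of `npm ls --json --omit=dev` output. Versions are
# placeholders; the tree shape mirrors node-pre-gyp > rimraf > glob > inflight.
SAMPLE_NPM_LS_JSON = """
{
  "name": "example-app",
  "version": "0.0.0",
  "dependencies": {
    "@mapbox/node-pre-gyp": {
      "version": "0.0.0-placeholder",
      "dependencies": {
        "rimraf": {
          "version": "0.0.0-placeholder",
          "dependencies": {
            "glob": {
              "version": "0.0.0-placeholder",
              "dependencies": {
                "inflight": {"version": "0.0.0-placeholder"}
              }
            }
          }
        }
      }
    },
    "some-other-lib": {
      "version": "0.0.0-placeholder",
      "dependencies": {
        "glob": {
          "version": "0.0.0-placeholder",
          "dependencies": {
            "inflight": {"version": "0.0.0-placeholder"}
          }
        }
      }
    }
  }
}
"""


def load_tree(text):
    """Parse `npm ls --json` output into a dict."""
    return json.loads(text)


def find_dependency_paths(tree, target):
    """Return every path from a direct dependency down to a package named `target`.

    Each path is a list of (name, version) tuples. Deduped entries in npm's
    output carry no nested "dependencies" key, so they simply end the walk.
    """
    paths = []

    def walk(node, path):
        for name, child in (node.get("dependencies") or {}).items():
            current = path + [(name, child.get("version", "?"))]
            if name == target:
                paths.append(current)
            walk(child, current)

    walk(tree, [])
    return paths


def top_level_offenders(paths):
    """Direct dependencies to upgrade or replace in order to drop the target."""
    return sorted({path[0][0] for path in paths})


def format_path(path):
    """Render a path the way `npm ls` does, one 'name@version' per hop."""
    return " > ".join(f"{name}@{version}" for name, version in path)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "inflight"
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NPM_LS_JSON
    found = find_dependency_paths(load_tree(source), target)
    for p in found:
        print(format_path(p))
    print(f"{len(found)} path(s); direct dependencies to address: "
          f"{', '.join(top_level_offenders(found)) or 'none'}")
```

Running it against real `npm ls --json` output tells you whether a single upgrade (here, of `@mapbox/node-pre-gyp`) is enough or whether other direct dependencies also reach `inflight` through their own copy of `glob`.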

pnappa (Contributor) commented Dec 17, 2023

I opened a fix a few days ago. #707

pnappa (Contributor) commented Feb 26, 2024

As a strawpoll, I'm curious what packages you guys are using that depend on this package? It looks like it's not been maintained for a bit, and now there's a few alternatives to use, so it may be wise to try and get those dependencies updated to use a more up-to-date package.

Personally, I use node-argon, which used to depend on this but doesn't anymore; they switched to just using node-gyp-build + prebuildify. See this commit: ranisalt/node-argon2@b476028#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519

Luen commented Mar 5, 2024

Looks like glob was updated in rimraf v4 & v5 which removed the inflight package.

sabex commented Mar 26, 2024

This fix would be good. We use libxmljs, which pulls in node-pre-gyp, so we are impacted by this vulnerability. Accepting @pnappa's pull request would be great.

cclauss (Collaborator) commented Apr 11, 2024

% npm audit

# npm audit report

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar

2 vulnerabilities (1 moderate, 1 critical)
