
security: potential vulnerability #9814

Closed
Infuser opened this issue Aug 2, 2021 · 6 comments
Labels
security issues related to security

Comments

@Infuser

Infuser commented Aug 2, 2021

Bug Description

There is low known vulnerability in @theia/application-package from a nested dependency:

=== npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @theia/application-package                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @theia/application-package > changes-stream > debug          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/534                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 80 scanned packages
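One way to check a dependency tree against the advisory's "Patched in" range, as an added example that is not part of this issue or of Theia's own code. It assumes a constructed flattened dependency list standing in for a real lockfile and implements a minimal comparator for ranges of the shape npm audit prints; note that the range leaves 3.0.x unpatched, which the check reports.

```javascript
// Added example (not from the Theia issue): report every installed copy of the
// advisory's package whose version falls outside the "Patched in" range.
// Assumptions: INSTALLED is a constructed stand-in for a flattened lockfile, and
// the comparator only handles "op x.y.z" comparators joined by spaces and "||".

// Parse "1.2.3" into [1, 2, 3]; prerelease tags are dropped for simplicity.
function parseVersion(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").map(Number);
}

// Negative, zero or positive, like an Array.sort callback.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Does `version` satisfy a range such as ">= 2.6.9 < 3.0.0 || >= 3.1.0"?
// Each "||" alternative is a list of comparators that must all hold.
function satisfies(version, range) {
  const ops = { ">=": (c) => c >= 0, ">": (c) => c > 0, "<=": (c) => c <= 0, "<": (c) => c < 0, "=": (c) => c === 0 };
  return range.split("||").some((alt) => {
    const comparators = [...alt.matchAll(/(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)/g)];
    return comparators.every(([, op, v]) => ops[op || "="](compareVersions(version, v)));
  });
}

// Constructed dependency list: path from the root to the installed package,
// plus the resolved version, as a lockfile would record it.
const INSTALLED = [
  { path: ["@theia/application-package", "changes-stream", "debug"], version: "2.6.8" },
  { path: ["@theia/application-package", "debug"], version: "4.3.1" },
  { path: ["some-other-dep", "debug"], version: "3.0.1" },
];

// The advisory from the audit report above: vulnerable package and patched range.
const ADVISORY = { package: "debug", patchedIn: ">= 2.6.9 < 3.0.0 || >= 3.1.0" };

// Return "a > b > c@version" for every installed copy that is still unpatched.
function findUnpatched(installed, advisory) {
  return installed
    .filter((e) => e.path[e.path.length - 1] === advisory.package && !satisfies(e.version, advisory.patchedIn))
    .map((e) => `${e.path.join(" > ")}@${e.version}`);
}

console.log(findUnpatched(INSTALLED, ADVISORY));
```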
@vince-fugnitto
Member

@Infuser please note that vulnerabilities should not be disclosed publicly; we have a pull request in review with the proper steps to report:

@vince-fugnitto vince-fugnitto changed the title from "Blackduck scan picking up theia dependency" to "security: potential vulnerability" Aug 2, 2021
@vince-fugnitto vince-fugnitto added the security issues related to security label Aug 2, 2021
@Infuser
Author

Infuser commented Aug 2, 2021

Apologies, and point noted, Vince; I assume you will now relay the issue and get it resolved.

Thanks

@vince-fugnitto
Member

@Infuser my apologies for deleting the initial comment; for known vulnerabilities it is fine, but for newly disclosed vulnerabilities we should follow the proper procedure. Any reason as to why this low vulnerability was of interest to you? We try our best to resolve such vulnerabilities, but we prioritize those that are of moderate or higher severity.

@Infuser
Author

Infuser commented Aug 3, 2021

Hi Vince

It's just our company policy to resolve them; not to worry, it's not a major problem for us, but it would be good to see it resolved in the next 6 months.

@vince-fugnitto
Member

It's just our company policy to resolve them; not to worry, it's not a major problem for us, but it would be good to see it resolved in the next 6 months.

@Infuser please don't hesitate in contributing updates to this dependency and others if you're interested 👍

@vince-fugnitto
Member

The vulnerability was fixed thanks to #10764.
