Update npm on all supported release lines to address CVE scored 9.8 in minimist package #32296
Comments
mkdirp seems to have been forked and released in v1.0.3 without the minimist dep: https://github.com/isaacs/node-mkdirp
This should be posted to the npm issue tracker instead.
I did, thx
I think we should keep this open because we'll need to issue new releases on all LTS lines.
Can the subject be changed to something more specific? Is this the plan?
Right now, the subject suggests we'll be updating a package deep inside npm's deps, which I assume/hope is not the intention.
The intention should be for npm to do releases for all those lines and we'll just backport those to all LTS lines.
cc @nodejs/tsc this is important.
I think this is not important because mkdirp doesn't use minimist in its API (only in the CLI, which is never used by npm or any of its dependencies).
It is, because most vulnerability scanners are going to detect this automatically.
If we want to quickly fix this on our side, we can probably just
I think hacking deps/npm sets a bad precedent, but given a 10.x is going out tomorrow, maybe it can update npm to the latest (assuming latest fixes this).
AFAIK there isn't a fixed version of npm yet. v6.14.2 (the latest npm release) still has minimist@0.0.8: https://github.com/npm/cli/blob/v6.14.2/node_modules/minimist/package.json Tracking bug: npm/cli#1027
We've floated patches to npm in the past, fwiw. I would be a bit more comfortable with patching the tree to squelch any dependency warnings than shipping with a version of npm that hasn't gone out in any other release lines.
I asked the npm folks in the OpenJS Slack and Darcy confirmed they will be shipping an npm release today, so if this can wait a bit for that, maybe that can work.
There's an OpenSSL update due out today (#32210). That could potentially go out in the same release as the npm update.
I will wait a tiny bit with the next v13 release to get a fix into that release.
I don't have an active line to any npm folks these days, but if they want to co-ordinate on a node-gyp release then I'd like to hear about it. We have a flagged minimist in our dep tree via mkdirp too, but we try to keep our dep ranges roughly in line with npm's. So for them to ship a "safe" npm will require a "safe" node-gyp. (Also, this whole minimist issue is beyond bogus; I hate this binary security culture we have that incentivises certain companies to make package maintainers' lives hard.)
Actually, we (node-gyp) probably don't need to do anything to synchronize, we ship with
FYI, as Isaac released a 0.5.3 of mkdirp, a simple npm update (actually two) fixes the CVE in a Node 12.x:
What actual vulnerability is being addressed here? The CVE itself seems to indicate that the attack vector is "you can craft a malicious command line argument to attack yourself", which doesn't seem like something particularly urgent. Additionally, it seems like mkdirp can be updated to v0.5.3 trivially, even as a floating patch. Can that be pulled in and shipped in v13 ASAP, especially if that has to start a two-week clock?
My opinion is that there is no vulnerability. I strongly disagree on considering this a vulnerability on The problem is that every vulnerability scanner is going to pinpoint Node.js as vulnerable because those files are on disk. This is causing disruption to all enterprise deployments: most companies have a very strict rule of no known vulnerabilities. As a result, we have to ship releases ASAP to all lines, without waiting for the 2-week period. cc @nodejs/releasers
I agree 100% with @mcollina. This is unfortunately forcing us to make a release when it should not have. Let's just do it and move on.
Thanks for clarifying, that position makes sense to me.
v12.x (#32313) and v10.x (#31984) have releases due Tuesday 24th March that the necessary patch/update could be pulled into. Is that timeframe sufficient? It's possible v13.x could be sooner (@BridgeAR nodejs/Release#487 (comment)). Are we still waiting on a new version of
I think that's sufficient.
I don't think npm has fixed it yet, unfortunately.
npm update has landed, going to make a PR rn
PR-URL: #32368 Refs: #32296 Reviewed-By: Bradley Farias <bradley.meck@gmail.com> Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Hi, thanks for your quick and efficient work on this. Could we release a Node 12.x with npm 6.14.4, which seems to fix the issue more thoroughly? npm/cli#1059
PR-URL: nodejs#32368 Refs: nodejs#32296 Reviewed-By: Bradley Farias <bradley.meck@gmail.com> Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Backport-PR-URL: #32527 PR-URL: #32368 Refs: #32296 Reviewed-By: Bradley Farias <bradley.meck@gmail.com> Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Node.js 10.20.0, 12.16.2 and 13.12.0 were all updated to use npm 6.14.4.
Is your feature request related to a problem? Please describe.
The package mkdirp 0.5.1 contains a dependency on minimist 0.0.8, which has CVE-2020-7598, scored 9.8.
Describe the solution you'd like
Remove the package mkdirp or find a maintained alternative.
Others