source-map-resolve is deprecated and vulnerable #31

Open
elcreator opened this issue Nov 29, 2022 · 2 comments

Comments

@elcreator
https://github.com/lydell/source-map-resolve is deprecated now and contains a vulnerable decode-uri-component dependency (GHSA-w573-4hg7-7wgq).

@JESii
JESii commented Nov 3, 2023

CVE-2022-38900: I created a PR for source-map-resolve to fix this security issue and the maintainer refused to apply it:

> But – anyway. I find it boring to use my free time to do things with this deprecated package that I don’t like. It might be easy to fix this thing, but in a couple of months there will be some other vulnerability in some other dependency and the cycle repeats. Or someone finds a vulnerability in source-map-resolve itself. Not fun.

So I have a replacement module that resolves the problem: https://github.com/jesii/source-map-resolve. It updates decode-uri-component, which is where the security issue is, using v0.2.2 instead of the vulnerable v0.2.0.

@sebastien46
> So I have a replacement module that resolves the problem: https://github.com/jesii/source-map-resolve. It updates decode-uri-component, which is where the security issue is, using v0.2.2 instead of the vulnerable v0.2.0.

@jonschlinkert could you consider implementing this, or even replacing/removing source-map-resolve?
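
An added example, not code from this thread or from either project: a small JavaScript check that lists every installed copy of decode-uri-component in a parsed package-lock.json and the packages that pull it in. It assumes lockfileVersion 2 or 3, treats anything older than 0.2.2 (the version named in the comments above) as outdated, and runs on a constructed sample lockfile in which `demo-app`, `legacy-helper` and all versions other than 0.2.0 and 0.2.2 are made up.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
const TARGET = "decode-uri-component";
const FIXED = "0.2.2"; // version the thread's fork moves to; 0.2.0 is the one it calls vulnerable

// Compare dotted numeric versions (prerelease tags ignored): <0, 0 or >0.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry has the key "".
function nameFromPath(p) {
  if (p === "") return "(root project)";
  return p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Lists every installed copy of TARGET and every package that depends on it.
function auditLock(lock) {
  const installs = [];
  const requiredBy = new Set();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (name === TARGET && meta.version) {
      installs.push({ path, version: meta.version, outdated: cmpVersion(meta.version, FIXED) < 0 });
    }
    if (meta.dependencies && TARGET in meta.dependencies) {
      requiredBy.add(`${name}@${meta.version}`);
    }
  }
  return { installs, requiredBy: [...requiredBy].sort(), affected: installs.some((i) => i.outdated) };
}

// Constructed sample lockfile; every version except 0.2.0 / 0.2.2 is made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { "source-map-resolve": "*" } },
    "node_modules/source-map-resolve": { version: "9.9.9", dependencies: { [TARGET]: "^0.2.0" } },
    "node_modules/decode-uri-component": { version: "0.2.0" },
    "node_modules/legacy-helper": { version: "1.0.0", dependencies: { [TARGET]: "^0.2.2" } },
    "node_modules/legacy-helper/node_modules/decode-uri-component": { version: "0.2.2" },
  },
};

console.log(JSON.stringify(auditLock(sampleLock), null, 2));
```

To run it against a real project, pass `JSON.parse` of the project's package-lock.json to `auditLock` in place of `sampleLock`.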
