Security updates in deps #32

Open
optiguy opened this issue Nov 7, 2023 · 1 comment
Comments

optiguy commented Nov 7, 2023

[email protected] has a couple of dependencies that should be updated due to a high risk, due to the version of d3-color and cli for this package. This is the result of running an audit on the package.

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ d3-color vulnerable to ReDoS                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ d3-color                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <3.1.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > [email protected] > [email protected] >          │
│                     │ [email protected] > [email protected] > [email protected] >    │
│                     │ [email protected]                                         │
│                     │                                                        │
│                     │ . > [email protected] > [email protected] >          │
│                     │ [email protected] > [email protected] > [email protected] >     │
│                     │ [email protected]                                         │
│                     │                                                        │
│                     │ . > [email protected] > [email protected] >          │
│                     │ [email protected] > [email protected] > [email protected] >     │
│                     │ [email protected] > [email protected]                  │
│                     │                                                        │
│                     │ ... Found 13 paths, run `pnpm why d3-color` for more   │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-36jr-mh4h-2g58      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Arbitrary File Write in cli                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ cli                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <1.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.0.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > [email protected] > [email protected] >           │
│                     │ [email protected] > [email protected]                     │
│                     │                                                        │
│                     │ . > [email protected] > [email protected] >          │
│                     │ [email protected] > [email protected] >        │
│                     │ [email protected]                                              │
│                     │                                                        │
│                     │ . > [email protected] > [email protected] >          │
│                     │ [email protected] > [email protected] >        │
│                     │ [email protected]                                              │
│                     │                                                        │
│                     │ ... Found 5 paths, run `pnpm why cli` for more         │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-6cpc-mj5c-m9rq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Node CLI Allows Arbitrary File Overwrite               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ cli                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=0.1.0 <=0.11.3                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.0.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > [email protected] > [email protected] >           │
│                     │ [email protected] > [email protected]                     │
│                     │                                                        │
│                     │ . > [email protected] > [email protected] >          │
│                     │ [email protected] > [email protected] >        │
│                     │ [email protected]                                              │
│                     │                                                        │
│                     │ . > [email protected] > [email protected] >          │
│                     │ [email protected] > [email protected] >        │
│                     │ [email protected]                                              │
│                     │                                                        │
│                     │ ... Found 5 paths, run `pnpm why cli` for more         │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-3mrp-qhcj-mwv5      │
└─────────────────────┴────────────────────────────────────────────────────────┘
khrome (Owner) commented Nov 7, 2023

Thanks for your report, these will be upgraded or removed in the coming 3.0 release.

Regarding the specifics of the report though: ascii art only uses d3-color in the d3 mode and uses a specific set of descriptions for color (RGB, hex or named values), so any vulnerability would come from generating unsanitized inputs in code (on a server), AKA allowing a user to upload source code and then processing that, since all non-ANSI color handling is programmatic, which is, itself, highly questionable. I recommend not trying that in the first place, but will be updating to a version not vulnerable to ReDoS.

color-difference is on target to be removed (an inactive dep which is the culprit for the cli dep, even though that dep is not in the code path of anything executing in this lib).

Thanks again for the report, I'll leave it open until 3.0 drops.
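The maintainer's point above is that the d3-color ReDoS is only reachable if attacker-controlled strings reach the colour parser, and that the library itself only ever passes hex, RGB or named values. The following is an added example, not code from the ascii-art project, of a strict allowlist gate that enforces exactly that grammar (plus a length cap) before any string is handed to a parser; the named-colour subset and the cap of 32 characters are assumptions chosen for the example.

```javascript
// Added example (not from the ascii-art project): allowlist colour specs
// before they reach a parser such as d3-color. Only hex, rgb(...) and a
// named-colour set are accepted; everything else is rejected up front, so
// untrusted text never exercises the parser's own regexes.

const MAX_SPEC_LENGTH = 32; // assumption: ample for '#rrggbb' and 'rgb(255, 255, 255)'

// Constructed subset of CSS named colours for this example; extend as needed.
const NAMED_COLOURS = new Set([
  'black', 'white', 'red', 'green', 'blue', 'yellow', 'cyan', 'magenta',
  'gray', 'grey', 'orange', 'purple', 'brown', 'pink',
]);

// Both patterns are anchored and contain no nested or overlapping
// quantifiers, so matching time is linear in the (already capped) length.
const HEX_RE = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;
const RGB_RE = /^rgb\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)$/i;

// Returns true only for a spec in one of the three accepted forms.
function isSafeColorSpec(spec) {
  if (typeof spec !== 'string' || spec.length === 0 || spec.length > MAX_SPEC_LENGTH) {
    return false;
  }
  if (HEX_RE.test(spec)) return true;
  const m = RGB_RE.exec(spec);
  if (m) {
    // \d{1,3} still admits values like 999; enforce the 0..255 channel range.
    return m.slice(1, 4).every((channel) => Number(channel) <= 255);
  }
  return NAMED_COLOURS.has(spec.trim().toLowerCase());
}

// Gatekeeper around any colour parser: reject instead of forwarding bad input.
// The parser argument is hypothetical; in practice it would be d3-color's parse.
function parseColorGuarded(spec, parser) {
  if (!isSafeColorSpec(spec)) {
    const shown = JSON.stringify(String(spec).slice(0, 40));
    throw new RangeError(`rejected colour spec: ${shown}`);
  }
  return parser(spec);
}

// Stand-alone demonstration with constructed inputs.
console.log(isSafeColorSpec('#ff0000'), isSafeColorSpec('rgb(12, 200, 255)'));
console.log(isSafeColorSpec('rgb(12, 200, 256)'), isSafeColorSpec('a'.repeat(1000)));
```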
