CVE-2023-45853 (zlib) found on main #161
A new vulnerability for zlib 1.2.13.1-motley was found:
Vulnerability ID: CVE-2023-45853
Vulnerability URL: https://nvd.nist.gov/vuln/detail/CVE-2023-45853
Failed run: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/6581614069
Comments
I'm fairly certain that Node.js is not using/exposing minizip -- there are no references to minizip in deps/zlib/zlib.gyp. We don't provide zip support in Node.js (although it has been requested (nodejs/node#45434)). In any case we're using the chromium fork of zlib, updated weekly (every Sunday with commits that were made up to the prior Friday): tools/dep_updaters/update-zlib.sh
@richardlau: Can you look for zlib 1.3.0 (2023-08-18):
🤷. Node.js has two copies of the chromium fork of zlib (see nodejs/node#33848 and nodejs/node#47493). Porting patches across from non-forked zlib is going to be problematic as we have weekly automation running, that syncs from the chromium zlib fork every week, which would overwrite any patches we make. Node.js used to use zlib from https://github.com/madler/zlib/ but it was switched out for the chromium fork for performance reasons: nodejs/node#31201 You can see the current chromium fork of zlib: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/third_party/zlib/
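The triage question in this thread is whether a Node.js checkout actually compiles the minizip code the CVE is filed against, or only ships it under deps/zlib/contrib. The script below is an added example of that check; it is not part of Node.js, of the chromium zlib fork, or of the nodejs-dependency-vuln-assessments tooling. It assumes the version macro is ZLIB_VERSION in deps/zlib/zlib.h, that minizip sources live under contrib/minizip, and that the build description is in *.gyp, *.gypi or *.gn files under deps/zlib; the fixture tree it creates is constructed for demonstration and is not a real Node.js source tree.

```shell
# Added triage helper (example code, not part of Node.js or of this repository).
# Assumptions: ZLIB_VERSION is defined in deps/zlib/zlib.h, minizip sources sit
# under contrib/minizip, and build descriptions are *.gyp, *.gypi or *.gn files.

# Print the ZLIB_VERSION string from deps/zlib/zlib.h (e.g. "1.2.13.1-motley").
zlib_version() {
  sed -n 's/^#define ZLIB_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' "$1/deps/zlib/zlib.h"
}

# Return 0 if any build file under deps/zlib lists a minizip .c source (minizip
# is compiled into the zlib target), 1 if minizip is merely present on disk.
minizip_built() {
  find "$1/deps/zlib" -type f \( -name '*.gyp' -o -name '*.gypi' -o -name '*.gn' \) \
    -exec grep -lE 'contrib/minizip/[A-Za-z0-9_]+\.c' {} + 2>/dev/null | grep -q .
}

# One-line verdict for a checkout: "<zlib version> minizip=yes|no".
triage() {
  if minizip_built "$1"; then m=yes; else m=no; fi
  printf '%s minizip=%s\n' "$(zlib_version "$1")" "$m"
}

# Constructed fixture (not a real Node.js tree): the version string this issue
# reports, a gyp file that lists no minizip source, and a minizip file that is
# shipped on disk but never referenced by the build.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/deps/zlib/contrib/minizip"
  printf '#define ZLIB_VERSION "1.2.13.1-motley"\n' > "$d/deps/zlib/zlib.h"
  cat > "$d/deps/zlib/zlib.gyp" <<'EOF'
{
  'targets': [{
    'target_name': 'zlib',
    'sources': [ 'adler32.c', 'deflate.c', 'inflate.c', 'zutil.c' ],
  }],
}
EOF
  printf '/* shipped but not built */\n' > "$d/deps/zlib/contrib/minizip/zip.c"
  printf '%s\n' "$d"
}

# Usage on a real checkout: triage /path/to/node
```

The distinction the script draws matters for the assessment: a source tree can carry contrib/minizip without the build ever compiling it, so grepping the version string alone over-reports, while grepping the build files for minizip sources answers the question richardlau raises about zlib.gyp.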