
SNOW-982793 SNOW-993512: SNYK-JS-INFLIGHT-6095116: High Vulnerability via glob -> inflight #720

Closed
junaid-ali opened this issue Dec 1, 2023 · 10 comments
Assignees
Labels
security vulnerability Security vulnerability detected by WhiteSource

Comments

@junaid-ali

junaid-ali commented Dec 1, 2023

https://github.com/snowflakedb/snowflake-connector-nodejs/blob/master/package.json#L25

https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116

fix is to upgrade glob version to v9+ which no longer depends on the vulnerable package: isaacs/inflight-DEPRECATED-DO-NOT-USE#5 (comment)

@junaid-ali junaid-ali added the bug Something isn't working label Dec 1, 2023
@github-actions github-actions bot changed the title SNYK-JS-INFLIGHT-6095116: High Vulnerability via glob -> inflight SNOW-982793: SNYK-JS-INFLIGHT-6095116: High Vulnerability via glob -> inflight Dec 1, 2023
@sfc-gh-dszmolka
Collaborator

thank you for raising this issue - already in progress under #714

@sfc-gh-dszmolka sfc-gh-dszmolka self-assigned this Dec 1, 2023
@sfc-gh-dszmolka sfc-gh-dszmolka added security vulnerability Security vulnerability detected by WhiteSource status-pr_pending_merge A PR is made and is under review and removed bug Something isn't working labels Dec 1, 2023
@sfc-gh-dszmolka sfc-gh-dszmolka added status-fixed_awaiting_release The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector. and removed status-pr_pending_merge A PR is made and is under review labels Dec 5, 2023
@sfc-gh-dszmolka
Collaborator

PR is merged and will be part of the next release, expected by next week at the latest

@sfc-gh-dszmolka
Collaborator

released with 1.9.2, closing

@sfc-gh-dszmolka
Collaborator

reopening because it looks like it's not that easy to get rid of inflight. still with us, due to a transitive dependency.

root@ef641033e6e3:/node# npm why glob
[email protected] # <-- this is the fixed version
node_modules/glob
  glob@"^9.0.0" from [email protected]
  node_modules/snowflake-sdk
    snowflake-sdk@"^1.9.2" from the root project

[email protected] # <-- sadly this one still has `inflight`
node_modules/rimraf/node_modules/glob
  glob@"^7.1.3" from [email protected]
  node_modules/rimraf
    rimraf@"^3.0.0" from [email protected]
    node_modules/tmp
      tmp@"^0.2.1" from [email protected]
      node_modules/snowflake-sdk
        snowflake-sdk@"^1.9.2" from the root project

root@ef641033e6e3:/node# npm why inflight
[email protected]
node_modules/inflight
  inflight@"^1.0.4" from [email protected]
  node_modules/rimraf/node_modules/glob
    glob@"^7.1.3" from [email protected]
    node_modules/rimraf
      rimraf@"^3.0.0" from [email protected]
      node_modules/tmp
        tmp@"^0.2.1" from [email protected]
        node_modules/snowflake-sdk
          snowflake-sdk@"^1.9.2" from the root project

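The `npm why` output above shows the chain snowflake-sdk -> tmp -> rimraf -> glob v7 -> inflight. The following is an added example, not code from the snowflake-connector-nodejs project: it walks a lockfileVersion 3 `package-lock.json` with npm's nested `node_modules` resolution rules and lists every dependency chain that ends in a given package. The lock data is constructed to mirror the tree in this issue (versions taken from the range lower bounds shown above), and a second copy with the `tmp` dependency dropped reproduces the fix discussed later in the thread.

```javascript
// Constructed lock data mirroring the issue's tree (not a real lockfile).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "snowflake-sdk": "^1.9.2" } },
    "node_modules/snowflake-sdk": { version: "1.9.2", dependencies: { glob: "^9.0.0", tmp: "^0.2.1" } },
    "node_modules/glob": { version: "9.0.0" },
    "node_modules/tmp": { version: "0.2.1", dependencies: { rimraf: "^3.0.0" } },
    "node_modules/rimraf": { version: "3.0.0", dependencies: { glob: "^7.1.3" } },
    "node_modules/rimraf/node_modules/glob": { version: "7.1.3", dependencies: { inflight: "^1.0.4" } },
    "node_modules/inflight": { version: "1.0.4" },
  },
};

// Resolve dependency `name` required from the package at `fromPath` the way
// Node does: try <fromPath>/node_modules/<name>, then walk up one level.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return every "root -> a@x -> b@y" chain from the root project to `target`.
function chainsTo(lock, target) {
  const packages = lock.packages;
  const results = [];
  function walk(path, label, trail, onStack) {
    if (onStack.has(path)) return; // guard against dependency cycles
    const here = [...trail, label];
    const name = path.split("node_modules/").pop();
    if (path && name === target) { results.push(here.join(" -> ")); return; }
    const next = new Set(onStack).add(path);
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (!depPath) continue; // not installed (e.g. optional dependency)
      walk(depPath, `${dep}@${packages[depPath].version}`, here, next);
    }
  }
  walk("", "root", [], new Set());
  return results;
}

// Same tree with the tmp dependency removed, as the later fix (#742) does.
const fixedLock = JSON.parse(JSON.stringify(sampleLock));
delete fixedLock.packages["node_modules/snowflake-sdk"].dependencies.tmp;

console.log(chainsTo(sampleLock, "inflight")); // one chain through rimraf's nested glob@7
console.log(chainsTo(fixedLock, "inflight"));  // []
```

Pointing `chainsTo` at a real lockfile (`JSON.parse(fs.readFileSync("package-lock.json"))`) gives the same answer `npm why` does, which is useful in CI to fail a build when a known-vulnerable package reappears through a transitive path.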
@sfc-gh-dszmolka sfc-gh-dszmolka added status-in_progress Issue is worked on by the driver team and removed status-fixed_awaiting_release The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector. labels Dec 18, 2023
@sfc-gh-dszmolka sfc-gh-dszmolka changed the title SNOW-982793: SNYK-JS-INFLIGHT-6095116: High Vulnerability via glob -> inflight SNOW-982793 SNOW-993512: SNYK-JS-INFLIGHT-6095116: High Vulnerability via glob -> inflight Dec 18, 2023
@junaid-ali
Author

seems like rimraf should be upgraded to at least v4.2.0?

@junaid-ali
Author

@sfc-gh-dszmolka
Collaborator

indeed there are multiple options (override dependency, replace tmp, etc.), the team will look into how to proceed best and I'll keep this thread posted

@sfc-gh-dszmolka
Collaborator

fix in progress under #742 (removing tmp -> glob v7 -> inflight)

@sfc-gh-dszmolka sfc-gh-dszmolka added status-pr_pending_merge A PR is made and is under review and removed status-in_progress Issue is worked on by the driver team labels Dec 29, 2023
@sfc-gh-dszmolka
Collaborator

PR merged and now inflight is gone with removing dependency on tmp

# npm i [email protected]
..
# npm why inflight
[email protected]
node_modules/inflight
  inflight@"^1.0.4" from [email protected]
  node_modules/rimraf/node_modules/glob
    glob@"^7.1.3" from [email protected]
    node_modules/rimraf
      rimraf@"^3.0.0" from [email protected]
      node_modules/tmp
        tmp@"^0.2.1" from [email protected]
        node_modules/snowflake-sdk
          snowflake-sdk@"^1.9.2" from the root project 

# install latest from main
# npm i https://github.com/snowflakedb/snowflake-connector-nodejs.git
..
# npm why inflight
npm ERR! No dependencies found matching inflight

will be part of the next (January) release, expected within 2 weeks

@sfc-gh-dszmolka sfc-gh-dszmolka added status-fixed_awaiting_release The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector. and removed status-pr_pending_merge A PR is made and is under review labels Jan 5, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka removed the status-fixed_awaiting_release The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector. label Jan 18, 2024
@sfc-gh-dszmolka
Collaborator

released with snowflake-sdk 1.9.3
