Security vulnerability at js-yaml
@commitlint/load uses a vulnerable version of cosmiconfig (which uses a vulnerable version of js-yaml), see https://nodesecurity.io/advisories/788 for more details on the security issue. js-yaml 3.13.0 is patched, but cosmiconfig has yet to update its version.

yarn audit output:
┌────────────────┬──────────────────────────────────────────────────────┐
│ moderate       │ Denial of Service                                    │
├────────────────┼──────────────────────────────────────────────────────┤
│ Package        │ js-yaml                                              │
├────────────────┼──────────────────────────────────────────────────────┤
│ Patched in     │ >=3.13.0                                             │
├────────────────┼──────────────────────────────────────────────────────┤
│ Dependency of  │ commitlint                                           │
├────────────────┼──────────────────────────────────────────────────────┤
│ Path           │ commitlint > @commitlint/cli > @commitlint/load >    │
│                │ cosmiconfig > js-yaml                                │
├────────────────┼──────────────────────────────────────────────────────┤
│ More info      │ https://nodesecurity.io/advisories/788               │
└────────────────┴──────────────────────────────────────────────────────┘
Expected Behavior
Use a patched version of cosmiconfig when it's available, see this issue & pr
Current Behavior
Uses a vulnerable version of cosmiconfig.
Affected packages
- cli (load)
- core
- prompt
- config-angular
Possible Solution
- Update cosmiconfig
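As an added example (not code from commitlint, cosmiconfig or the issue author), the script below does the check a maintainer would want to automate while waiting on the upstream fix: it parses a yarn v1 lockfile and flags every resolved js-yaml version below the 3.13.0 threshold reported in the audit table. It generalises slightly beyond the issue in that the package name and threshold are parameters, so the same function can be pointed at any other transitive dependency. The lockfile excerpt, its version numbers and its registry URLs are constructed for illustration and do not describe real cosmiconfig releases.

```javascript
// Added example, not code from commitlint, cosmiconfig or the issue author:
// scan a yarn v1 lockfile for js-yaml entries and report every resolved
// version below the patched release named in the advisory (>=3.13.0).

// Threshold taken from the yarn audit table ("Patched in >=3.13.0").
const PATCHED_JS_YAML = '3.13.0';

// Constructed yarn.lock excerpt for illustration. The package chain follows
// the audit path (cosmiconfig -> js-yaml); the version numbers, ranges and
// tarball URLs are made up and do not describe any real release.
const SAMPLE_YARN_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


cosmiconfig@^5.0.0:
  version "5.0.7"
  resolved "https://registry.yarnpkg.com/cosmiconfig/-/cosmiconfig-5.0.7.tgz"
  dependencies:
    js-yaml "^3.9.0"

"js-yaml@^3.12.0", "js-yaml@^3.9.0":
  version "3.12.1"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.12.1.tgz"

js-yaml@^3.13.0:
  version "3.13.1"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.13.1.tgz"
`;

// Parse the yarn v1 format: an unindented header listing one or more
// comma-separated "name@range" specs (optionally quoted) ending in ':',
// followed by indented fields, of which we only need `version`.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const specs = line
        .slice(0, -1)
        .split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Compare two MAJOR.MINOR.PATCH strings numerically; pre-release suffixes
// are dropped, which is sufficient for the ">=3.13.0" threshold here.
function compareSemver(a, b) {
  const num = (v) => v.split('-')[0].split('.').map(Number);
  const pa = num(a);
  const pb = num(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Strip the range from a spec. Scoped names start with '@', so split on the
// last '@' rather than the first.
function packageName(spec) {
  return spec.slice(0, spec.lastIndexOf('@'));
}

// Every lockfile entry for `pkg` whose resolved version is below `patched`.
function findVulnerable(entries, pkg, patched) {
  return entries.filter(
    (e) =>
      e.version !== null &&
      e.specs.some((s) => packageName(s) === pkg) &&
      compareSemver(e.version, patched) < 0
  );
}

// Human-readable findings for a lockfile; empty array means nothing to fix.
function report(text, pkg = 'js-yaml', patched = PATCHED_JS_YAML) {
  return findVulnerable(parseYarnLock(text), pkg, patched).map(
    (e) => `${pkg}@${e.version} (from ${e.specs.join(', ')}) is below ${patched}`
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  const findings = report(SAMPLE_YARN_LOCK);
  if (findings.length === 0) console.log('no vulnerable js-yaml in lockfile');
  findings.forEach((f) => console.log(f));
}
```

Run against a real project, replace SAMPLE_YARN_LOCK with the contents of its yarn.lock. A non-empty report means some range still resolves to a vulnerable build even after the direct dependency is updated; in yarn v1 a `resolutions` entry in package.json can force js-yaml to >=3.13.0 across the whole tree as a stopgap until cosmiconfig itself moves.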
Issue Analytics
- State:
- Created 4 years ago
- Reactions:2
- Comments:6 (3 by maintainers)
Top GitHub Comments
Fixed in the meantime
Thx @pyrho!
We're watching the related issue of cosmiconfig and will update as soon as it's available.