Update git-url-parse to fix parse-url vulnerability
parse-url is a dependency of git-up, which is a dependency of git-url-parse, which is a dependency of lerna. parse-url has the following file protocol spoofing vulnerability: https://huntr.dev/bounties/52060edb-e426-431b-a0d0-e70407e44f18/

parse-url has been updated to 8.0.0 to fix the vulnerability but introduces breaking changes. https://github.com/IonicaBizau/parse-url/releases
git-up has been updated to 7.0.0 to include the parse-url changes. https://github.com/IonicaBizau/git-up/releases
git-url-parse has been updated to 13.0.0 to include the parse-url changes. https://github.com/IonicaBizau/git-url-parse/releases
Please update to git-url-parse 13.0.0 or greater.
Steps to Reproduce
N/A
Environment
N/A
Top GitHub Comments
It looks like this dependency is primarily used in the createRelease function to get the repo name & owner. The parse-url breaking changes appear to be primarily regarding the `resource` & `host` properties. My guess is it'd be safe to use `overrides` for lerna. Though I might specify that in the tree so it's clear which dependency you're providing an override for, for lerna to know to check when lerna does release an update.

parse-url@8.1.0 is the version with the vulnerability patched, so what's the issue?