CVE-2022-2900
### Describe the bug
Dependency parse-url prior to 8.1.0 suffers from CVE-2022-2900.
### Expectation
git-url-parse, as a dependency of @lerna-lite/core, should be upgraded to v13, hence parse-url ^8.1.0.
### Reproduction
### Environment Info
```
System:
  OS: macOS 12.6
  CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
Binaries:
  Node: 14.17.5 - ~/.volta/tools/image/node/14.17.5/bin/node
  Yarn: 1.22.19 - ~/.volta/tools/image/yarn/1.22.19/bin/yarn
  npm: 6.14.14 - ~/.volta/tools/image/node/14.17.5/bin/npm
Utilities:
  Git: 2.37.0 - /usr/bin/git
```
### Used Package Manager
pnpm
### Validations
- [X] Follow our [Code of Conduct](https://github.com/ghiscoding/lerna-lite/blob/master/.github/CODE_OF_CONDUCT.md)
- [X] Read the [docs](https://github.com/ghiscoding/lerna-lite#readme).
- [X] Check that there isn't [already an issue](https://github.com/ghiscoding/lerna-lite/issues) that reports the same bug to avoid creating a duplicate.
- [X] Check that this is a concrete bug. For Q&A open a [GitHub Discussion](https://github.com/ghiscoding/lerna-lite/discussions).
- [X] The provided reproduction is a [minimal reproducible example](https://stackoverflow.com/help/minimal-reproducible-example) of the bug.
### Top Results From Across the Web
- CVE-2022-2900 Detail - NVD: Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.
- CVE-2022-2900 (CVE Program): The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
- CVE-2022-2900: CVE-2022-2900 is a disclosure identifier tied to a security vulnerability with the following details. Server-Side Request Forgery (SSRF) in ...
- CVE-2022-2900 | Tenable®: Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.
- CVE-2022-2900 | Vulnerability Database | Aqua Security: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does...
### Top GitHub Comments
I have Renovate installed and it runs once a week. This dependency you’re talking about was already updated in PRs #341, #331 and #312, and I pushed a patch release last night (see v1.11.3), so you should just have to update.
@ghiscoding Our corporate security scanner detected this vulnerability – not sure what they use there under the hood hahah 😛