Could you help remove the high severity vulnerability introduced by package trim-newlines?
Hi, @sindresorhus @LitoMore, there is a high severity vulnerability introduced in your package meow:
Issue Description
A vulnerability CVE-2021-33623 is detected in package trim-newlines (<3.0.1, >=4.0.0 <4.0.1) and trim-newlines@1.0.0 is directly referenced by meow@3.7.0. We noticed that such a vulnerability has been removed since meow@6.0.0.
However, meow’s popular previous version meow@3.7.0 (6,322,587 downloads per week) is still transitively referenced by a large amount of latest versions of active and popular downstream projects (about 33,521 downstream projects, e.g., imagemin-pngquant 9.0.2, mozjpeg 7.1.0, gifsicle 5.2.0, image-webpack-loader 7.0.1, bugsnag-sourcemaps 1.3.0, @exmg/exmg-dialogs 6.0.4, etc.). As such, issue CVE-2021-33623 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade meow from version 3.7.0 to (>=6.0.0). For instance, meow@3.7.0 is introduced into the above projects via the following package dependency paths:
(1)@exmg/exmg-dialogs@6.0.4 ➔ web-component-tester@6.9.2 ➔ polyserve@0.27.15 ➔ polymer-build@3.1.4 ➔ sw-precache@5.2.1 ➔ meow@3.7.0 ➔ trim-newlines@1.0.0
…
The projects such as sw-precache, which introduced meow@3.7.0, are not maintained anymore. These unmaintained packages can neither upgrade meow nor be easily migrated by the large amount of affected downstream projects.
On behalf the downstream users, could you help us remove the vulnerability from package meow@3.7.0?
Suggested Solution
Since these inactive projects set a version constraint 3.7.* for meow on the above vulnerable dependency paths, if meow removes the vulnerability from 3.7.0 and releases a new patched version meow@3.7.1, such a vulnerability patch can be automatically propagated into the 33,521 affected downstream projects.
In meow@3.7.1, you can kindly try to perform the following upgrade:
trim-newlines ^1.0.0 ➔ ^3.0.1
Note:
trim-newlines@3.0.1(>=3.0.1 <4.0.0, >=4.0.1) has fixed the vulnerability (CVE-2021-33623)
Thank you for your contributions.
Best regards, Paimon
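The issue above rests on two mechanical facts: a dependency path that ends in a trim-newlines version inside the advisory's ranges, and a downstream constraint such as 3.7.* that would pick up a hypothetical meow@3.7.1 automatically. The following script is an added example, not code from meow, trim-newlines or the issue author. It walks a dependency tree constructed from the path quoted in the issue (not a real lockfile), reports every path that reaches a vulnerable trim-newlines version using the ranges stated on this page, and checks which versions a 3.7.* or caret range accepts. The range matcher is a deliberately small hand-written one covering only the range shapes that appear in the issue; it is not the npm semver package.

```javascript
// Added example, not part of the meow project or the issue text.
// Vulnerable ranges are taken from the advisory note on the page:
// trim-newlines <3.0.1 and >=4.0.0 <4.0.1 (CVE-2021-33623).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not an exact semver version: ${v}`);
  return m.slice(1).map(Number);
}

// Three-way compare of two exact versions: -1, 0 or 1.
function compare(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

const VULNERABLE_RANGES = {
  'trim-newlines': [
    { lt: '3.0.1' },
    { gte: '4.0.0', lt: '4.0.1' },
  ],
};

function isVulnerable(name, version) {
  const ranges = VULNERABLE_RANGES[name] || [];
  return ranges.some((r) =>
    (r.gte === undefined || compare(version, r.gte) >= 0) &&
    (r.lt === undefined || compare(version, r.lt) < 0));
}

// Minimal matcher for the two range shapes on the page: "3.7.*" and "^1.0.0".
function satisfies(version, range) {
  const v = parseVersion(version);
  let m;
  if ((m = /^(\d+)\.(\d+)\.\*$/.exec(range))) {
    return v[0] === Number(m[1]) && v[1] === Number(m[2]);
  }
  if ((m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range))) {
    const base = m.slice(1).map(Number);
    const notBelowBase = compare(version, range.slice(1)) >= 0;
    // Caret keeps the major fixed (or the minor, when the major is 0).
    if (base[0] !== 0) return v[0] === base[0] && notBelowBase;
    return v[0] === 0 && v[1] === base[1] && notBelowBase;
  }
  throw new Error(`unsupported range: ${range}`);
}

// Tree node shape: { version, deps: { name: node } }. Returns every
// root-to-leaf path whose leaf is a vulnerable package@version.
function findVulnerablePaths(rootName, root) {
  const hits = [];
  const walk = (name, node, path) => {
    const here = [...path, `${name}@${node.version}`];
    if (isVulnerable(name, node.version)) hits.push(here.join(' -> '));
    for (const [depName, depNode] of Object.entries(node.deps || {})) {
      walk(depName, depNode, here);
    }
  };
  walk(rootName, root, []);
  return hits;
}

// Constructed sample mirroring dependency path (1) from the issue.
const SAMPLE_TREE = {
  version: '6.0.4',
  deps: { 'web-component-tester': { version: '6.9.2',
    deps: { polyserve: { version: '0.27.15',
      deps: { 'polymer-build': { version: '3.1.4',
        deps: { 'sw-precache': { version: '5.2.1',
          deps: { meow: { version: '3.7.0',
            deps: { 'trim-newlines': { version: '1.0.0' } } } } } } } } } } } },
};

console.log(findVulnerablePaths('@exmg/exmg-dialogs', SAMPLE_TREE));
console.log('3.7.* accepts 3.7.1:', satisfies('3.7.1', '3.7.*'));
console.log('3.7.* accepts 6.0.0:', satisfies('6.0.0', '3.7.*'));
```

Running it prints the single vulnerable path from the issue and shows why the proposed fix works at the constraint level: 3.7.* admits 3.7.1 but not 6.0.0, so a downstream project pinned that way would only ever receive the patch through a 3.7.x release.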
No.
FYI: https://overreacted.io/npm-audit-broken-by-design/
You are requesting an update to a six years old version of this module?
In comparison: Node.js LTS releases are only supported for three years.
All in all: Any project using a 3.x version of meow must be extremely outdated (meow@4.0.0 was released almost four years ago) and should generally be avoided. Remember: npm audit won’t tell you if a module is safe to use, it will only tell you if it knows that it may be unsafe to use. Using any six years old module that’s six major versions behind the latest version should be very much avoided and not be considered safe practice.
Hence patching that old version would serve nothing else than creating a false sense of security.