Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

transitively pinned minimatch 3.0.4 dependency is causing rush audit to fail. #4524

Closed
MichaelBelousov opened this issue Oct 20, 2022 · 5 comments · Fixed by #4537
Closed

transitively pinned minimatch 3.0.4 dependency is causing rush audit to fail. #4524

MichaelBelousov opened this issue Oct 20, 2022 · 5 comments · Fixed by #4537
Assignees
@aruniverse @mattbjordan @evelynpreslar-bentley
Labels
good first issue Good for newcomers

Comments

@MichaelBelousov
Copy link
Contributor

Describe the bug

Our transitive dependencies now include minimatch@3.0.4 which has a ReDos vulnerability
GHSA-f8q6-p94x-37v3

To Reproduce

run rush audit in master. You'll fail on this:
GHSA-f8q6-p94x-37v3

Expected behavior

No failure

Additional context

we could use pnpm.overrides but we'd have to upgrade our rush version and downstream consumers of our build tools will still have to manually fix.
@MichaelBelousov MichaelBelousov mentioned this issue Oct 20, 2022
Merged
@pmconne pmconne mentioned this issue Oct 21, 2022
Merged
@MichaelBelousov
Copy link
Contributor Author

the transitive dep pinning this recursive-readdir has gone 5 years without a publish and apparently had this minimatch vulnerability listed as an issue since march:
https://github.com/jergason/recursive-readdir/issues

so I'm not sure how long or if they will provide an update. @aruniverse you expressed being concerned that our build-tool consumers would need any override we ourselves add to our package manager.

jergason/recursive-readdir#85

does not seem to be any contributor response yet to this issue.

@MichaelBelousov
Copy link
Contributor Author

also as a note, this is a create-react-app transitive dependency because the dependency path goes through react-dev-tools

@aruniverse aruniverse added the good first issue Good for newcomers label Oct 21, 2022
@aruniverse
Copy link
Member

i didn't realize this was also a transitive dep coming from cra... thats going to be a pain.
for those that arent using cra, and using our build tools theyll still run into this issue.

@mattbjordan @evelynpreslar-bentley would be nice to refactor out the need for the recursive-readdir from itwin/build-tools if possible

@mattbjordan
Copy link
Contributor

@aruniverse How much of a hassle is it to fork or copy the recursive-readdir and upgrade the minimatch version ourselves? I suppose we want to keep this as a package for ease-of-use - so does that mean that this is the biggest hassle?

@aruniverse
Copy link
Member

I do not want to fork and continuously maintain them. the one fork we have now is already a pain

@raplemie raplemie mentioned this issue Oct 24, 2022
Merged
@mattbjordan mattbjordan mentioned this issue Oct 24, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aruniverse aruniverse

@mattbjordan mattbjordan

@evelynpreslar-bentley evelynpreslar-bentley

Labels
good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Replace use of recursive-readdir package with local implementation iTwin/itwinjs-core
4 participants
@aruniverse @mattbjordan @MichaelBelousov @evelynpreslar-bentley