Npm audit finding severity "high" pac-resolver -> 5.0.0 #691

Closed
sjkummer opened this issue Sep 27, 2021 · 3 comments
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ pac-resolver                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @nestjs-modules/mailer                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @nestjs-modules/mailer > inline-css > extract-css >          │
│               │ href-content > remote-content > superagent-proxy >           │
│               │ proxy-agent > pac-proxy-agent > pac-resolver                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1784                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


ArielPrevu3D commented Sep 27, 2021

It looks like the inline-css and extract-css do not have a fix for this. The closest dependency to pac-resolver in the chain that provides a fix is superagent-proxy@3.0.0.

https://nvd.nist.gov/vuln/detail/CVE-2021-23406

It seems like forcing degenerator@3.0.1 using npm-force-resolutions is a viable workaround.

EDIT: never mind, only vulnerable versions of degenerator seem to be compatible with nest mailer
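An added triage example (not from this thread or from the mailer project): it walks an `npm ls --all --json`-style tree and reports every path to a `pac-resolver` below the patched 5.0.0, so you can confirm whether a forced resolution actually removed the vulnerable copy. The tree and all intermediate version numbers are constructed placeholders mirroring the "Path" row of the audit table.

```javascript
// Added example: find every dependency path ending in a package whose version is
// below the advisory's patched release. Feed it JSON.parse(execSync("npm ls --all --json"))
// in practice; here the tree is CONSTRUCTED to mirror the audit table above.

const PATCHED = "5.0.0"; // from the advisory: pac-resolver fixed in >=5.0.0

// True if dotted version a < b. Pre-release suffixes are ignored; this is a triage
// helper, not a full semver implementation.
function versionLessThan(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Depth-first walk over each node's `dependencies` map; returns "a > b > c@ver"
// strings for every occurrence of `pkg` older than `patched`.
function findVulnerablePaths(tree, pkg, patched) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const next = [...path, name];
      if (name === pkg && child.version && versionLessThan(child.version, patched)) {
        hits.push(`${next.join(" > ")}@${child.version}`);
      }
      walk(child, next);
    }
  };
  walk(tree, []);
  return hits;
}

// Build a single nested chain of [name, version] pairs (outermost first).
function chain(pairs) {
  let node = null;
  for (let i = pairs.length - 1; i >= 0; i--) {
    const [name, version] = pairs[i];
    node = { dependencies: { [name]: node ? { version, ...node } : { version } } };
  }
  return node;
}

// Placeholder versions (constructed); only the package order comes from the audit.
const sampleTree = Object.assign({ name: "my-app" }, chain([
  ["@nestjs-modules/mailer", "1.6.0"], ["inline-css", "3.0.0"], ["extract-css", "1.2.0"],
  ["href-content", "1.1.0"], ["remote-content", "1.2.0"], ["superagent-proxy", "2.1.0"],
  ["proxy-agent", "4.0.1"], ["pac-proxy-agent", "4.1.0"], ["pac-resolver", "4.2.0"],
]));

console.log(findVulnerablePaths(sampleTree, "pac-resolver", PATCHED));
```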


alumni commented Oct 13, 2021

Besides pac-resolver and degenerator, inline-css brings 2 other packages with security issues: css-what and nth-check.

See:


holm commented Nov 10, 2021

Perhaps a better strategy would be to have inline-css as an optional dependency? It also seems to bring with it an incredible amount of dependencies, which would be nice to avoid if you don't want to use that feature.
