Is v6 vulnerable?/Can the fix be backported? #576

Closed
1 task done
Tracked by #581
loren138 opened this issue Jun 26, 2023 · 4 comments
Labels
Bug thing that needs fixing Needs Triage needs an initial review

Comments


loren138 commented Jun 26, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

GitHub is flagging https://nvd.nist.gov/vuln/detail/CVE-2022-25883 on libraries such as babel that use semver v6.
These libraries cannot upgrade to v7 (see babel/babel#15720 (comment)), and as best I can tell semver v6 does not have the new Range function in question.

Expected Behavior

If v6 is vulnerable, could the fix be backported?
If not, can v6 be excluded from the security advisory? (Many of us work at companies where leadership expects there to be no open security advisories on our dependencies, so it's nicer if we can close them vs. having to explain that we don't use user input in that case and it's not a problem.)

Steps To Reproduce

Use babel, check github security advisories

Environment

No response

wraithgar (Member) commented

Yes, v6 is affected. The issue is in the range constructor itself; the advisory is incomplete.

Please see the discussion in #564. It is not currently planned given the age and state of the CI and testing, and the lack of a release process in those old versions. semver@7 was published in 2019, and the breaking changes were a code refactor, dropping old node versions, and using const/let/arrow functions.

ljharb (Contributor) commented Jun 26, 2023

@wraithgar I'm very interested in having the backport (since I'm permanently stuck on v6 on most projects due to the dropped node versions). I'd be more than happy to pull all the CI stuff onto a branch off of v6 and make a PR, if that's something you'd be willing to merge?

wraithgar (Member) commented

You can try, but IIRC the CI "stuff" isn't currently set up to handle back-ported publishes. It's not something we've tackled yet, nor put any priority into.

loren138 (Author) commented

Thanks for the link to discussion about this. I missed that PR.

Re others backporting: on the linked PR, it looks like Microsoft has already backported the fix to v5 and offered to backport it to v6 because those versions are used within VSCode: #564 (comment)
So I'm not sure there is a need for further work from the community; it seems like it's up to the maintainer(s) at this point.
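As an added example (not code from the semver project or from anyone in this thread), a Node script that walks a package-lock.json and reports every installed copy of semver, nested copies included, classified against what the maintainers state above. The patched 7.x release is not named in the thread, so it is assumed to be supplied by the caller from the advisory.

```javascript
// Added example, not code from the semver project or from anyone in this thread.
// Scans an npm package-lock.json ("packages" map, lockfileVersion 2/3) for every
// installed copy of semver and classifies it by what the maintainers state above:
// 5.x/6.x are affected by CVE-2022-25883 with no backport planned, so only the
// 7.x line can carry the fix. The patched 7.x release is not named in the thread,
// so the caller supplies it from the advisory; if omitted, 7.x copies are flagged.
const SEMVER_SUFFIX = 'node_modules/semver';

// "1.2.3" -> [1, 2, 3]; anything unparsable -> null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// One record per installed semver copy: which dependent pulled it in (nested
// copies are the babel situation from the issue), its version and a status.
function classifySemverCopies(lock, fixedMin) {
  const fixed = fixedMin ? parseVersion(fixedMin) : null;
  const report = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== SEMVER_SUFFIX && !path.endsWith('/' + SEMVER_SUFFIX)) continue;
    const dependent = path === SEMVER_SUFFIX
      ? '(root project)' : path.slice(0, -(SEMVER_SUFFIX.length + 1));
    const ver = parseVersion(meta.version);
    let status;
    if (!ver) status = 'unknown-version';
    else if (ver[0] < 7) status = 'affected-no-upstream-fix';  // v5/v6 per maintainers
    else if (!fixed) status = 'on-fixed-line-check-advisory';  // 7.x, compare by hand
    else if (compareVersions(ver, fixed) >= 0) status = 'fixed';
    else status = 'affected-upgrade-available';
    report.push({ dependent, version: meta.version, status });
  }
  return report;
}

// Constructed sample lockfile (not a real project): a 7.x copy at the root and
// a nested 6.x copy pulled in by a babel package, as the issue describes.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/semver': { version: '7.1.0' },
    'node_modules/@babel/core/node_modules/semver': { version: '6.2.0' },
  },
};
console.table(classifySemverCopies(SAMPLE_LOCK));
```

To audit a real project, replace the constructed sample with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass the advisory's patched version as the second argument.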
