Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update package-json to >=8.0.0 for vulnerability in got >= 12.0.0, < 12.1.0, < 11.8.5 #2028

Closed
imutkarshpatil opened this issue Jun 23, 2022 · 10 comments · Fixed by #2033
Closed
Labels

Comments

@imutkarshpatil
Copy link

Environment

  • nodemon -v: 2.0.15
  • node -v: v14.18.1
  • Operating system/terminal environment: macOS 12.5

Issue

nodemon@2.0.15 requires got@^9.6.0 via a transitive dependency on package-json@6.5.0

Possible fix

  • Upgrade dependency version of package-json to >=8.0.0 as it points to fixed dependency for got >12.1.0
@gaborszita
Copy link
Contributor

Duplicate of: #2023

@remy
Copy link
Owner

remy commented Jun 23, 2022

Releasing now.

@remy remy closed this as completed Jun 23, 2022
@kevinswarner
Copy link

I am not sure this was resolved. When I install the latest nodemon, and then run an audit, I get the following results...


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Got allows a redirect to a UNIX socket                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ got                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=11.8.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nodemon > update-notifier > latest-version > package-json >  │
│               │ got                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-pfrx-2q88-qq97            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 1474 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Perhaps I did not update nodemon correctly?

Thanks!

@gaborszita
Copy link
Contributor

@kevinswarner Can you show me your package.json and package-lock.json files? I can setup a project with these files on my computer and check if I get the same error.

@remy
Copy link
Owner

remy commented Jun 23, 2022

Had to revert, it borked people's install.

@kevinswarner
Copy link

Here are my deps and dev deps. I deleted my lock file and reinstalled, but got the same result.

"dependencies": {
    "@aws-sdk/client-dynamodb": "^3.21.0",
    "@aws-sdk/client-s3": "^3.23.0",
    "@aws-sdk/lib-storage": "^3.32.0",
    "@aws-sdk/s3-request-presigner": "^3.81.0",
    "@aws-sdk/util-dynamodb": "^3.21.0",
    "@digital-u/digital-university-models": "0.2.29",
    "@digital-u/digital-university-vendors": "^1.4.2",
    "@sendgrid/mail": "^7.4.2",
    "apollo-server": "^3.5.0",
    "apollo-server-core": "^3.3.0",
    "apollo-server-express": "^3.3.0",
    "bluebird": "^3.7.2",
    "bunyan": "^1.8.15",
    "cheerio": "^1.0.0-rc.10",
    "dayjs": "^1.11.0",
    "dotenv": "^8.2.0",
    "express": "^4.17.1",
    "graphql": "^15.5.3",
    "graphql-scalars": "^1.10.1",
    "graphql-type-json": "^0.3.2",
    "graphql-upload": "^15.0.1",
    "jsdom": "^16.4.0",
    "json-rules-engine": "^6.0.1",
    "json2csv": "^5.0.7",
    "jsonwebtoken": "^8.5.1",
    "keycloak-admin": "^1.14.4",
    "lodash": "^4.17.15",
    "mime-types": "^2.1.27",
    "nodemailer": "^6.7.1",
    "openid-client": "^4.2.2",
    "request": "2.88.2",
    "string-hash": "^1.1.3",
    "uuid": "^8.3.1"
  },
  "devDependencies": {
    "@babel/cli": "^7.15.7",
    "@babel/core": "^7.11.6",
    "@babel/node": "^7.10.5",
    "@babel/preset-env": "^7.11.5",
    "@digital-u/digital-university-wait": "^0.2.1",
    "@types/graphql-upload": "^8.0.11",
    "jest": "^27.5.1",
    "nodemon": "^2.0.18",
    "supertest": "^4.0.2",
    "xo": "^0.45.0"
  }

@gaborszita
Copy link
Contributor

Had to revert, it borked people's install.

Okay, so we now have v2.0.17 that uses the new update-notifier, but v2.0.18 reverted this change, because v2.0.17 broke people's install. But that means v2.0.18 still has the vulnerability. So... how is this going to be fixed?

@gaborszita
Copy link
Contributor

Here are my deps and dev deps. I deleted my lock file and reinstalled, but got the same result.

"dependencies": {
    "@aws-sdk/client-dynamodb": "^3.21.0",
    "@aws-sdk/client-s3": "^3.23.0",
    "@aws-sdk/lib-storage": "^3.32.0",
    "@aws-sdk/s3-request-presigner": "^3.81.0",
    "@aws-sdk/util-dynamodb": "^3.21.0",
    "@digital-u/digital-university-models": "0.2.29",
    "@digital-u/digital-university-vendors": "^1.4.2",
    "@sendgrid/mail": "^7.4.2",
    "apollo-server": "^3.5.0",
    "apollo-server-core": "^3.3.0",
    "apollo-server-express": "^3.3.0",
    "bluebird": "^3.7.2",
    "bunyan": "^1.8.15",
    "cheerio": "^1.0.0-rc.10",
    "dayjs": "^1.11.0",
    "dotenv": "^8.2.0",
    "express": "^4.17.1",
    "graphql": "^15.5.3",
    "graphql-scalars": "^1.10.1",
    "graphql-type-json": "^0.3.2",
    "graphql-upload": "^15.0.1",
    "jsdom": "^16.4.0",
    "json-rules-engine": "^6.0.1",
    "json2csv": "^5.0.7",
    "jsonwebtoken": "^8.5.1",
    "keycloak-admin": "^1.14.4",
    "lodash": "^4.17.15",
    "mime-types": "^2.1.27",
    "nodemailer": "^6.7.1",
    "openid-client": "^4.2.2",
    "request": "2.88.2",
    "string-hash": "^1.1.3",
    "uuid": "^8.3.1"
  },
  "devDependencies": {
    "@babel/cli": "^7.15.7",
    "@babel/core": "^7.11.6",
    "@babel/node": "^7.10.5",
    "@babel/preset-env": "^7.11.5",
    "@digital-u/digital-university-wait": "^0.2.1",
    "@types/graphql-upload": "^8.0.11",
    "jest": "^27.5.1",
    "nodemon": "^2.0.18",
    "supertest": "^4.0.2",
    "xo": "^0.45.0"
  }

You need to use v2.0.17, read my last comment. It seems there are some issues with bumping update-notifier to the new version, so let's just wait for a fix.

@gaborszita
Copy link
Contributor

By reading issue #2031 we can see that due to issues with update-notifier the project owner plans to drop this dependency entirely in the next release. So, hopefully, this will get fixed in the next release. Until then, I recommend using v2.0.17 if it doesn't break your install, and otherwise use v2.0.18 or v2.0.16.

remy pushed a commit that referenced this issue Jul 5, 2022
Closes #1961
Closes #2028

- Fixes security issue with got (CVE-2022-33987)
- Replace update-notifier with simple-update-notifier which does the same thing but has one dependency (semver) rather than several
- Same caching settings as update-notifier

Congratulations and thanks to @alexbrazier 👏 🥇 ❤️
@github-actions
Copy link

github-actions bot commented Jul 5, 2022

🎉 This issue has been resolved in version 2.0.19 🎉

The release is available on:

Your semantic-release bot 📦🚀

slifty added a commit to PermanentOrg/sftp-service that referenced this issue Jul 14, 2022
Dependabot flagged a security issue with one of nodemon's dependencies.

That issue is resolved in 2.0.19 as discussed in the nodemon repo[1].

[1] remy/nodemon#2028
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants