Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Please backport CVE-2020-8116 security fix to 4.x. #63

Closed
davehensley opened this issue Aug 12, 2020 · 9 comments
Closed

Please backport CVE-2020-8116 security fix to 4.x. #63

davehensley opened this issue Aug 12, 2020 · 9 comments

Comments

@davehensley
Copy link

Based on the severity of CVE-2020-8116 and the fact that 4.x is still very commonly used as a dependency, I would like to kindly request for the fix to be backported to 4.x and released as (presumably) v4.2.1.

Would this be possible? Many thanks in advance.

@samstash
Copy link

samstash commented Aug 12, 2020

+1

Please consider reopening #61 . The v4 release line may be old but it's still used by many packages and is installed millions of times each week.

As a CVSS-high-severity vulnerability, we have had no option but to manually resolve to v5, introducing breaking changes to dozens of projects.

@Trott
Copy link

Trott commented Aug 12, 2020

I was trying to open a pull request for v4.2.0...Trott:sec-fix and came across this. I know it's an annoyance and that Node.js 6 and 8 are end-of-life, but that means users of upstream dependencies like serverless have to wait for a breaking change to get the security fix--even if they are running the latest Node.js and have been security-conscious otherwise. And then they have to endure the anxiety of a major release upgrade instead of a security patch. And it's not the user's fault. They've been staying up-to-date, etc.

I totally get the argument for not patching old release lines generally, and you certainly don't owe it to anyone, but if you can be persuaded to release a 4.2.1 in this particular instance, I think it would be a good thing.

And if not, hey, thanks for reading anyway.

@ruyadorno
Copy link

we're going to have to patch this for npm@6 so I'm proposing the idea of maintaining a legacy fork in order to be able to fix vulns warnings such as this for legacy release lines, it might be an ephemeral fork though it should stay around (in terms of receiving active maintenance) for as long as npm@6 is still around 😊 To get it:

npm install dot-prop@npm:dot-prop-legacy@latest


@sindresorhus I'd much prefer consolidating maintenance so let me know if you're open to have folks publish these versions over here in dot-prop itself instead of a fork 😄 but it's fine otherwise.

@davehensley
Copy link
Author

Thank you @ruyadorno for creating the legacy fork! It seems to already be very popular (52,171 downloads in less than 2 days).

@sindresorhus
Copy link
Owner

Sure. I didn't anticipate how many problems this would cause. I've published https://github.com/sindresorhus/dot-prop/tree/v4 as 4.2.1 (on the legacy dist tag).

@ruyadorno
Copy link

That's awesome! ❤️ Thanks Sindre!

@ruyadorno
Copy link

@sindresorhus I noticed the tag hasn't been pushed to the repo, maybe you want to push that in the future, just in case

@dominopetter
Copy link

Awesome!!! Big Thank You!

@sindresorhus
Copy link
Owner

I noticed the tag hasn't been pushed to the repo, maybe you want to push that in the future, just in case

Done: https://github.com/sindresorhus/dot-prop/releases/tag/v4.2.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants