CVE-2024-45296 #225

Closed
curtdept opened this issue Sep 9, 2024 · 6 comments · Fixed by #226

Comments

curtdept commented Sep 9, 2024

Looks like nise is pulling in a vulnerable version of path-to-regexp

GHSA-9wv6-86v2-598j
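The first thing to establish for a transitive dependency like this is which copies of path-to-regexp are actually installed and which packages resolve to each one, since a hoisted copy at the top level and a nested copy under nise can be different versions. The following is an added example, not code from this issue, nise or sinon: it walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3), resolves each dependent's copy the way npm's node_modules lookup does, and flags copies below a minimum version you take from the advisory. The lockfile contents and the package versions in it are constructed for the example, and the `8.1.0` threshold is an assumption taken from the release this thread moved to, not from the advisory's own fixed-version list.

```javascript
// Added example (not from nise/sinon): audit an npm lockfile for every installed
// copy of a package and which packages depend on each copy.

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes are ignored here).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Last path segment after "node_modules/": "node_modules/a/node_modules/b" -> "b".
function keyToName(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? key : key.slice(idx + 'node_modules/'.length);
}

// Mimic Node's resolution from package `fromKey` ('' is the project root):
// look in fromKey/node_modules/<name>, then in each ancestor's node_modules.
function resolveFrom(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = base === '' ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Returns one record per installed copy of `name`, sorted by lockfile path:
// { path, version, dependents, vulnerable } where vulnerable means
// version < minFixedVersion.
function auditLockfile(lock, name, minFixedVersion) {
  const packages = lock.packages || {};
  const copies = new Map();
  for (const [key, meta] of Object.entries(packages)) {
    // The root entry lists devDependencies separately; nested entries use dependencies.
    const deps = { ...(meta.dependencies || {}), ...(meta.devDependencies || {}) };
    if (!(name in deps)) continue;
    const resolved = resolveFrom(packages, key, name);
    if (resolved === null) continue; // missing install; npm would report this too
    if (!copies.has(resolved)) {
      const version = packages[resolved].version;
      copies.set(resolved, {
        path: resolved,
        version,
        dependents: [],
        vulnerable: compareSemver(version, minFixedVersion) < 0,
      });
    }
    copies.get(resolved).dependents.push(key === '' ? '<root>' : keyToName(key));
  }
  return [...copies.values()].sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// Constructed sample lockfile (versions are illustrative, not the real nise/sinon ones):
// the app depends on a fixed path-to-regexp at top level, but nise still resolves to
// an older nested copy, which is exactly the case `npm ls path-to-regexp` would show.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { 'path-to-regexp': '^8.1.0' }, devDependencies: { sinon: '^17.0.0' } },
    'node_modules/path-to-regexp': { version: '8.1.0' },
    'node_modules/sinon': { version: '17.0.0', dependencies: { nise: '^5.1.5' } },
    'node_modules/nise': { version: '5.1.5', dependencies: { 'path-to-regexp': '^1.7.0' } },
    'node_modules/nise/node_modules/path-to-regexp': { version: '1.8.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // On a real project: JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))
  console.log(JSON.stringify(auditLockfile(sampleLock, 'path-to-regexp', '8.1.0'), null, 2));
}
```

The `dependents` list is what tells you whether bumping your own direct dependency helps at all: in the sample, the root already has the newer copy, but nise still resolves to the nested 1.x copy, so only a nise (and therefore sinon) release that changes its own range fixes it.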

dzq-stars commented

Any solutions?

alexpech12 (Contributor) commented

Latest release of path-to-regexp includes the pathToRegexp function again https://github.com/pillarjs/path-to-regexp/releases/tag/v8.1.0

Tests fail for me though...

alexpech12 (Contributor) commented Sep 10, 2024

#226

~~Still one failing test~~ Tests are green

fatso83 (Contributor) commented Sep 10, 2024

Great, thanks for putting in the work, @alexpech12 !

skazantsev commented

@fatso83 would it be possible to backport the fix into v5.x.x so that versions 11.x - 17.x of sinon receive this fix without needing to update to 18.x?

fatso83 (Contributor) commented Sep 10, 2024

@skazantsev That would be possible, but it's not as easy as it sounds. Refer to this issue: googleapis/nodejs-bigquery-storage#475

Upgrading path-to-regexp to version 8 means requiring Node versions >= 16, which means we would break compatibility with our supported versions (at the point of release of those major versions).
