
Update decompress dependency to current (4.2.0 at time of writing) #7034


@gallafent

NWJS Version : 0.37.3
Operating System : Windows 10 Professional x64

Expected behavior

Nw.js and its dependencies should be free of known vulnerabilities at the time of release.

Actual behavior

Nw.js depends on an outdated version of decompress which has a dependency chain including a vulnerable version of braces:

$ npm audit
=== npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Low             Regular Expression Denial of Service

  Package         braces

  Patched in      >=2.3.1

  Dependency of   nw

  Path            nw > decompress > vinyl-fs > glob-stream > micromatch >
                  braces

  More info       https://nodesecurity.io/advisories/786

found 1 low severity vulnerability in 8255 scanned packages
  1 vulnerability requires manual review. See the full report for details.

How to reproduce

npm install --save-dev nw

  • installation is successful but the summary output includes the line:
found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Full audit report as above. package-lock.json includes the section:

    "nw": {
      "version": "0.37.3",
      "resolved": "https://registry.npmjs.org/nw/-/nw-0.37.3.tgz",
      "integrity": "sha512-dUVBEOlFDGXM/m7H5zTL7+WskAB/gJTTo3bt6xC/zbfPxm2dPe65uGXt7+SSmw29MtS59q2CtqxKCWzWjYC4kw==",
      "requires": {
        "chalk": "~1.1.3",
        "decompress": "^3.0.0",
        "download": "^5.0.3",
        "file-exists": "^2.0.0",
        "merge": "^1.2.0",
        "multimeter": "^0.1.1",
        "rimraf": "^2.2.8",
        "semver": "^5.1.0",
        "yargs": "^3.2.1"
      }
    }

Bumping the dependency of decompress to ^4.0.0 or later (^4.2.0 is current) would remove the dependency on vinyl-fs, which is the culprit which draws in the vulnerable version of braces. The changes from 3.0.0 to 4.2.0 in decompress do not look dramatic, so I hope this dependency update should be straightforward to achieve!

@rogerwang
Member

Thanks for reporting. This is fixed in git and will be published soon.
