
Update dependencies to fix vulnerability #20

Open · wants to merge 2 commits into main

Conversation

@D-ske104 D-ske104 commented Sep 9, 2024

Update dependencies to fix vulnerability

Fix #19

  • run npm update
  • update ws
  • update express
  • update webpack

No breaking changes.

| package | before | after | release note |
|---------|--------|-------|--------------|
| ws | 8.5.0 | 8.18.0 | https://github.com/websockets/ws/releases |
| express | 4.17.3 | 4.21.1 | https://github.com/expressjs/express/releases |
| webpack | 5.89.0 | 5.94.0 | https://github.com/webpack/webpack/releases |

run `npm update`

update ws

update express

update webpack

npm audit report

body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - GHSA-qwcr-r2fm-qrc7
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/body-parser
  express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/cookie

path-to-regexp  <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/path-to-regexp

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static

6 vulnerabilities (1 low, 2 moderate, 3 high)
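As an added check (not part of the PR or the liff-inspector project), the following script walks a `package-lock.json` (lockfile v2/v3 `packages` map) and reports any installed copy, nested ones included, that still falls inside the vulnerable ranges listed in the audit report above. The `SAMPLE_LOCK` lockfile is constructed for the demonstration; only `<X` and `<=X` ranges are handled, which is all this report needs.

```javascript
// Vulnerable ranges copied from the npm audit report in the PR description.
const ADVISORIES = [
  { name: "body-parser", range: "<1.20.3", id: "GHSA-qwcr-r2fm-qrc7" },
  { name: "cookie", range: "<0.7.0", id: "GHSA-pxg6-pf52-xh8x" },
  { name: "path-to-regexp", range: "<0.1.10", id: "GHSA-9wv6-86v2-598j" },
  { name: "send", range: "<0.19.0", id: "GHSA-m6fv-jmcg-4jfg" },
  { name: "serve-static", range: "<=1.16.0", id: "depends on vulnerable send" },
  { name: "express", range: "<=4.21.0", id: "depends on vulnerable body-parser etc." },
];

// Compare two "x.y.z[-pre]" versions numerically; a prerelease sorts below its release.
function compareVersions(a, b) {
  const [ma, pa] = a.split("-"), [mb, pb] = b.split("-");
  const na = ma.split(".").map(Number), nb = mb.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((na[i] || 0) !== (nb[i] || 0)) return (na[i] || 0) < (nb[i] || 0) ? -1 : 1;
  }
  if (!!pa !== !!pb) return pa ? -1 : 1;
  return 0;
}

// True when `version` is inside a "<X" or "<=X" vulnerable range.
function inRange(version, range) {
  const m = /^(<=?)(.+)$/.exec(range);
  const c = compareVersions(version, m[2]);
  return m[1] === "<" ? c < 0 : c <= 0;
}

// Walk every installed copy (including nested node_modules paths) and collect hits.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // "" for the root package
    for (const adv of ADVISORIES) {
      if (name === adv.name && inRange(entry.version, adv.range)) {
        hits.push({ path, version: entry.version, range: adv.range, id: adv.id });
      }
    }
  }
  return hits;
}

// Constructed sample lockfile: express and send are still at pre-fix versions.
const SAMPLE_LOCK = { packages: {
  "": { version: "1.0.0" },
  "node_modules/express": { version: "4.17.3" },
  "node_modules/body-parser": { version: "1.20.3" },
  "node_modules/send": { version: "0.18.0" },
  "node_modules/serve-static": { version: "1.16.2" },
} };
```

Run it against a real lockfile with `findVulnerable(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; an empty result means the ranges from this report are no longer present anywhere in the tree.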
@D-ske104 (Author) commented

Hi @cola119,

Thank you for your fantastic work on this package!

I've fixed the vulnerability reported in #19. When you have a moment, could you please review my Pull Request?

No rush at all—whenever you have time.

Thanks again!

@odanado (Member) commented Oct 15, 2024

@D-ske104
Thank you for your pull request. Please wait a moment while we check the difference.

@odanado (Member) commented Oct 15, 2024

There is an error with GitHub Actions.

Error: ../../node_modules/@types/node/stream/web.d.ts(469,56): error TS1005: '?' expected.
npm error Lifecycle script `build` failed with error:
npm error code 2
npm error path /home/runner/work/liff-inspector/liff-inspector/packages/headless-inspector-core
npm error workspace @line/headless-inspector-core@1.0.2
npm error location /home/runner/work/liff-inspector/liff-inspector/packages/headless-inspector-core
npm error command failed
npm error command sh -c tsc

It is likely that you will also need to update the TypeScript version. Could you check this?

@odanado odanado self-requested a review October 16, 2024 04:39
@odanado odanado added the status: in progress In Progress label Nov 20, 2024
Successfully merging this pull request may close these issues.

ws package affected by a DoS when handling a request with many HTTP headers