-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace undici with native https.request #26
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you check until which version it will work?
46db233
to
022a155
Compare
022a155
to
ed9b719
Compare
From docs:
|
I'm going to publish a |
Available at |
Validations. v8.17.0$ npx is-my-node-vulnerable@1.6.1-canary
...
npx: installed 57 in 6.054s
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
v8.17.0 is end-of-life. There are high chances of being vulnerable. Please upgrade it. v10.24.1$ npx is-my-node-vulnerable@1.6.1-canary
npx: installed 57 in 2.901s
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
v10.24.1 is end-of-life. There are high chances of being vulnerable. Please upgrade it. v12.22.12$ npx is-my-node-vulnerable@1.6.1-canary
npx: installed 57 in 2.669s
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
v12.22.12 is end-of-life. There are high chances of being vulnerable. Please upgrade it. v14.21.3$ npx is-my-node-vulnerable@1.6.1-canary
npx: installed 57 in 3.499s
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
v14.21.3 is end-of-life. There are high chances of being vulnerable. Please upgrade it. v16.20.2$ npx is-my-node-vulnerable@1.6.1-canary
Need to install the following packages:
is-my-node-vulnerable@1.6.1-canary
Ok to proceed? (y) y
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
v16.20.2 is end-of-life. There are high chances of being vulnerable. Please upgrade it. v18.17.0$ npx is-my-node-vulnerable@1.6.1-canary
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
The current Node.js version (v18.17.0) is vulnerable to the following CVEs:
CVE-2023-32002: The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
Patched versions: ^16.20.2 || ^18.17.1 || ^20.5.1
=
CVE-2023-32006: The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
Patched versions: ^16.20.2 || ^18.17.1 || ^20.5.1
=
CVE-2023-32559: The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') run arbitrary code, outside of the limits defined in a policy.json file.
Patched versions: ^16.20.2 || ^18.17.1 || ^20.5.1
=
CVE-2023-45143(low): Cookie headers are not cleared in cross-domain redirect in undici-fetch (High)
Patched versions: ^18.18.2 || ^20.8.1
=
CVE-2023-44487(high): Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound causes denial of service (High)
Patched versions: ^18.18.2 || ^20.8.1
=
CVE-2023-38552(medium): Integrity checks according to experimental policies can be circumvented (Medium)
Patched versions: ^18.18.2 || ^20.8.1
=
CVE-2023-39333(low): Code injection via WebAssembly export names (Low)
Patched versions: ^18.18.2 || ^20.8.1
=
CVE-2023-46809(medium): A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel during PKCS#1 v1.5 padding error handling.
Patched versions: ^18.19.1 || ^20.11.1 || ^21.6.2
=
CVE-2024-21892(high): Code injection and privilege escalation through Linux capabilities
Patched versions: ^18.19.1 || ^20.11.1 || ^21.6.2
=
CVE-2024-22019(high): A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS).
Patched versions: ^18.19.1 || ^20.11.1 || ^21.6.2
=
CVE-2024-22025: A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.
Patched versions: ^18.19.1 || ^20.11.1 || ^21.6.2
=
CVE-2024-27983(high): An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
Patched versions: ^18.20.1 || ^20.12.1 || ^21.7.2
=
CVE-2024-27982(medium): The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
Patched versions: ^18.20.1 || ^20.12.1 || ^21.7.2
=
CVE-2024-22020(medium): A security flaw in Node.js allows a bypass of network import restrictions.
By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.
Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.
Exploiting this flaw can violate network import security, posing a risk to developers and servers.
Patched versions: ^18.20.4 || ^20.15.1 || ^22.4.1
= v18.20.4$ npx is-my-node-vulnerable@1.6.1-canary
█████ ██ ██ ██████ ██████ ██████ ██████ ██
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
███████ ██ ██ ██ ███ ██ ██ ██ ██ ██ ██ ██
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ███████ ██████ ██████ ██████ ██████ ██ Not done for <v8.x as it fails because of some dependency failures from |
This was tested in Should we release |
No need. We can ship v1.6.1 with both PRs |
Refs: #20 (comment)