
npm-run-all is reported as having a moderate severity vulnerability #257

Open
mind-bending-forks opened this issue Jun 23, 2023 · 4 comments · May be fixed by #258

Comments

@mind-bending-forks

As of today (23 June 2023), running npm audit on a project that uses npm-run-all results in the following audit report:

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install npm-run-all@4.1.2, which is a breaking change
node_modules/semver
  cross-spawn  6.0.0 - 6.0.5
  Depends on vulnerable versions of semver
  node_modules/cross-spawn
    npm-run-all  >=1.8.0
    Depends on vulnerable versions of cross-spawn
    Depends on vulnerable versions of read-pkg
    node_modules/npm-run-all
  normalize-package-data  <=2.5.0
  Depends on vulnerable versions of semver
  node_modules/normalize-package-data
    read-pkg  <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/read-pkg

The vulnerability is arising from npm-run-all's dependency on the semver package, which is reported as being vulnerable to Regular Expression Denial of Service: GHSA-c2qf-rxjj-qqgw

Trying npm audit fix --force does not work, at least not for me.

A fix for semver is available: https://github.com/npm/node-semver/releases/tag/v7.5.3

Please update npm-run-all's dependency tree to address this vulnerability.

@paulcdejean paulcdejean linked a pull request Jun 25, 2023 that will close this issue
@jamesst20

You may want to check https://github.com/bcomnes/npm-run-all2 which is a newer, up to date fork.

@langthiennhai

> You may want to check https://github.com/bcomnes/npm-run-all2 which is a newer, up to date fork.

npm-run-all2 also gives the same error as npm-run-all

@jamesst20

> > You may want to check https://github.com/bcomnes/npm-run-all2 which is a newer, up to date fork.
>
> npm-run-all2 also gives the same error as npm-run-all

Install only one at a time. Install npm-run-all2 and run the command without the number 2.

@langthiennhai

> > > You may want to check https://github.com/bcomnes/npm-run-all2 which is a newer, up to date fork.
> >
> > npm-run-all2 also gives the same error as npm-run-all
>
> Install only one at a time. Install npm-run-all2 and run the command without the number 2.

Ran npm-run-all2 with no errors. But there is an audit error:

npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/eslint-plugin-import/node_modules/semver
node_modules/semver
  eslint-plugin-import  >=2.27.4
  Depends on vulnerable versions of semver
  node_modules/eslint-plugin-import
  normalize-package-data  <=2.5.0
  Depends on vulnerable versions of semver
  node_modules/normalize-package-data
    read-pkg  <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/read-pkg
      npm-run-all2  *
      Depends on vulnerable versions of read-pkg
      node_modules/npm-run-all2
