
Latest version of cli is pulling in insecure packages that have available patches #11543

Open
4 tasks
G-Rath opened this issue May 4, 2024 · 0 comments

G-Rath commented May 4, 2024

The latest version of the vercel cli is pulling in packages with known vulnerabilities that have available patches.

Current vulnerabilities:

While I don't believe any of these are exploitable in the context of this cli, they are a nuisance since non-breaking patches are available and security policies can make these expensive to ignore.

`npm audit` output as of 2024-05-05
```
# npm audit report

debug  4.0.0 - 4.3.0
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix --force`
Will install vercel@32.3.0, which is a breaking change
node_modules/@vercel/fun/node_modules/debug
  @vercel/fun  *
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of tar
  node_modules/@vercel/fun
    vercel  28.12.3 || 29.0.1 - 29.0.3 || >=32.0.2
    Depends on vulnerable versions of @vercel/fun
    Depends on vulnerable versions of @vercel/node
    node_modules/vercel

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install vercel@32.3.0, which is a breaking change
node_modules/@vercel/fun/node_modules/semver

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install vercel@32.3.0, which is a breaking change
node_modules/tar

undici  <=5.28.3
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - https://github.com/advisories/GHSA-m4v8-wqvr-p9f7
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect - https://github.com/advisories/GHSA-9qxr-qj54-h672
Undici proxy-authorization header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-3787-6prv-h9w3
fix available via `npm audit fix --force`
Will install vercel@32.3.0, which is a breaking change
node_modules/undici
  @vercel/node  2.14.0 || >=3.0.2
  Depends on vulnerable versions of undici
  node_modules/@vercel/node

7 vulnerabilities (3 low, 4 moderate)

To address all issues (including breaking changes), run:
  npm audit fix --force
```
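As an added triage example (not code from the issue author or from Vercel), the script below reads the JSON form of a report like the one above and, for each package that actually carries an advisory, shows the dependency path npm reports from the direct dependency down to it and whether the only fix npm offers is a semver-major bump of that root, which is exactly why `npm audit` labels a patch-level fix as "breaking" here. The sample report is constructed from the output above and reduced to the debug chain; the field names assume npm's `auditReportVersion: 2` JSON shape.

```python
import json

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
# reduced to the debug -> @vercel/fun -> vercel chain from the report above and
# to the fields this script reads. Advisory URL and ranges come from the issue.
SAMPLE_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "debug": {"name": "debug", "severity": "low", "isDirect": False,
              "via": [{"name": "debug",
                       "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c",
                       "range": "4.0.0 - 4.3.0"}],
              "effects": ["@vercel/fun"], "range": "4.0.0 - 4.3.0",
              "fixAvailable": {"name": "vercel", "version": "32.3.0", "isSemVerMajor": True}},
    "@vercel/fun": {"name": "@vercel/fun", "severity": "moderate", "isDirect": False,
                    "via": ["debug"], "effects": ["vercel"], "range": "*",
                    "fixAvailable": {"name": "vercel", "version": "32.3.0", "isSemVerMajor": True}},
    "vercel": {"name": "vercel", "severity": "moderate", "isDirect": True,
               "via": ["@vercel/fun"], "effects": [], "range": ">=32.0.2",
               "fixAvailable": {"name": "vercel", "version": "32.3.0", "isSemVerMajor": True}},
}})


def triage(audit_json: str) -> list:
    """One record per package that really carries an advisory (its `via` holds
    advisory objects, not just package names), with the path npm reports up to
    the direct dependency and whether npm's only offered fix is a major bump."""
    vulns = json.loads(audit_json)["vulnerabilities"]
    records = []
    for name, entry in vulns.items():
        advisories = [v for v in entry["via"] if isinstance(v, dict)]
        if not advisories:
            continue  # flagged only because it depends on a vulnerable package
        chain, cur = [name], name
        while vulns[cur]["effects"] and vulns[cur]["effects"][0] not in chain:
            cur = vulns[cur]["effects"][0]  # follow `effects` towards the root
            chain.append(cur)
        fix = entry["fixAvailable"]
        records.append({
            "package": name,
            "vulnerable_range": entry["range"],
            "advisories": [a["url"] for a in advisories],
            "path": " -> ".join(reversed(chain)),
            "fix_via": f'{fix["name"]}@{fix["version"]}' if isinstance(fix, dict) else fix,
            "fix_is_breaking": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
        })
    return records


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT):
        print(f'{r["package"]} {r["vulnerable_range"]}: {r["path"]}; '
              f'fix {r["fix_via"]} (breaking: {r["fix_is_breaking"]})')
```

Run against a real `npm audit --json` dump, the `path` field tells you which intermediate package (here `@vercel/fun`) pins the stale transitive version, so the report can be filed against that package rather than worked around at the root.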

Related issues and pull requests:

Zac-Benattar added a commit to Zac-Benattar/rt-trainer that referenced this issue May 9, 2024
Hoping that vercel/vercel#11543 gets resolved eventually