IonicaBizau/parse-url

Incorrect version 6.0.2 published!

Closed this issue · 8 comments

Hi,
I did an update of parse-url to version 6.0.2 and I'm a little bit confused about the parse-path version used.

I can't find a tag for 6.0.2 therefore it's hard to track this change.

You can see the difference if you download the corresponding tarballs:

It seems that an incorrect version was published as 6.0.2. The changes for CVE-2022-0722 are missing!

Expected changes for CVE:

[screenshot: expected changes for the CVE]

Dependencies of 6.0.1

  "dependencies": {
    "is-ssh": "^1.4.0",
    "normalize-url": "^6.1.0",
    "parse-path": "^5.0.0",
    "protocols": "^2.0.1"
  },

Dependencies of 6.0.2

  "dependencies": {
    "is-ssh": "^1.3.0",
    "normalize-url": "^6.1.0",
    "parse-path": "^4.0.4",
    "protocols": "^1.4.0"
  },
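As an added example (not code from the parse-url project or from anyone in this thread): a small script that flags dependency floors moving backwards between two releases, using the two dependency blocks quoted above as its input. A patch release whose dependency minimums go down is exactly the signal this report is about, and it can be checked mechanically before a Dependabot PR is merged. The names `findDowngrades`, `minVersion` and `compareVersions` are my own; the range parser only understands caret, tilde, `>=` and exact versions and reports anything else as unparsed rather than guessing.

```javascript
// Added example, not part of parse-url: flag dependency range downgrades
// between two consecutive package.json "dependencies" blocks.

// Sample input: the two dependency blocks quoted in the issue above.
const DEPS_6_0_1 = {
  "is-ssh": "^1.4.0",
  "normalize-url": "^6.1.0",
  "parse-path": "^5.0.0",
  "protocols": "^2.0.1",
};
const DEPS_6_0_2 = {
  "is-ssh": "^1.3.0",
  "normalize-url": "^6.1.0",
  "parse-path": "^4.0.4",
  "protocols": "^1.4.0",
};

// Minimum version satisfying a simple range: "^1.2.3", "~1.2.3", ">=1.2.3", "1.2.3".
// Anything else (e.g. "*", "1.x", "||" unions) is returned as null, not guessed.
function minVersion(range) {
  const m = /^(?:\^|~|>=)?\s*(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns findings for every dependency of prevDeps whose floor went down,
// was removed, or could not be parsed in nextDeps. Unchanged deps produce nothing.
function findDowngrades(prevDeps, nextDeps) {
  const findings = [];
  for (const [name, prevRange] of Object.entries(prevDeps)) {
    const nextRange = nextDeps[name];
    if (nextRange === undefined) {
      findings.push({ name, kind: "removed", from: prevRange });
      continue;
    }
    const prevMin = minVersion(prevRange);
    const nextMin = minVersion(nextRange);
    if (!prevMin || !nextMin) {
      findings.push({ name, kind: "unparsed", from: prevRange, to: nextRange });
      continue;
    }
    if (compareVersions(nextMin, prevMin) < 0) {
      findings.push({
        name,
        // A major-version drop is the strongest signal of a build from older source.
        kind: prevMin[0] !== nextMin[0] ? "major-downgrade" : "downgrade",
        from: prevRange,
        to: nextRange,
      });
    }
  }
  return findings;
}

// Stand-alone run: lists the three downgrades between 6.0.1 and 6.0.2.
if (typeof require !== "undefined" && require.main === module) {
  console.log(findDowngrades(DEPS_6_0_1, DEPS_6_0_2));
}
```

Run against the two blocks above it reports is-ssh as a minor downgrade and parse-path and protocols as major downgrades; normalize-url, whose range is unchanged, is silent.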

I am a little confused, too. Having 6.0.2 in npm with Dependabot making automated pull requests upgrading to it, while no such tag exists in the Git repository, looks somewhat suspicious to me.

I would also appreciate having an explanation of the three different major version lineages (5, 6, 7) in the readme, to be able to make informed decisions about upgrading and preparing for possible regressions.

I am really sorry that this happened. I published 6.0.3 to patch the wrong version 6.0.2. Hopefully that should fix it. Let me know if you run into any issues with that.

Hi @IonicaBizau,
Should 6.0.3 include the fix of https://nvd.nist.gov/vuln/detail/CVE-2022-0722 ?

I expected a version which is similar to 6.0.1

  1. Updated dependencies e.g. parse-path:^5.0.0
  2. And the use of the GIT_RE regex
    [screenshot: GIT_RE usage]

Or is the tag and published package 6.0.1 wrong?

I checked that, but it turns out 6.0.1 is wrong too. So, do not use 6.0.1 and 6.0.2. 6.0.3 is fine but got published with the const keywords, which I guess should be fine, but just to make sure I republished 6.0.0 as 6.0.4.

So, either use 6.0.4 or upgrade to the latest releases which are more secure.

Sorry for the confusion.

Hi @IonicaBizau,
thank you for your quick response and sorry to bother you again.

Just to clarify, more secure means that 6.0.4 includes the fix for CVE-2022-0722. Am I right?

Have you already requested an update of CVE-2022-0722 and GHSA-4p35-cfcx-8653?

If not, I can do that if you want.

Regarding the wrong 6.0.1:
Am I missing something? I compared 6.0.1 and 6.0.4 and both versions are equal except for the version number.

Could you please be so kind and create a tag for 6.0.4?

Thanks in advance!

@curvedriver Yes, that seems to be fixed in 6.0.4:

> require("parse-url")("http://firstdomain.com%40jflsdk.com:20200@google.com/path/name?foo=bar&bar=42#some-hash")
{
  protocols: [ 'http' ],
  protocol: 'http',
  port: '',
  resource: 'google.com',
  user: 'firstdomain.com%40jflsdk.com',
  password: '20200',
  pathname: '/path/name',
  hash: 'some-hash',
  search: 'foo=bar&bar=42',
  href: 'http://firstdomain.com%40jflsdk.com:20200@google.com/path/name?foo=bar&bar=42#some-hash',
  query: { foo: 'bar', bar: '42' }
}

If you could request an update, it would be great!
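Added example, not part of the project or of the comment above: a defender-side cross-check that compares the `resource` (host) a regex-based parser reports against what Node's built-in WHATWG `URL` parser resolves for the same href. The WHATWG parser treats everything up to the last `@` in the authority as userinfo, so for the URL in the REPL output above it resolves the host to `google.com`; a result whose `resource` disagrees with that should be rejected rather than trusted. The first sample result is the maintainer's 6.0.4 output copied from above; the second is a constructed, hypothetical result with the wrong host. `checkHostAgreement`, `whatwgHost` and `isAllowedHost` are names I chose.

```javascript
// Added example (not parse-url code): validate a parser's host against the
// platform WHATWG URL parser before acting on it (allowlists, SSRF checks, etc.).

// The href from the REPL session above.
const HREF =
  "http://firstdomain.com%40jflsdk.com:20200@google.com/path/name?foo=bar&bar=42#some-hash";

// Constructed sample 1: the 6.0.4 result shown in the thread (fields we compare).
const RESULT_OK = {
  protocol: "http",
  resource: "google.com",
  user: "firstdomain.com%40jflsdk.com",
  password: "20200",
  pathname: "/path/name",
};
// Constructed sample 2: a hypothetical result that took the host from before the "@".
const RESULT_BAD = { ...RESULT_OK, resource: "firstdomain.com" };

// Reference parse with the WHATWG URL parser; null when it rejects the input.
function whatwgHost(href) {
  try {
    const u = new URL(href);
    return {
      protocol: u.protocol.replace(/:$/, ""),
      host: u.hostname,
      username: u.username,
      password: u.password,
    };
  } catch (_e) {
    return null;
  }
}

// Returns { ok: true } when the library result and the WHATWG parse agree on
// scheme and host, otherwise { ok: false, reason }. Hosts are compared
// case-insensitively because DNS names are.
function checkHostAgreement(href, parsed) {
  const ref = whatwgHost(href);
  if (!ref) return { ok: false, reason: "WHATWG parser rejected the URL" };
  if (ref.protocol !== parsed.protocol) {
    return { ok: false, reason: `protocol mismatch: ${parsed.protocol} vs ${ref.protocol}` };
  }
  if (ref.host.toLowerCase() !== String(parsed.resource).toLowerCase()) {
    return { ok: false, reason: `host mismatch: ${parsed.resource} vs ${ref.host}` };
  }
  return { ok: true };
}

// Allowlist decision that uses the WHATWG host, never the library's resource field.
function isAllowedHost(href, allowlist) {
  const ref = whatwgHost(href);
  return ref !== null && allowlist.includes(ref.host.toLowerCase());
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkHostAgreement(HREF, RESULT_OK));  // { ok: true }
  console.log(checkHostAgreement(HREF, RESULT_BAD)); // host mismatch
}
```

The design point is that the allowlist decision never consumes the library's `resource` directly: the library result is only accepted when it agrees with the platform parser, and the policy check itself runs on the platform parser's hostname.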

6.0.4 and 6.0.0 are identical. I published 6.0.4 to patch the unexpected versions 6.0.2 and 6.0.3 (which belong rather to 7.x.x).

I have just created the tag 6.0.4. Let me know if you have any other questions. ❇️

Hi @IonicaBizau,
the published versions 6.0.4 and 6.0.0 are not the same, and the tag 6.0.4 differs from the content of the published parse-url:6.0.4 package.

I used git diff for a better visualization.

Published npm package 6.0.0 vs npm package 6.0.4

diff --git a/npm/parse-url-6.0.0/package/lib/index.js b/npm/parse-url-6.0.4/package/lib/index.js
index 6e194fa..0ee0236 100644
--- a/npm/parse-url-6.0.0/package/lib/index.js
+++ b/npm/parse-url-6.0.4/package/lib/index.js
@@ -1,5 +1,7 @@
 "use strict";

+// Dependencies
+
 var _typeof = typeof Symbol === "function" && typeof Symbol.iterator === "symbol" ? function (obj) { return typeof obj; } : function (obj) { return obj && typeof Symbol === "function" && obj.constructor === Symbol && obj !== Symbol.prototype ? "symbol" : typeof obj; };

 var parsePath = require("parse-path"),
@@ -14,7 +16,7 @@ var parsePath = require("parse-path"),
  * @name parseUrl
  * @function
  * @param {String} url The input url.
- * @param {Boolean|Object} normalize Wheter to normalize the url or not.
+ * @param {Boolean|Object} normalize Whether to normalize the url or not.
  *                         Default is `false`. If `true`, the url will
  *                         be normalized. If an object, it will be the
  *                         options object sent to [`normalize-url`](https://github.com/sindresorhus/normalize-url).
@@ -34,12 +36,17 @@ var parsePath = require("parse-path"),
  *    - `href` (String): The input url.
  *    - `query` (Object): The url querystring, parsed as object.
  */
-function parseUrl(url) {
+var parseUrl = function parseUrl(url) {
     var normalize = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : false;

+
+    // Constants
+    var GIT_RE = /((git@|http(s)?:\/\/)([\w\.@]+)(\/|:))(([\~,\w,\-,\_,\/]+)(.git){0,1}((\/){0,1}))/;
+
     if (typeof url !== "string" || !url.trim()) {
         throw new Error("Invalid url.");
     }
+
     if (normalize) {
         if ((typeof normalize === "undefined" ? "undefined" : _typeof(normalize)) !== "object") {
             normalize = {
@@ -48,8 +55,22 @@ function parseUrl(url) {
         }
         url = normalizeUrl(url, normalize);
     }
+
     var parsed = parsePath(url);
+
+    // Potential git-ssh urls
+    if (parsed.protocol === "file") {
+        var matched = parsed.href.match(GIT_RE);
+        if (matched) {
+            parsed.protocols = ["ssh"];
+            parsed.protocol = "ssh";
+            parsed.resource = matched[4];
+            parsed.user = "git";
+            parsed.pathname = "/" + matched[6];
+        }
+    }
+
     return parsed;
-}
+};

 module.exports = parseUrl;
\ No newline at end of file
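Review bot: the `// Potential git-ssh urls` block and the `GIT_RE` it depends on exist only on the `+` side, so the 6.0.4 package is not identical to 6.0.0 as stated; this is a behavioural change (it rewrites `protocols`, `protocol`, `resource`, `user` and `pathname` whenever `parsed.protocol === "file"` and the regex matches), not a formatting one. The regex as written also has defects visible in this hunk: the character class `[\~,\w,\-,\_,\/]` contains literal commas, so `,` is accepted as a path character; `(.git){0,1}` uses an unescaped `.` that matches any character before `git`; and the host group `([\w\.@]+)` admits `@`, so `parsed.resource = matched[4]` can carry userinfo into the resource field. Suggest escaping the dot, dropping the commas and `@` from those classes, and hoisting `GIT_RE` to module scope instead of rebuilding it on every call.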

tag 6.0.4 vs npm package 6.0.4

diff --git a/tag/6.0.4/index.js b/npm/parse-url-6.0.4/package/lib/index.js
index 31b2a04..0ee0236 100644
--- a/tag/6.0.4/index.js
+++ b/npm/parse-url-6.0.4/package/lib/index.js
@@ -1,7 +1,11 @@
-"use strict"
+"use strict";

-const parsePath = require("parse-path")
-    , normalizeUrl = require("normalize-url")
+// Dependencies
+
+var _typeof = typeof Symbol === "function" && typeof Symbol.iterator === "symbol" ? function (obj) { return typeof obj; } : function (obj) { return obj && typeof Symbol === "function" && obj.constructor === Symbol && obj !== Symbol.prototype ? "symbol" : typeof obj; };
+
+var parsePath = require("parse-path"),
+    normalizeUrl = require("normalize-url");

 /**
  * parseUrl
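Review bot: the `-` side is ES2015 source (`const`, no semicolons) while the `+` side is transpiled ES5 with the `_typeof` helper injected, so this diff compares a tagged source tree against a build output. A tag-versus-package comparison only says something about drift if the tag is built the same way first (or the package ships the unbuilt source); otherwise transpilation noise hides the real differences, which in this case appear further down in the third hunk.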
@@ -12,7 +16,7 @@ const parsePath = require("parse-path")
  * @name parseUrl
  * @function
  * @param {String} url The input url.
- * @param {Boolean|Object} normalize Wheter to normalize the url or not.
+ * @param {Boolean|Object} normalize Whether to normalize the url or not.
  *                         Default is `false`. If `true`, the url will
  *                         be normalized. If an object, it will be the
  *                         options object sent to [`normalize-url`](https://github.com/sindresorhus/normalize-url).
@@ -32,20 +36,41 @@ const parsePath = require("parse-path")
  *    - `href` (String): The input url.
  *    - `query` (Object): The url querystring, parsed as object.
  */
-function parseUrl(url, normalize = false) {
+var parseUrl = function parseUrl(url) {
+    var normalize = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : false;
+
+
+    // Constants
+    var GIT_RE = /((git@|http(s)?:\/\/)([\w\.@]+)(\/|:))(([\~,\w,\-,\_,\/]+)(.git){0,1}((\/){0,1}))/;
+
     if (typeof url !== "string" || !url.trim()) {
-        throw new Error("Invalid url.")
+        throw new Error("Invalid url.");
     }
+
     if (normalize) {
-        if (typeof normalize !== "object") {
+        if ((typeof normalize === "undefined" ? "undefined" : _typeof(normalize)) !== "object") {
             normalize = {
                 stripHash: false
+            };
         }
+        url = normalizeUrl(url, normalize);
     }
-        url = normalizeUrl(url, normalize)
+
+    var parsed = parsePath(url);
+
+    // Potential git-ssh urls
+    if (parsed.protocol === "file") {
+        var matched = parsed.href.match(GIT_RE);
+        if (matched) {
+            parsed.protocols = ["ssh"];
+            parsed.protocol = "ssh";
+            parsed.resource = matched[4];
+            parsed.user = "git";
+            parsed.pathname = "/" + matched[6];
         }
-    const parsed = parsePath(url)
+    }
+
     return parsed;
-}
+};

 module.exports = parseUrl;
\ No newline at end of file
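Review bot: beyond the transpilation noise, the `+` side adds behaviour the tag lacks: the `GIT_RE` constant and the `// Potential git-ssh urls` block that rewrite `protocol`, `resource`, `user` and `pathname` when `parsed.protocol === "file"`. That is a functional difference, so tag 6.0.4 and package 6.0.4 were built from different commits. Suggest tagging the exact commit the package was published from (or republishing from the tag), and adding a release step that unpacks the `npm pack` tarball and diffs it against the tagged tree so this cannot recur silently.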

Yes, you are right! Thanks for that. It turned out I published on npm 6.0.5 and created tag 6.0.4.
In the 6.x.x line the latest one is 6.0.5, and that is identical to 6.0.0. This is to fix the wrong versions in between for those applications using ^6.0.0.

Let me know if you see anything wrong.