IonicaBizau/parse-url

6.0.2 looks to be a version that should be deleted

mstergianis opened this issue · 2 comments

It appears there is a version 6.0.2 of parse-url published on npm. I couldn't find it in your tags or releases, but it is real. When I download it and compare its compiled `lib/index.js` to 6.0.1, the fixes for CVE-2022-2216 and CVE-2022-0722 don't appear to be present (in the diff below 6.0.1 is the old side, so `-` lines are code that 6.0.2 lacks):

diff --git a/6.0.1/package/lib/index.js b/6.0.2/package/lib/index.js
index 0ee02368..31b2a042 100644
--- a/6.0.1/package/lib/index.js
+++ b/6.0.2/package/lib/index.js
@@ -1,11 +1,7 @@
-"use strict";
+"use strict"
 
-// Dependencies
-
-var _typeof = typeof Symbol === "function" && typeof Symbol.iterator === "symbol" ? function (obj) { return typeof obj; } : function (obj) { return obj && typeof Symbol === "function" && obj.constructor === Symbol && obj !== Symbol.prototype ? "symbol" : typeof obj; };
-
-var parsePath = require("parse-path"),
-    normalizeUrl = require("normalize-url");
+const parsePath = require("parse-path")
+    , normalizeUrl = require("normalize-url")
 
 /**
  * parseUrl
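Review bot: The new side drops every transpilation artefact (the `_typeof` shim, `var`) in favour of untranspiled `const` and, further down in the file, default parameters, so the 6.0.2 tarball appears to have been built with a different compile target than 6.0.1; for a patch release that silently changes which Node/browser versions can load `lib/index.js`, independently of the missing fix discussed in this issue. The new `"use strict"` and `const` lines also drop their terminating semicolons while `module.exports = parseUrl;` at the bottom of the same file keeps one, so the file relies on ASI inconsistently. I would keep `"use strict";` and one declaration per line with semicolons, e.g. `const parsePath = require("parse-path");` / `const normalizeUrl = require("normalize-url");`.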
@@ -16,7 +12,7 @@ var parsePath = require("parse-path"),
  * @name parseUrl
  * @function
  * @param {String} url The input url.
- * @param {Boolean|Object} normalize Whether to normalize the url or not.
+ * @param {Boolean|Object} normalize Wheter to normalize the url or not.
  *                         Default is `false`. If `true`, the url will
  *                         be normalized. If an object, it will be the
  *                         options object sent to [`normalize-url`](https://github.com/sindresorhus/normalize-url).
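Review bot: The new side of the `@param normalize` line replaces the correctly spelled `Whether` with `Wheter`, so the JSDoc regresses rather than improves; the fix is to restore `* @param {Boolean|Object} normalize Whether to normalize the url or not.`. Since the 6.0.0 → 6.0.2 diff further down this page has no hunk for this comment, 6.0.0 presumably already carries the misspelling, which is consistent with 6.0.2 having been built from pre-6.0.1 source rather than being a deliberate edit.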
@@ -25,52 +21,31 @@ var parsePath = require("parse-path"),
  *
  * @return {Object} An object containing the following fields:
  *
- *    - `protocols` (Array): An array with the url protocols (usually it has one element).
- *    - `protocol` (String): The first protocol, `"ssh"` (if the url is a ssh url) or `"file"`.
- *    - `port` (null|Number): The domain port.
- *    - `resource` (String): The url domain (including subdomains).
- *    - `user` (String): The authentication user (usually for ssh urls).
- *    - `pathname` (String): The url pathname.
- *    - `hash` (String): The url hash.
- *    - `search` (String): The url querystring value.
- *    - `href` (String): The input url.
- *    - `query` (Object): The url querystring, parsed as object.
+ *  - `protocols` (Array): An array with the url protocols (usually it has one element).
+ *  - `protocol` (String): The first protocol, `"ssh"` (if the url is a ssh url) or `"file"`.
+ *  - `port` (null|Number): The domain port.
+ *  - `resource` (String): The url domain (including subdomains).
+ *  - `user` (String): The authentication user (usually for ssh urls).
+ *  - `pathname` (String): The url pathname.
+ *  - `hash` (String): The url hash.
+ *  - `search` (String): The url querystring value.
+ *  - `href` (String): The input url.
+ *  - `query` (Object): The url querystring, parsed as object.
  */
-var parseUrl = function parseUrl(url) {
-    var normalize = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : false;
-
-
-    // Constants
-    var GIT_RE = /((git@|http(s)?:\/\/)([\w\.@]+)(\/|:))(([\~,\w,\-,\_,\/]+)(.git){0,1}((\/){0,1}))/;
-
+function parseUrl(url, normalize = false) {
     if (typeof url !== "string" || !url.trim()) {
-        throw new Error("Invalid url.");
+        throw new Error("Invalid url.")
     }
-
     if (normalize) {
-        if ((typeof normalize === "undefined" ? "undefined" : _typeof(normalize)) !== "object") {
+        if (typeof normalize !== "object") {
             normalize = {
                 stripHash: false
-            };
+            }
         }
-        url = normalizeUrl(url, normalize);
+        url = normalizeUrl(url, normalize)
     }
-
-    var parsed = parsePath(url);
-
-    // Potential git-ssh urls
-    if (parsed.protocol === "file") {
-        var matched = parsed.href.match(GIT_RE);
-        if (matched) {
-            parsed.protocols = ["ssh"];
-            parsed.protocol = "ssh";
-            parsed.resource = matched[4];
-            parsed.user = "git";
-            parsed.pathname = "/" + matched[6];
-        }
-    }
-
+    const parsed = parsePath(url)
     return parsed;
-};
+}
 
-module.exports = parseUrl;
\ No newline at end of file
+module.exports = parseUrl;
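Review bot: The new side of parseUrl has no git-ssh branch: the removed lines matched `parsed.href` against `GIT_RE` whenever `parsed.protocol === "file"` and rewrote `protocols`, `protocol`, `resource`, `user` and `pathname`, whereas 6.0.2 returns `parsePath(url)` unchanged, so inputs that parse-path labels `file` but that match the pattern (the removed comment calls them "potential git-ssh urls") are no longer reported as `ssh` with the host in `resource`. If that branch is the 6.0.1 change for CVE-2022-2216 / CVE-2022-0722 — this hunk alone does not prove the mapping — then 6.0.2 lacks the fix, and the remedy is to republish the 6.0.1 `lib/index.js`, including the `GIT_RE` constant and the `if (parsed.protocol === "file")` block, as 6.0.3 rather than patch 6.0.2 in place. Separately, the new body reassigns its `normalize` parameter; `const options = typeof normalize === "object" ? normalize : { stripHash: false };` followed by `url = normalizeUrl(url, options)` would leave the caller's argument untouched.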

In particular, the changes introduced in 21c72ab don't appear to be there. I then compared 6.0.2 against 6.0.0, and it looks much more like a copy of 6.0.0: the only differences are syntactic (`var` → `const`, a default parameter instead of the `arguments` shim, dropped semicolons), which suggests a compiler setting or the target ES version was changed rather than the source itself.

diff --git a/6.0.0/package/lib/index.js b/6.0.2/package/lib/index.js
index 6e194fa5..31b2a042 100644
--- a/6.0.0/package/lib/index.js
+++ b/6.0.2/package/lib/index.js
@@ -1,9 +1,7 @@
-"use strict";
+"use strict"
 
-var _typeof = typeof Symbol === "function" && typeof Symbol.iterator === "symbol" ? function (obj) { return typeof obj; } : function (obj) { return obj && typeof Symbol === "function" && obj.constructor === Symbol && obj !== Symbol.prototype ? "symbol" : typeof obj; };
-
-var parsePath = require("parse-path"),
-    normalizeUrl = require("normalize-url");
+const parsePath = require("parse-path")
+    , normalizeUrl = require("normalize-url")
 
 /**
  * parseUrl
@@ -34,22 +32,20 @@ var parsePath = require("parse-path"),
  *  - `href` (String): The input url.
  *  - `query` (Object): The url querystring, parsed as object.
  */
-function parseUrl(url) {
-    var normalize = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : false;
-
+function parseUrl(url, normalize = false) {
     if (typeof url !== "string" || !url.trim()) {
-        throw new Error("Invalid url.");
+        throw new Error("Invalid url.")
     }
     if (normalize) {
-        if ((typeof normalize === "undefined" ? "undefined" : _typeof(normalize)) !== "object") {
+        if (typeof normalize !== "object") {
             normalize = {
                 stripHash: false
-            };
+            }
         }
-        url = normalizeUrl(url, normalize);
+        url = normalizeUrl(url, normalize)
     }
-    var parsed = parsePath(url);
+    const parsed = parsePath(url)
     return parsed;
 }
 
-module.exports = parseUrl;
\ No newline at end of file
+module.exports = parseUrl;
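Review bot: The new side of parseUrl keeps a semicolon on `return parsed;` and `module.exports = parseUrl;` while the other rewritten statements (`throw new Error("Invalid url.")`, `url = normalizeUrl(url, normalize)`, `const parsed = parsePath(url)`) drop theirs, so the file mixes ASI reliance with explicit terminators; pick one, preferably semicolons everywhere as in 6.0.0 and 6.0.1. The body also reassigns the `normalize` parameter when it is truthy but not an object; `const options = typeof normalize === "object" ? normalize : { stripHash: false };` then `url = normalizeUrl(url, options)` avoids mutating the caller's argument. Note that the outer `if (normalize)` excludes `null`, but an array is truthy and has `typeof === "object"`, so it is forwarded to normalize-url as-is — worth a `@param` note that a plain options object is expected.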

Is there a recommendation here? What should users be using? Should 6.0.2 be unpublished, or should a 6.0.3 be published to fix this regression?

I tried to unpublish it, but I just cannot... I think it is a limitation of npm. Is there any way to really delete it?

Thanks!

Oh, yep, that was naive on my part. Apparently npm has policies in place to prevent you from breaking other people's packages, which makes sense.

I'm not picky about how this gets resolved, and honestly I now know enough that I don't need the fix myself — I can happily move to 6.0.1 or 7.0.2. My concern is the community of people using 6.0.2 who are potentially vulnerable without knowing it. A 6.0.3 release might be warranted, and since unpublishing is blocked, deprecating 6.0.2 on npm (so installs print a warning) would at least flag the affected version. WDYT?