all-contributors/cli

CVE-2021-23337 in transitive dependency lodash

greyscaled opened this issue · 1 comments

  • all-contributors-cli version: all-contributors-cli@6.20.0
  • node version: N/A
  • npm (or yarn) version: N/A

Relevant code or config

https://github.com/all-contributors/all-contributors-cli/blob/e9c1f55beb2c18391a5d5f0c9e8243dc3f89ebe3/package.json#L49

What you did:

yarn audit
yarn why lodash

What happened:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.21                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ all-contributors-cli                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ all-contributors-cli > inquirer > lodash                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1673                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.21                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ all-contributors-cli                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ all-contributors-cli > lodash                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1673                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
yarn why v1.22.10
[1/4] Why do we have the module "lodash"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "lodash@4.17.20"
info Reasons this module exists
   - "all-contributors-cli" depends on it
   - Hoisted from "all-contributors-cli#lodash"
   - Hoisted from "all-contributors-cli#inquirer#lodash"
info Disk size without dependencies: "4.86MB"
info Disk size with unique dependencies: "4.86MB"
info Disk size with transitive dependencies: "4.86MB"
info Number of shared dependencies: 0
Done in 0.23s.

Reproduction repository:

https://github.com/all-contributors/all-contributors-cli

Problem description:

CVE-2021-23337 in transitive dependency lodash (through inquirer)

Suggested solution:

Upgrade inquirer to a version with lodash >=4.17.21
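The audit output above shows the check that matters in practice: not whether lodash is declared anywhere, but which version the lockfile actually resolves for every path that reaches it, and whether that version is below the "Patched in" bound (>=4.17.21 for CVE-2021-23337). The script below is an added example and not code from the issue or from all-contributors-cli. It parses a yarn.lock v1 file with a minimal, assumed-sufficient parser (header lines and their `version` fields only), collects every resolved version of each package in a patched-version table, and reports the ones still below the fix. The lockfile excerpt is constructed to mirror the `all-contributors-cli > inquirer > lodash` and `all-contributors-cli > lodash` paths from the `yarn why` output; it is not the project's real lockfile.

```javascript
// Added example, not part of the original issue or the all-contributors-cli project.
// Constructed yarn.lock v1 excerpt: two ranges of lodash (one direct, one via inquirer)
// both resolve to the vulnerable 4.17.20, as in the yarn why output above.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


inquirer@^7.0.0:
  version "7.3.3"
  resolved "https://registry.yarnpkg.com/inquirer/-/inquirer-7.3.3.tgz"
  dependencies:
    lodash "^4.17.19"

lodash@^4.17.15, lodash@^4.17.19:
  version "4.17.20"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.20.tgz"
`;

// Minimum fixed version per package, taken from the "Patched in" row of the audit output.
const PATCHED_VERSIONS = { lodash: "4.17.21" };

// Minimal v1 lockfile parser (assumption: only header lines and their "version" fields
// are needed). Returns { "<name>@<range>": { version } } with one entry per range key.
function parseYarnLockV1(text) {
  const entries = {};
  let currentKeys = [];
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trimEnd();
    if (!line || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      // Header: comma-separated "name@range" keys, each possibly wrapped in quotes.
      currentKeys = line
        .slice(0, -1)
        .split(",")
        .map((k) => k.trim().replace(/^"|"$/g, ""));
      for (const k of currentKeys) entries[k] = {};
      continue;
    }
    // Two-space indented "version" line belongs to the current header block.
    const m = /^\s{2}version\s+"([^"]+)"$/.exec(line);
    if (m) for (const k of currentKeys) entries[k].version = m[1];
  }
  return entries;
}

// "lodash@^4.17.19" -> "lodash"; split at the last "@" so scoped packages (@scope/name@range) work.
function packageName(key) {
  return key.slice(0, key.lastIndexOf("@"));
}

// Numeric comparison of plain "x.y.z" versions (no prerelease handling); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every distinct resolved version of a tracked package that is still below its fix.
function findVulnerable(lockText, patched = PATCHED_VERSIONS) {
  const findings = [];
  const seen = new Set();
  for (const [key, entry] of Object.entries(parseYarnLockV1(lockText))) {
    const name = packageName(key);
    if (!(name in patched) || !entry.version) continue;
    const id = `${name}@${entry.version}`;
    if (seen.has(id)) continue; // several ranges may resolve to the same version
    seen.add(id);
    if (compareVersions(entry.version, patched[name]) < 0) {
      findings.push({ name, version: entry.version, patchedIn: patched[name] });
    }
  }
  return findings;
}

for (const f of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version} is below the patched ${f.patchedIn}`);
}
```

Running it against the constructed excerpt reports `lodash@4.17.20 is below the patched 4.17.21`; once both ranges resolve to 4.17.21 (the effect of upgrading inquirer, or of a lockfile resolution that bumps lodash) the report is empty. Deduplicating on resolved version rather than on range key is deliberate: the audit lists one row per dependency path, but the remediation question is how many distinct vulnerable copies end up installed.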

🎉 This issue has been resolved in version 6.20.1 🎉

The release is available on:

Your semantic-release bot 📦🚀