awslabs/aws-crt-nodejs

y18n < 4.0.1 is vulnerable to prototype pollution (CVE-2020-7774)

ArielPrevu3D opened this issue · 2 comments

The package cmake-js@6.3.2 depends on a vulnerable version of yargs, which depends on a vulnerable y18n version.

```
│ └─┬ aws-crt@1.15.5
│   └─┬ cmake-js@6.3.2
│     └─┬ yargs@3.32.0
│       └── y18n@3.2.2
```

NVD Link for CVE-2020-7774

Upgrading cmake-js to 7.x.x would fix this issue. The problem with y18n is fixed with versions 4.0.1 and 5.0.5.

Using the same response to both this and #390

Upgrading cmake-js to the latest major version is essentially a large bump to our minimum node version (10 -> 14). Cmake-js 7 will not run on less than node 14 and it's not a good experience to require a version of node (to build) beyond what the actual baseline is. We will look into what the proper procedure should be for updating our node baseline to 14, but under normal circumstances it's something that needs a decent amount of advance notice to users.

While "there's no vulnerability" is not something a downstream user should ever rely on, in this case, the inputs that are fed into the potentially vulnerable code are 100% under our control (the repo source) and so while the general vulnerability is real, there is not a cause for alarm with applications using the CRT at the present moment.

Revisiting this, the problem is also fixed with 3.2.2 which is what you get currently based on npm version resolution rules.
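The thread turns on which y18n version actually resolves in the tree, so here is an added example (not code from the aws-crt-nodejs project or the issue's participants) that walks an `npm ls --json`-shaped tree and flags every y18n instance whose version is outside the fixed ranges named above (3.2.2, 4.0.1+, 5.0.5+). The sample tree is constructed to mirror the chain in the issue plus one hypothetical affected instance.

```javascript
// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are ignored for this check).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Fixed per the thread and the advisory: 3.2.2 on the 3.x line, 4.0.1+ and 5.0.5+.
// Anything else on 3.x, 4.0.0 and 5.0.0-5.0.4 is treated as affected.
function y18nIsFixed(version) {
  const v = parseVersion(version);
  if (v[0] === 3) return cmp(v, [3, 2, 2]) >= 0;
  if (v[0] === 4) return cmp(v, [4, 0, 1]) >= 0;
  if (v[0] === 5) return cmp(v, [5, 0, 5]) >= 0;
  return v[0] > 5; // assumption: later majors carry the fix
}

// Recursively collect every y18n node in the tree together with its dependency path.
function findY18n(node, path = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${child.version}`];
    if (name === 'y18n') {
      out.push({ path: here.join(' > '), version: child.version, fixed: y18nIsFixed(child.version) });
    }
    findY18n(child, here, out);
  }
  return out;
}

function affectedY18n(tree) {
  return findY18n(tree).filter((r) => !r.fixed);
}

// Constructed sample: the chain from the issue, plus a hypothetical package pulling in y18n@4.0.0.
const SAMPLE_TREE = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'aws-crt': { version: '1.15.5', dependencies: {
      'cmake-js': { version: '6.3.2', dependencies: {
        yargs: { version: '3.32.0', dependencies: { y18n: { version: '3.2.2' } } } } } } },
    'hypothetical-tool': { version: '0.1.0', dependencies: { y18n: { version: '4.0.0' } } },
  },
};

for (const r of findY18n(SAMPLE_TREE)) console.log(`${r.fixed ? 'ok      ' : 'AFFECTED'} ${r.path}`);
```

Feed it the output of `npm ls y18n --json` (parsed with `JSON.parse`) to check a real install instead of the sample.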