fb55/css-select

Could you help remove the vulnerability introduced by css-what ?

Closed this issue · 3 comments

Hi, @fb55

Issue Description

I noticed that css-select@2.1.0 directly depends on css-what@3.4.2. However, the vulnerability CVE-2021-33587 affects the package css-what (<5.0.1).
As far as I am aware, css-select@2.1.0 is so popular that a large number of the latest versions of active and popular downstream projects depend on it (7,471,335 downloads per week and about 8,466 downstream projects, e.g., @svgr/plugin-svgo 5.5.0, @svgr/webpack 5.5.0, react-scripts 4.0.3, @vue/cli-service 4.5.13, @rails/webpacker 5.4.0, etc.).
In this case, the vulnerability CVE-2021-33587 can propagate into these downstream projects and expose them to security threats.
As you can see, css-select@2.1.0 is introduced into the above projects via the following package dependency paths:
(1)@creativestyle/magesuite-frontend-builder@2.4.5 ➔ gulp-imagemin@7.1.0 ➔ imagemin-svgo@7.1.0 ➔ svgo@1.3.2 ➔ css-select@2.1.0 ➔ css-what@3.4.2
(2)@nitro/gulp@5.10.10 ➔ gulp-imagemin@7.1.0 ➔ imagemin-svgo@7.1.0 ➔ svgo@1.3.2 ➔ css-select@2.1.0 ➔ css-what@3.4.2
......

I know that it was kind of you to have removed the vulnerability as of css-select@4.0.0. But, in fact, the large number of downstream projects above cannot easily upgrade css-select from version 2.1.0 to (>=4.0.0):
Projects such as gulp-imagemin, which introduce css-select@2.1.0, are no longer maintained. These unmaintained packages can neither upgrade css-select nor be easily migrated by the large number of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package css-select@2.1.0?

Suggested Solution

Since these inactive projects set a version constraint of 2.1.* for css-select on the vulnerable dependency paths above, if css-select removes the vulnerability from 2.1.0 and releases a new patched version css-select@2.1.1, such a vulnerability patch can be automatically propagated into the downstream projects.

The simplest way to remove the vulnerability is to perform the following upgrade in css-select@2.1.1:
css-what ^3.2.1 ➔ ^5.0.1;
Note:
css-what@5.0.1(>=5.0.1) has fixed the vulnerability (CVE-2021-33587)

You are welcome to share other ways to resolve the issue.
Thank you for your attention to this issue.^_^
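The dependency-path analysis this report performs by hand, as an added example that is not part of the issue, the css-select project or npm's own tooling: it walks a package-lock.json "packages" map (lockfile version 2/3 layout) using npm's nested node_modules resolution, lists every path that reaches a css-what version inside the advisory range (<5.0.1), and then checks whether a hypothetical css-select@2.1.1 patch release would be picked up by the ranges that css-select's dependents declare. The lockfile contents, versions and ranges below are constructed for illustration, and the range checker is a deliberately minimal one (exact, caret, tilde and wildcard forms only), not the full node-semver grammar.

```javascript
// Added example (not the css-select project's or the issue author's code).
// Walks a package-lock.json "packages" map (lockfile v2/v3 layout) to find
// every dependency path that reaches a vulnerable css-what, then checks whether
// a hypothetical patch release of css-select would satisfy the ranges its
// dependents declare. The lockfile below is constructed, not a real capture.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Minimal range check: exact "3.4.2", caret "^3.2.1", tilde "~2.1.0",
// wildcard "2.1.*" / "2.1.x". Not the full node-semver grammar.
function satisfies(version, range) {
  const v = parseVersion(version);
  const wild = /^(\d+)\.(\d+)\.[x*]$/.exec(range);
  if (wild) return v[0] === Number(wild[1]) && v[1] === Number(wild[2]);
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const baseStr = range.slice(op.length);
  const base = parseVersion(baseStr);
  if (compareVersions(version, baseStr) < 0) return false;
  if (op === "") return compareVersions(version, baseStr) === 0;
  if (op === "~") return v[0] === base[0] && v[1] === base[1];
  // caret: the leftmost non-zero component of the base may not change
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Package name from a lockfile location such as "node_modules/a/node_modules/@s/b".
function nameOf(location, entry) {
  if (entry.name) return entry.name;
  return location.slice(location.lastIndexOf("node_modules/") + "node_modules/".length);
}

// npm resolution: look in <from>/node_modules/<name>, then walk up the tree.
function resolveDep(packages, from, name) {
  let dir = from;
  for (;;) {
    const candidate = dir === "" ? `node_modules/${name}` : `${dir}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (dir === "") return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}

// Every path root -> ... -> targetName whose resolved version isAffected.
function findDependencyPaths(lock, targetName, isAffected) {
  const packages = lock.packages;
  const found = [];
  const walk = (location, chain, seen) => {
    const entry = packages[location];
    const name = nameOf(location, entry);
    const next = [...chain, `${name}@${entry.version}`];
    if (name === targetName) {
      if (isAffected(entry.version)) found.push(next);
      return;
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const loc = resolveDep(packages, location, dep);
      if (!loc || seen.has(loc)) continue; // skip unresolved deps and cycles
      walk(loc, next, new Set([...seen, loc]));
    }
  };
  walk("", [], new Set([""]));
  return found;
}

// For each package that declares pkgName, would patchVersion satisfy its range?
function patchWouldPropagate(lock, pkgName, patchVersion) {
  const result = {};
  for (const [location, entry] of Object.entries(lock.packages)) {
    const range = (entry.dependencies || {})[pkgName];
    if (range === undefined) continue;
    result[`${nameOf(location, entry)}@${entry.version}`] = satisfies(patchVersion, range);
  }
  return result;
}

// Constructed lockfile: an old gulp-imagemin chain next to a current svgo.
const LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0", dependencies: { "gulp-imagemin": "^7.1.0", svgo: "^2.3.0" } },
    "node_modules/gulp-imagemin": { version: "7.1.0", dependencies: { "imagemin-svgo": "^7.0.0" } },
    "node_modules/imagemin-svgo": { version: "7.1.0", dependencies: { svgo: "^1.3.2" } },
    "node_modules/imagemin-svgo/node_modules/svgo": { version: "1.3.2", dependencies: { "css-select": "^2.0.0" } },
    "node_modules/imagemin-svgo/node_modules/css-select": { version: "2.1.0", dependencies: { "css-what": "^3.2.1" } },
    "node_modules/imagemin-svgo/node_modules/css-what": { version: "3.4.2" },
    "node_modules/svgo": { version: "2.3.0", dependencies: { "css-select": "^4.1.3" } },
    "node_modules/css-select": { version: "4.1.3", dependencies: { "css-what": "^5.0.0" } },
    "node_modules/css-what": { version: "5.0.1" },
  },
};

// Advisory range from this thread: css-what <5.0.1.
const cssWhatAffected = (v) => compareVersions(v, "5.0.1") < 0;

for (const p of findDependencyPaths(LOCK, "css-what", cssWhatAffected)) console.log(p.join(" ➔ "));
console.log(patchWouldPropagate(LOCK, "css-select", "2.1.1"));
```

Run against a real lockfile by replacing `LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the second result is the part that matters for the suggestion in this issue, since it shows which dependents would receive a 2.1.1 release through their existing ranges without any change on their side.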

fb55 commented

Hi @evansrobert, thanks for the suggestion!

The big issue with this is that css-what had some breaking changes; e.g. [href=example.com] is no longer an allowed selector, and there are other similar examples. This means that the suggested 2.1.1 could break users' code, which is arguably worse than the CVE warning.

Ultimately, I would encourage people that see this as part of their build pipeline to ignore CVE. You aren't exposed to any risk.

> Ultimately, I would encourage people that see this as part of their build pipeline to ignore CVE. You aren't exposed to any risk.

I am not really sure if ignoring CVE is the kind of advice I would ever give.

It seems that https://github.com/fb55/css-select/pull/564/files sorted another recent CVE, but because the project did not make a new release with it, its consumers are not able to protect against it.

Making a hotfix after any addressed CVE seems like a good practice.

fb55 commented

The other CVE is covered by the last release's version range and doesn't need a separate release.