Security updates in deps
optiguy opened this issue · 1 comments
ascii-art@2.8.5
has a couple of dependency updates, that should be updated due to a high risk, due to the version of d3-color
and cli
for this package. This is the result of running an audit on the package.
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high │ d3-color vulnerable to ReDoS │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package │ d3-color │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <3.1.0 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions │ >=3.1.0 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths │ . > ascii-art@2.8.5 > ascii-art-graph@0.5.0 > │
│ │ d3@5.16.0 > d3-brush@1.1.6 > d3-interpolate@1.4.0 > │
│ │ d3-color@1.4.1 │
│ │ │
│ │ . > ascii-art@2.8.5 > ascii-art-graph@0.5.0 > │
│ │ d3@5.16.0 > d3-brush@1.1.6 > d3-transition@1.3.2 > │
│ │ d3-color@1.4.1 │
│ │ │
│ │ . > ascii-art@2.8.5 > ascii-art-graph@0.5.0 > │
│ │ d3@5.16.0 > d3-brush@1.1.6 > d3-transition@1.3.2 > │
│ │ d3-interpolate@1.4.0 > d3-color@1.4.1 │
│ │ │
│ │ ... Found 13 paths, run `pnpm why d3-color` for more │
│ │ information │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-36jr-mh4h-2g58 │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low │ Arbitrary File Write in cli │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package │ cli │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <1.0.0 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions │ >=1.0.0 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths │ . > ascii-art@2.8.5 > ascii-art-ansi@1.4.1 > │
│ │ color-difference@0.3.4 > cli@0.4.5 │
│ │ │
│ │ . > ascii-art@2.8.5 > ascii-art-graph@0.5.0 > │
│ │ ascii-art-ansi@1.4.1 > color-difference@0.3.4 > │
│ │ cli@0.4.5 │
│ │ │
│ │ . > ascii-art@2.8.5 > ascii-art-image@1.4.0 > │
│ │ ascii-art-ansi@1.4.1 > color-difference@0.3.4 > │
│ │ cli@0.4.5 │
│ │ │
│ │ ... Found 5 paths, run `pnpm why cli` for more │
│ │ information │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-6cpc-mj5c-m9rq │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low │ Node CLI Allows Arbitrary File Overwrite │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package │ cli │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=0.1.0 <=0.11.3 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions │ >=1.0.0 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths │ . > ascii-art@2.8.5 > ascii-art-ansi@1.4.1 > │
│ │ color-difference@0.3.4 > cli@0.4.5 │
│ │ │
│ │ . > ascii-art@2.8.5 > ascii-art-graph@0.5.0 > │
│ │ ascii-art-ansi@1.4.1 > color-difference@0.3.4 > │
│ │ cli@0.4.5 │
│ │ │
│ │ . > ascii-art@2.8.5 > ascii-art-image@1.4.0 > │
│ │ ascii-art-ansi@1.4.1 > color-difference@0.3.4 > │
│ │ cli@0.4.5 │
│ │ │
│ │ ... Found 5 paths, run `pnpm why cli` for more │
│ │ information │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-3mrp-qhcj-mwv5 │
└─────────────────────┴────────────────────────────────────────────────────────┘
Thanks for your report, these will be upgraded or removed in the coming 3.0 release.
Regarding the specifics of the report though: ascii art only uses d3-color in the d3 mode and uses a specific set of descriptions for color (RGB, hex or named values), so any vulnerability would come from generating unsanitized inputs in code (on a server). AKA allowing a user to upload source code and then processing that, since all non ANSI color handling is programmatic, which is, itself, highly questionable. I recommend not trying that in the first place, but will be updating to a version not vulnerable to ReDOS.
color-difference
is on target to be removed (an inactive dep which is the culprit for the cli dep, even though that dep is not in the code path of anything executing in this lib).
Thanks again for the report, I'll leave it open until 3.0 drops.