[Bug]: Security issues in the underlying packages
iSeiryu opened this issue · 5 comments
Version
29.1.0
Steps to reproduce
Before yesterday, `npm i` reported only 4 low vulnerabilities. But yesterday it suddenly started showing 32 moderate vulnerabilities.
This package is flagged, but additional issues might need to be created on the dependency packages.
P.S. you guys need a [Security] issue template.
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install ts-jest@27.0.3, which is a breaking change
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/child-process-ext/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/make-dir/node_modules/semver
@babel/core *
Depends on vulnerable versions of @babel/helper-compilation-targets
Depends on vulnerable versions of semver
node_modules/@babel/core
@babel/helper-compilation-targets *
Depends on vulnerable versions of @babel/core
Depends on vulnerable versions of semver
node_modules/@babel/helper-compilation-targets
@jest/transform *
Depends on vulnerable versions of @babel/core
Depends on vulnerable versions of babel-plugin-istanbul
node_modules/@jest/transform
@jest/core *
Depends on vulnerable versions of @jest/reporters
Depends on vulnerable versions of @jest/transform
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-resolve-dependencies
Depends on vulnerable versions of jest-runner
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of jest-snapshot
node_modules/@jest/core
jest >=24.0.0-alpha.0
Depends on vulnerable versions of @jest/core
Depends on vulnerable versions of jest-cli
node_modules/jest
ts-jest >=25.10.0-alpha.1
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of jest
node_modules/ts-jest
jest-cli >=24.0.0-alpha.0
Depends on vulnerable versions of @jest/core
Depends on vulnerable versions of jest-config
node_modules/jest-cli
babel-jest >=18.5.0-alpha.7da3df39
Depends on vulnerable versions of @babel/core
Depends on vulnerable versions of @jest/transform
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of babel-preset-jest
node_modules/babel-jest
jest-runner >=24.2.0-alpha.0
Depends on vulnerable versions of @jest/transform
Depends on vulnerable versions of jest-runtime
node_modules/jest-runner
jest-config >=24.0.0-alpha.0
Depends on vulnerable versions of @babel/core
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of jest-circus
Depends on vulnerable versions of jest-runner
node_modules/jest-config
jest-runtime >=24.2.0-alpha.0
Depends on vulnerable versions of @jest/globals
Depends on vulnerable versions of @jest/transform
Depends on vulnerable versions of jest-snapshot
node_modules/jest-runtime
jest-circus >=25.2.4
Depends on vulnerable versions of @jest/expect
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of jest-snapshot
node_modules/jest-circus
babel-preset-current-node-syntax *
Depends on vulnerable versions of @babel/core
node_modules/babel-preset-current-node-syntax
babel-preset-jest >=24.2.0-alpha.0
Depends on vulnerable versions of @babel/core
Depends on vulnerable versions of babel-preset-current-node-syntax
node_modules/babel-preset-jest
istanbul-lib-instrument >=1.2.0
Depends on vulnerable versions of @babel/core
Depends on vulnerable versions of semver
node_modules/istanbul-lib-instrument
@jest/reporters *
Depends on vulnerable versions of @jest/transform
Depends on vulnerable versions of istanbul-lib-instrument
Depends on vulnerable versions of istanbul-lib-report
Depends on vulnerable versions of istanbul-reports
node_modules/@jest/reporters
babel-plugin-istanbul >=3.1.0-candidate.0
Depends on vulnerable versions of istanbul-lib-instrument
node_modules/babel-plugin-istanbul
jest-snapshot >=27.0.0-next.0
Depends on vulnerable versions of @babel/core
Depends on vulnerable versions of @jest/transform
Depends on vulnerable versions of babel-preset-current-node-syntax
node_modules/jest-snapshot
@jest/expect *
Depends on vulnerable versions of jest-snapshot
node_modules/@jest/expect
@jest/globals >=28.0.0-alpha.0
Depends on vulnerable versions of @jest/expect
node_modules/@jest/globals
jest-resolve-dependencies >=27.0.0-next.0
Depends on vulnerable versions of jest-snapshot
node_modules/jest-resolve-dependencies
cross-spawn 6.0.0 - 6.0.5
Depends on vulnerable versions of semver
node_modules/child-process-ext/node_modules/cross-spawn
child-process-ext *
Depends on vulnerable versions of cross-spawn
node_modules/child-process-ext
@serverless/dashboard-plugin *
Depends on vulnerable versions of @serverless/utils
Depends on vulnerable versions of child-process-ext
node_modules/@serverless/dashboard-plugin
serverless >=1.61.0
Depends on vulnerable versions of @serverless/dashboard-plugin
Depends on vulnerable versions of @serverless/utils
Depends on vulnerable versions of child-process-ext
node_modules/serverless
serverless-plugin-typescript 2.0.0 - 2.1.5
Depends on vulnerable versions of serverless
node_modules/serverless-plugin-typescript
make-dir 2.0.0 - 3.1.0
Depends on vulnerable versions of semver
node_modules/make-dir
@serverless/utils >=5.1.0
Depends on vulnerable versions of make-dir
node_modules/@serverless/utils
serverless-offline >=9.0.0
Depends on vulnerable versions of @serverless/utils
Depends on vulnerable versions of serverless
node_modules/serverless-offline
istanbul-lib-report >=2.0.5
Depends on vulnerable versions of make-dir
node_modules/istanbul-lib-report
istanbul-reports >=3.0.0-alpha.0
Depends on vulnerable versions of istanbul-lib-report
node_modules/istanbul-reports
36 vulnerabilities (4 low, 32 moderate)
Expected behavior
There should be no vulnerabilities.
Actual behavior
There are 32 new vulnerabilities.
Debug log
None
Additional context
No response
Environment
OS: Linux, Windows, Mac
Node: 16 and 18
I see in the logging that `Will install ts-jest@27.0.3, which is a breaking change`, but you mentioned it's version 29.1.0. I don't see anything mentioned about version 29.1.0.
Bot will fix it :)
There is more to that, like conventional changelog, which we are using, but it's a dev dep only. A direct dep is semver, which can be bumped to solve the issue by making a release.
@ahnpnl We are on 29.1.0 and `npm audit` says that to fix it we need to drop to 27.0.3, which we cannot do since it introduces hundreds of breaking changes.
@ahnpnl https://www.npmjs.com/package/semver released a new 7.5.3 version 20 hours ago. I'm assuming that's to fix that vulnerability. If ts-jest could release a new package that references the new version, that would be awesome.
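The thread above illustrates a common `npm audit` reading problem: one advisory (semver `<7.5.2`) fans out into dozens of "Depends on vulnerable versions of …" entries, and the only fix npm offers is a semver-major downgrade of ts-jest. The script below is an added example, not code from the ts-jest project or from anyone in this thread. It triages an `npm audit --json` report (the `auditReportVersion: 2` shape npm 7+ emits): it separates the entries that carry an actual advisory from the ones that are merely downstream, walks the `effects` edges up to the project's direct dependencies, and flags when `fixAvailable` would cross a major version. The embedded report is a constructed, trimmed sample whose dependency chains are shortened compared with the real output; the `>=7.5.3` override range is an assumption taken from the last comment, not something the page verifies.

```javascript
// Added example (not from the ts-jest project): triage an `npm audit --json`
// report (auditReportVersion 2) into root-cause advisories, the direct
// dependencies that pull them in, and whether npm's proposed fix is breaking.

// Constructed sample, trimmed and with chains shortened; it mirrors the shape
// of npm 7+ JSON output, not the full graph from the issue above.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    semver: {
      name: 'semver', severity: 'moderate', isDirect: false, range: '<7.5.2',
      via: [{
        name: 'semver', severity: 'moderate', range: '<7.5.2',
        title: 'semver vulnerable to Regular Expression Denial of Service',
        url: 'https://github.com/advisories/GHSA-c2qf-rxjj-qqgw',
      }],
      effects: ['@babel/core', 'make-dir'],
      nodes: ['node_modules/@babel/core/node_modules/semver',
              'node_modules/make-dir/node_modules/semver'],
      fixAvailable: { name: 'ts-jest', version: '27.0.3', isSemVerMajor: true },
    },
    '@babel/core': { name: '@babel/core', severity: 'moderate', isDirect: false, range: '*',
      via: ['semver'], effects: ['jest'], nodes: ['node_modules/@babel/core'],
      fixAvailable: { name: 'ts-jest', version: '27.0.3', isSemVerMajor: true } },
    jest: { name: 'jest', severity: 'moderate', isDirect: false, range: '>=24.0.0-alpha.0',
      via: ['@babel/core'], effects: ['ts-jest'], nodes: ['node_modules/jest'],
      fixAvailable: { name: 'ts-jest', version: '27.0.3', isSemVerMajor: true } },
    'ts-jest': { name: 'ts-jest', severity: 'moderate', isDirect: true, range: '>=25.10.0-alpha.1',
      via: ['jest'], effects: [], nodes: ['node_modules/ts-jest'],
      fixAvailable: { name: 'ts-jest', version: '27.0.3', isSemVerMajor: true } },
    'make-dir': { name: 'make-dir', severity: 'moderate', isDirect: false, range: '2.0.0 - 3.1.0',
      via: ['semver'], effects: ['serverless'], nodes: ['node_modules/make-dir'],
      fixAvailable: true },
    serverless: { name: 'serverless', severity: 'moderate', isDirect: true, range: '>=1.61.0',
      via: ['make-dir'], effects: [], nodes: ['node_modules/serverless'],
      fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 6, high: 0, critical: 0, total: 6 } },
};

// An entry is a root cause when at least one `via` element is an advisory
// object; entries whose `via` holds only package names are downstream of one.
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === 'object'))
    .map((v) => ({
      name: v.name,
      range: v.range,
      advisories: v.via.filter((x) => typeof x === 'object')
        .map((a) => ({ title: a.title, url: a.url })),
    }));
}

// Follow `effects` edges upward from a root until we reach packages the project
// depends on directly. The visited set guards against cycles such as the
// @babel/core <-> @babel/helper-compilation-targets pair in the real report.
function directDependents(report, rootName) {
  const vulns = report.vulnerabilities;
  const seen = new Set();
  const direct = new Set();
  const queue = [rootName];
  while (queue.length) {
    const name = queue.shift();
    if (seen.has(name)) continue;
    seen.add(name);
    const entry = vulns[name];
    if (!entry) continue;
    if (entry.isDirect) direct.add(name);
    queue.push(...entry.effects);
  }
  return [...direct].sort();
}

// `fixAvailable` is true/false or an object naming the package whose version
// must change; isSemVerMajor means `npm audit fix --force` crosses a major.
function breakingFix(entry) {
  const fix = entry.fixAvailable;
  return typeof fix === 'object' && fix !== null && fix.isSemVerMajor === true;
}

function triage(report) {
  return rootCauses(report).map((root) => {
    const entry = report.vulnerabilities[root.name];
    return {
      ...root,
      directDependents: directDependents(report, root.name),
      breakingFixProposed: breakingFix(entry),
      proposedFix: typeof entry.fixAvailable === 'object' ? entry.fixAvailable : null,
      installedCopies: entry.nodes.length,
    };
  });
}

// Build a package.json `overrides` block (npm >= 8.3) pinning each root-cause
// package to a caller-supplied patched range on every installation path.
function overridesFor(report, safeRanges) {
  const overrides = {};
  for (const root of rootCauses(report)) {
    if (safeRanges[root.name]) overrides[root.name] = safeRanges[root.name];
  }
  return { overrides };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  for (const t of triage(sampleReport)) {
    console.log(`${t.name} ${t.range}: ${t.advisories.map((a) => a.url).join(', ')}`);
    console.log(`  direct dependents affected: ${t.directDependents.join(', ')}`);
    console.log(`  installed copies: ${t.installedCopies}`);
    if (t.breakingFixProposed) {
      console.log(`  npm's fix moves ${t.proposedFix.name} to ${t.proposedFix.version} (major): review before --force`);
    }
  }
  console.log(JSON.stringify(overridesFor(sampleReport, { semver: '>=7.5.3' })));
}
```

Run it against real output with `npm audit --json > audit.json` and `JSON.parse` of that file in place of `sampleReport`. The point of the split is that the 32 "moderate" entries in the issue collapse to a single advisory with a handful of direct dependents, so the decision is about one package (semver) rather than a forced ts-jest downgrade; the `overrides` block is the stop-gap a consumer can apply until the upstream release the last comment asks for lands.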