zaggino/z-schema

Vulnerabilities introduced by package validator

paimon0715 opened this issue · 2 comments

Hi, @zaggino, I’d like to report the vulnerabilities introduced in your package z-schema:

Issue Description

Vulnerabilities SNYK-JS-VALIDATOR-1090600, SNYK-JS-VALIDATOR-1090599, SNYK-JS-VALIDATOR-1090602 and SNYK-JS-VALIDATOR-1090601 are detected in package validator<13.6.0, and validator@12.2.0 is directly referenced by z-schema@4.2.3. We noticed that the vulnerabilities have been removed since z-schema@5.0.1.

However, z-schema's popular previous version z-schema@4.2.3 (420,695 downloads per week) is still transitively referenced by a large number of latest versions of active and popular downstream projects (about 11,180 downstream projects, e.g., swagger-parser 10.0.2, @apidevtools/swagger-parser 10.0.2, swagger-jsdoc 6.1.0, swagger-cli 4.0.4, @apidevtools/swagger-cli 4.0.4, mock-ipfs-pinning-service 0.3.0, api-spec-converter 2.12.0, raml-to-postman 2.0.6, etc.).
As such, issues SNYK-JS-VALIDATOR-1090600, SNYK-JS-VALIDATOR-1090599, SNYK-JS-VALIDATOR-1090602 and SNYK-JS-VALIDATOR-1090601 can be propagated into these downstream projects and expose security threats to them.

These projects cannot easily upgrade z-schema from version 4.2.3 to (>=5.0.1). For instance, z-schema@4.2.3 is introduced into the above projects via the following package dependency paths:
(1)mock-ipfs-pinning-service@0.3.0 ➔ oas-tools@2.1.8 ➔ z-schema@4.2.3 ➔ validator@12.2.0
......

The projects such as oas-tools, which introduced z-schema@4.2.3, are not maintained anymore. These unmaintained packages can neither upgrade z-schema nor be easily migrated by the large amount of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package z-schema@4.2.3?

Suggested Solution

Since these inactive projects set a version constraint 4.2.* for z-schema on the above vulnerable dependency paths, if z-schema removes the vulnerability from 4.2.3 and releases a new patched version z-schema@4.2.4, such a vulnerability patch can be automatically propagated into the 11,180 affected downstream projects.

In z-schema@4.2.4, you can kindly try to perform the following upgrade:
validator ^12.0.0 ➔ ^13.6.0;
Note:
validator@13.6.0(>=13.6.0) has fixed the vulnerabilities (SNYK-JS-VALIDATOR-1090600, SNYK-JS-VALIDATOR-1090599, SNYK-JS-VALIDATOR-1090602 and SNYK-JS-VALIDATOR-1090601)

Thank you for your help.

Best regards,
Paimon
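The mechanism the report relies on, shown as an added example that is not code from the z-schema project or from the reporter: a small semver-range checker plus a walk over a constructed dependency tree shaped like path (1) above. It demonstrates why a patched z-schema@4.2.4 would be picked up by a dependent that declares `4.2.*` while z-schema@5.0.1 would not, and why bumping validator from `^12.0.0` to `^13.6.0` is needed rather than relying on the existing caret range. The tree, the `^2.1.0` range that mock-ipfs-pinning-service is given for oas-tools, and the helper names are assumptions for illustration; only the `4.2.*` and `^12.0.0` ranges and the versions come from the issue text.

```javascript
'use strict';
// Added example: minimal semver matching and a dependency-tree walk.
// Not part of z-schema; written to illustrate the propagation argument.

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release tags are not handled.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Range forms used in the issue: "X.Y.*", "^X.Y.Z", ">=X.Y.Z", exact.
// Anything else is rejected rather than silently treated as a match.
function satisfies(version, range) {
  const [maj, min] = parseVersion(version);
  let m;
  if ((m = /^(\d+)\.(\d+)\.\*$/.exec(range))) {
    return maj === Number(m[1]) && min === Number(m[2]);
  }
  if ((m = /^\^(\d+\.\d+\.\d+)$/.exec(range))) {
    const [bmaj, bmin] = parseVersion(m[1]);
    // caret: same major for >=1.0.0, same minor for 0.x, never below base
    const sameLine = bmaj === 0 ? (maj === 0 && min === bmin) : maj === bmaj;
    return sameLine && compareVersions(version, m[1]) >= 0;
  }
  if ((m = /^>=(\d+\.\d+\.\d+)$/.exec(range))) {
    return compareVersions(version, m[1]) >= 0;
  }
  if (/^\d+\.\d+\.\d+$/.test(range)) return compareVersions(version, range) === 0;
  throw new Error(`unsupported range: ${range}`);
}

// "validator<13.6.0" style check: affected if installed version is below the fix.
function isAffected(installed, fixedIn) {
  return compareVersions(installed, fixedIn) < 0;
}

// Constructed tree in the shape of path (1) from the issue. `range` is what the
// parent declares, `version` is what is installed. The "^2.1.0" range for
// oas-tools is an assumption; "4.2.*" and "^12.0.0" are taken from the issue.
const TREE = {
  name: 'mock-ipfs-pinning-service', version: '0.3.0',
  dependencies: [{
    name: 'oas-tools', version: '2.1.8', range: '^2.1.0',
    dependencies: [{
      name: 'z-schema', version: '4.2.3', range: '4.2.*',
      dependencies: [{ name: 'validator', version: '12.2.0', range: '^12.0.0', dependencies: [] }],
    }],
  }],
};

// Every root-to-node path ending in `pkgName`, as "name@version" strings.
function findPaths(node, pkgName, trail = []) {
  const here = [...trail, `${node.name}@${node.version}`];
  const hits = node.name === pkgName ? [here] : [];
  for (const dep of node.dependencies) hits.push(...findPaths(dep, pkgName, here));
  return hits;
}

// For each edge whose child is `pkgName`, report whether the parent's declared
// range would also accept `candidate`, i.e. whether a fresh install resolves to it.
function rangesAccept(node, pkgName, candidate, out = []) {
  for (const dep of node.dependencies) {
    if (dep.name === pkgName) {
      out.push({ parent: `${node.name}@${node.version}`, range: dep.range,
                 accepts: satisfies(candidate, dep.range) });
    }
    rangesAccept(dep, pkgName, candidate, out);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of findPaths(TREE, 'validator')) console.log(p.join(' -> '));
  console.log('4.2.4 accepted by dependents:', rangesAccept(TREE, 'z-schema', '4.2.4'));
  console.log('5.0.1 accepted by dependents:', rangesAccept(TREE, 'z-schema', '5.0.1'));
  console.log('13.6.0 satisfies ^12.0.0:', satisfies('13.6.0', '^12.0.0'));
  console.log('validator@12.2.0 affected:', isAffected('12.2.0', '13.6.0'));
}
```

The same walk can be pointed at a real `npm ls --json` or lockfile export once the node shape is adapted; the point it makes is that a patch release inside the `4.2.*` line reaches every such path without any downstream change, whereas the validator fix needs an explicit range bump because `^12.0.0` excludes 13.x.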

@zaggino Thanks for your help!