
Bump kind-of version for CVE-2019-20149 #18

Closed

Conversation

adelyafatykhova
Copy link

@adelyafatykhova adelyafatykhova commented Jan 22, 2020

Description

Due to CVE-2019-20149, a new version of kind-of has been released.

Since clone-deep uses 6.0.2, this raises security flags.

FYI @jonschlinkert @doowb could you take care of this and release a new version of this package?

@doowb
Copy link
Collaborator

doowb commented Jan 22, 2020

Thanks for the PR, but this isn't necessary right now. 6.0.3 will automatically be used due to the semver range. When other changes are made to this package, we'll merge it in at that time.

@adelyafatykhova
Copy link
Author

adelyafatykhova commented Jan 23, 2020

@doowb sounds good. However, I think as long as 6.0.2 is mentioned in the package.json this will be reported as an issue by security scan tools.

For example, a report using Whitesource from today continues to flag clone-deep as using kind-of v6.0.2, even with 6.0.3 available.


However, weirdly enough, the vulnerability is no longer found in the Whitesource vulnerabilities list, so perhaps the report issue will go away soon as well:

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-20149/

@jonschlinkert
Copy link
Owner

jonschlinkert commented Jan 23, 2020 via email

@edwardgalligan
Copy link

> this isn't necessary right now. 6.0.3 will automatically be used

> that's really a failing of those tools

This isn't how semver ranges work, and it isn't a failing of those tools; the tools are correct.

clone-deep specifying that 6.0.2 is an acceptable version means that the clone-deep package is telling package managers it can and will work with the vulnerable version of kind-of. Package managers will usually use 6.0.3 (or the latest patch version) but may select a lower version for use depending on their dependency-resolution options: e.g. they may de-dupe multiple package dependencies of various packages if kind-of is used in multiple places.

clone-deep is vulnerable by not explicitly requiring a secure version of kind-of in package.json.
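The two positions above (doowb's "6.0.3 will automatically be used due to the semver range" and edwardgalligan's point that a range admitting 6.0.2 can still resolve to 6.0.2 under dedupe) can be checked mechanically. The following is an added example, not code from the clone-deep or kind-of projects and not from any participant in this thread. It assumes clone-deep declares `"kind-of": "^6.0.2"` (a caret range), that 6.0.2 is the vulnerable release and 6.0.3 the fixed one as the issue states, and it uses a constructed lockfile-v1-shaped tree rather than a real lockfile. It implements only caret-range semantics, which is all this case needs.

```javascript
// Added example (not clone-deep's or kind-of's own code).
// Assumptions: clone-deep declares "kind-of": "^6.0.2"; 6.0.2 is vulnerable
// (CVE-2019-20149) and 6.0.3 is fixed; the lock tree below is constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal npm caret semantics: ^X.Y.Z allows >=X.Y.Z and <(X+1).0.0 when X>0,
// <0.(Y+1).0 when X is 0 and Y>0, and only exactly 0.0.Z otherwise.
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are modelled: ${range}`);
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (compareVersions(version, range.slice(1)) < 0) return false;
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Which known-bad versions does the declared range still accept?
// A range is only "safe" when this returns an empty list.
function vulnerableVersionsAdmitted(range, knownVulnerable) {
  return knownVulnerable.filter((v) => caretSatisfies(range, v));
}

// Simulated dedupe: if a copy already hoisted at the top of node_modules
// satisfies the range, the package manager reuses it instead of fetching the
// newest matching release. This is the path that keeps 6.0.2 in use even
// though 6.0.3 exists.
function resolveWithDedupe(range, hoistedVersion, newestVersion) {
  if (hoistedVersion && caretSatisfies(range, hoistedVersion)) {
    return { version: hoistedVersion, deduped: true };
  }
  if (!caretSatisfies(range, newestVersion)) throw new Error('no matching release');
  return { version: newestVersion, deduped: false };
}

// Walk a lockfile-v1-shaped tree and list every installed copy of `name`,
// flagging the ones on the vulnerable list. This is the check a scanner
// performs on what is actually installed, independent of the declared range.
function auditLockTree(tree, name, knownVulnerable, path = []) {
  const hits = [];
  for (const [dep, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) {
      hits.push({
        path: here.join(' > '),
        version: node.version,
        vulnerable: knownVulnerable.includes(node.version),
      });
    }
    hits.push(...auditLockTree(node, name, knownVulnerable, here));
  }
  return hits;
}

const KNOWN_VULNERABLE = ['6.0.2']; // per the issue: fixed in 6.0.3

// Constructed lock tree (not a real lockfile): another dependency already
// pinned kind-of 6.0.2 at the top level, and clone-deep's "^6.0.2" was
// satisfied by that hoisted copy, so no nested 6.0.3 was installed.
const constructedLock = {
  dependencies: {
    'kind-of': { version: '6.0.2' },
    'clone-deep': { requires: { 'kind-of': '^6.0.2' } },
  },
};

console.log(vulnerableVersionsAdmitted('^6.0.2', KNOWN_VULNERABLE)); // ['6.0.2']
console.log(vulnerableVersionsAdmitted('^6.0.3', KNOWN_VULNERABLE)); // []
console.log(resolveWithDedupe('^6.0.2', '6.0.2', '6.0.3')); // { version: '6.0.2', deduped: true }
console.log(resolveWithDedupe('^6.0.3', '6.0.2', '6.0.3')); // { version: '6.0.3', deduped: false }
console.log(auditLockTree(constructedLock, 'kind-of', KNOWN_VULNERABLE));
```

The two resolutions show the disagreement in the thread: with `^6.0.2` declared, the hoisted 6.0.2 satisfies the range and is reused; with `^6.0.3` declared, it does not, and the package manager must install 6.0.3. Bumping the floor in package.json is what removes the vulnerable version from the set of acceptable resolutions; relying on "newest wins" only holds until a pin, lockfile or dedupe elsewhere in the tree says otherwise.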

@jonschlinkert
Copy link
Owner

Closing based on age and since this is 100% the responsibility and/or failing of the package manager.

Repository owner locked as resolved and limited conversation to collaborators Jul 12, 2023