Summary
Our meow dependency (which we use for our CLI) depended on [email protected] . A vulnerability in this version of semver was recently identified and surfaced by npm audit:
Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
Details
Original post by the reporter:
"my npm audit show the report
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available
And my dependencies tree for semver show your package
├─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected] deduped
I found that [email protected] contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."
Update your package to use the 'meow' version >=10"
PoC
N/A
Impact
We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.
⬇️ EDITED AFTER PUBLISHED ⬇️
Security fix backported to older semver versions
The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.
So, you can fix this vulnerability by just updating semver in your project's dependency tree, instead of updating stylelint. For details, see the example:
package.json:
{
"dependencies": {
"stylelint": "15.10.0"
}
}Run npm audit (here is no alert for semver):
$ npm ci
...
$ npm audit
...
stylelint 8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/stylelint
1 low severity vulnerability
...
$ npm ls semver
...
└─┬ [email protected]
└─┬ [email protected]
├─┬ [email protected]
│ └── [email protected]
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]References
romainmenke Remediation developer
Summary
Our
meowdependency (which we use for our CLI) depended on[email protected]. A vulnerability in this version ofsemverwas recently identified and surfaced bynpm audit:Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
Details
Original post by the reporter:
"my npm audit show the report
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available
And my dependencies tree for semver show your package
├─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected] deduped
I found that [email protected] contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."
Update your package to use the 'meow' version >=10"
PoC
N/A
Impact
We anticipate the impact to be low as Stylelint is a dev tool and
meowis only used on the CLI pathway.⬇️ EDITED AFTER PUBLISHED ⬇️
Security fix backported to older
semverversionsThe same security fix has been backported to older
semverversions of 5.x and 6.x. See the CVE-2022-25883 details.So, you can fix this vulnerability by just updating
semverin your project's dependency tree, instead of updatingstylelint. For details, see the example:package.json:{ "dependencies": { "stylelint": "15.10.0" } }Run
npm audit(here is no alert forsemver):References