Skip to content

CVE-2022-38900 fix for npm v6 #6010

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 41 commits into from
Closed

CVE-2022-38900 fix for npm v6 #6010

wants to merge 41 commits into from

Conversation

c3ivodujmovic
Copy link

@c3ivodujmovic c3ivodujmovic commented Dec 31, 2022
edited
Loading

[email protected] see GHSA-5698-6q73-gp8h

darcyclarke and others added 30 commits November 14, 2022 16:20
@darcyclarke
updated lockfile
be23b61
@darcyclarke
[email protected]
382d72b
@darcyclarke
[email protected]
9918f59
@darcyclarke
[email protected]
f55bd65
@darcyclarke
[email protected]
cd48946
@darcyclarke
[email protected]
023d7e9
@darcyclarke
[email protected]
dd2811c
@darcyclarke
[email protected]
e21b6eb
@darcyclarke
[email protected]
2bec581
@darcyclarke
[email protected]
2734851
@darcyclarke
[email protected]
720f8ae
@darcyclarke
[email protected]
5f1200e
@darcyclarke
[email protected]
58b74a3
@darcyclarke
[email protected]
4b60965
@darcyclarke
[email protected]
8fe80a2
@darcyclarke
[email protected]
14c7a1a
@darcyclarke
[email protected]
06d9cef
@darcyclarke
[email protected]
1d2da35
@darcyclarke
[email protected]
22eda3a
@darcyclarke
[email protected]
b77a7f1
@darcyclarke
[email protected]
de37398
@darcyclarke
[email protected]
196650b
@darcyclarke
[email protected]
3218c16
@darcyclarke
[email protected]
0f5d579
@darcyclarke
[email protected]
43ed5c2
@darcyclarke
[email protected]
31b51c5
@darcyclarke
[email protected]
209a79d
@darcyclarke
[email protected]
4778a8d
@darcyclarke
updated lockfile
442ff7a
@ruyadorno
chore: update expected integrity value in test
f391ca8
@c3ivodujmovic c3ivodujmovic requested a review from a team as a code owner December 31, 2022 01:57
@c3ivodujmovic c3ivodujmovic mentioned this pull request Dec 31, 2022
Closed
@girlsavenue girlsavenue mentioned this pull request Jan 1, 2023
Closed
2 tasks
@wraithgar wraithgar closed this Jan 2, 2023
@c3ivodujmovic
Copy link
Author

@wraithgar @ruyadorno what do you guys recommend is the best way to address this issue?

@lukekarrys
Copy link
Contributor

the npm team will audit the vulnerability and create a release for v6 if necessary. currently v6 is only being released with urgent security fixes.

@c3ivodujmovic
Copy link
Author

c3ivodujmovic commented Jan 18, 2023
edited
Loading

Thanks @lukekarrys . Tell me if there is anything I can help.

Background
High CVE https://nvd.nist.gov/vuln/detail/CVE-2022-38900 Improper Input Validation resulting in DoS
Fixed via decode-uri-component update from 0.2.0 to 0.2.1
The latest node version 14.21.2 (LTS) includes this offending code:
(bash)# npm list decode-uri-component
[email protected] /home/c3/node-v14.21.2-linux-x64/lib/node_modules/npm
└─┬ [email protected]
└── [email protected]

@lukekarrys
Copy link
Contributor

[email protected] was released 2022-12-21 which contains [email protected].

└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]

There is an open PR to land this change in node 14 which can be followed to track the progress there: nodejs/node#45936

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@c3ivodujmovic @lukekarrys @wraithgar @darcyclarke @ruyadorno