Bug #25558

open

Ignore DoS in semver npm dependency

Added by Alexis Mousset 3 months ago. Updated 3 months ago.

Status: Pending release
Priority: N/A
Category: Packaging
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression: No

Description

[2024-09-26T21:17:24.295Z] ╔══════════════════════════════════════════════════════════════════════╗
[2024-09-26T21:17:24.295Z] ║                      === list of exceptions ===                      ║
[2024-09-26T21:17:24.295Z] ║                                                                      ║
[2024-09-26T21:17:24.295Z] ║ ID                  │ Status │ Expiry │ Notes                        ║
[2024-09-26T21:17:24.295Z] ║ GHSA-grv7-fg5c-xmjg │ active │        │ Dev dependency vulnerability ║
[2024-09-26T21:17:24.295Z] ╚═════════════════════╧════════╧════════╧══════════════════════════════╝
[2024-09-26T21:17:24.295Z] 
[2024-09-26T21:17:27.672Z] ╔═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╗
[2024-09-26T21:17:27.672Z] ║                                                                                   === npm audit security report ===                                                                                   ║
[2024-09-26T21:17:27.672Z] ║                                                                                                                                                                                                       ║
[2024-09-26T21:17:27.672Z] ║ ID      │ Module       │ Title                                              │ Paths                                              │ Sev.     │ URL                                               │ Ex. ║
[2024-09-26T21:17:27.672Z] ║ 1098094 │ braces       │ Uncontrolled resource consumption in braces        │ braces                                             │ high     │ https://github.com/advisories/GHSA-grv7-fg5c-xmjg │ y   ║
[2024-09-26T21:17:27.672Z] ║         │              │                                                    │ micromatch>braces                                  │          │                                                   │     ║
[2024-09-26T21:17:27.672Z] ║         │              │                                                    │ sass>braces                                        │          │                                                   │     ║
[2024-09-26T21:17:27.672Z] ║ 1096592 │ es5-ext      │ es5-ext vulnerable to Regular Expression Denial of │ es5-ext                                            │ low      │ https://github.com/advisories/GHSA-4gmj-3p3h-gm8h │ n   ║
[2024-09-26T21:17:27.672Z] ║         │              │ Service in `function#copy` and                     │                                                    │          │                                                   │     ║
[2024-09-26T21:17:27.672Z] ║         │              │ `function#toStringTokens`                          │                                                    │          │                                                   │     ║
[2024-09-26T21:17:27.672Z] ║ 1098681 │ micromatch   │ Regular Expression Denial of Service (ReDoS) in    │ anymatch>micromatch                                │ moderate │ https://github.com/advisories/GHSA-952p-6rrq-rcjv │ n   ║
[2024-09-26T21:17:27.672Z] ║         │              │ micromatch                                         │ findup-sync>micromatch                             │          │                                                   │     ║
[2024-09-26T21:17:27.672Z] ║         │              │                                                    │ matchdep>micromatch                                │          │                                                   │     ║
[2024-09-26T21:17:27.672Z] ║         │              │                                                    │ micromatch                                         │          │                                                   │     ║
[2024-09-26T21:17:27.672Z] ║         │              │                                                    │ readdirp>micromatch                                │          │                                                   │     ║
[2024-09-26T21:17:27.672Z] ║ 1094544 │ postcss      │ PostCSS line return parsing error                  │ postcss                                            │ moderate │ https://github.com/advisories/GHSA-7fh5-64p2-3v2j │ n   ║
[2024-09-26T21:17:27.672Z] ║ 1096727 │ request      │ Server-Side Request Forgery in Request             │ request                                            │ moderate │ https://github.com/advisories/GHSA-p8p7-x288-28g6 │ n   ║
[2024-09-26T21:17:27.672Z] ║ 1098563 │ semver       │ semver vulnerable to Regular Expression Denial of  │ semver                                             │ high     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw │ n   ║
[2024-09-26T21:17:27.672Z] ║         │              │ Service                                            │                                                    │          │                                                   │     ║
[2024-09-26T21:17:27.672Z] ║ 1097682 │ tough-cookie │ tough-cookie Prototype Pollution vulnerability     │ tough-cookie                                       │ moderate │ https://github.com/advisories/GHSA-72xf-g2v4-qvf3 │ n   ║
[2024-09-26T21:17:27.673Z] ╚═════════╧══════════════╧════════════════════════════════════════════════════╧════════════════════════════════════════════════════╧══════════╧═══════════════════════════════════════════════════╧═════╝
[2024-09-26T21:17:27.673Z] 
[2024-09-26T21:17:27.673Z] 1 vulnerabilities found. Node security advisories: 1098563
[2024-09-26T21:17:27.673Z] npm ERR! code 1
[2024-09-26T21:17:27.673Z] npm ERR! path /srv/jenkins/workspace/pendencies_branches_rudder_8.1_3/datasources/src/main
[2024-09-26T21:17:27.673Z] npm ERR! command failed
[2024-09-26T21:17:27.673Z] npm ERR! command sh -c better-npm-audit "audit" "--level" "high" 
[2024-09-26T21:17:27.673Z] 
[2024-09-26T21:17:27.673Z] npm ERR! A complete log of this run can be found in:
[2024-09-26T21:17:27.673Z] npm ERR!     /home/jenkins/.npm/_logs/2024-09-26T21_17_27_454Z-debug.log

script returned exit code 1
#1 Updated by Alexis Mousset 3 months ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
#2 Updated by Alexis Mousset 3 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to Vincent MEMBRÉ
  • Pull Request set to https://github.com/Normation/rudder-plugins/pull/759
#3 Updated by Alexis Mousset 3 months ago

  • Status changed from Pending technical review to Pending release
#4 Updated by Alexis Mousset 3 months ago

  • Fix check changed from To do to Checked