
Bump kind-of version for CVE-2019-20149

Open adelyafatykhova opened this issue 6 years ago • 4 comments

Description

Due to CVE-2019-20149, a new version of kind-of has been released.

Since clone-deep uses 6.0.2, this raises security flags.

FYI @jonschlinkert @doowb could you take care of this and release a new version of this package?

adelyafatykhova · Jan 22 '20 13:01

Thanks for the PR, but this isn't necessary right now. 6.0.3 will automatically be used due to the semver range. When other changes are made to this package, we'll merge it in at that time.

doowb · Jan 22 '20 16:01

@doowb sounds good. However, I think as long as 6.0.2 is mentioned in the package.json this will be reported as an issue using security scan tools.

For example, a report using Whitesource from today continues to flag clone-deep as using kind-of v6.0.2, even with 6.0.3 available.


However, weirdly enough, the vulnerability is no longer found in the Whitesource vulnerabilities list, so perhaps the report issue will go away soon as well.

https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-20149/

adelyafatykhova · Jan 23 '20 10:01

Yeah but that’s really a failing of those tools and an encumbrance on maintainers, isn’t it?


jonschlinkert · Jan 23 '20 16:01

this isn't necessary right now. 6.0.3 will automatically be used

that’s really a failing of those tools

This isn't how semver ranges work, and it isn't a failing of those tools; the tools are correct.

clone-deep specifying that 6.0.2 is an acceptable version means that the clone-deep package is telling package managers it can and will work with the vulnerable version of kind-of. Package managers will usually use 6.0.3 (or the latest patch version) but may select a lower version for use depending on their dependency-resolution options: e.g. they may de-dupe multiple package dependencies of various packages if kind-of is used in multiple places.

clone-deep is vulnerable by not explicitly requiring a secure version of kind-of in package.json.

edwardgalligan · Mar 16 '20 12:03
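The range argument above, as an added example that is not clone-deep's own code: it assumes clone-deep declares "kind-of": "^6.0.2" and that 6.0.3 is the release that fixes CVE-2019-20149, and it models only caret, tilde and exact ranges.

```javascript
// Added example (not clone-deep's code): why a scanner flags "^6.0.2" even
// though 6.0.3 exists. Handles "^x.y.z", "~x.y.z" and exact "x.y.z" only.
// clone-deep's "^6.0.2" declaration and the 6.0.3 fix version are assumptions
// taken from the discussion above, not read from the real package.
const parse = (v) => v.split('.').map(Number);

// Numeric x.y.z comparison: -1, 0 or 1.
function compare(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Floor of a range is its base version; ceiling (exclusive) follows the operator.
function minVersion(range) { return range.replace(/^[\^~]/, ''); }
function maxExclusive(range) {
  const [maj, min] = parse(minVersion(range));
  if (range[0] === '^') return maj > 0 ? `${maj + 1}.0.0` : `0.${min + 1}.0`;
  if (range[0] === '~') return `${maj}.${min + 1}.0`;
  return null; // exact pin: only that one version is accepted
}

function satisfies(range, version) {
  const lo = minVersion(range), hi = maxExclusive(range);
  if (hi === null) return compare(version, lo) === 0;
  return compare(version, lo) >= 0 && compare(version, hi) < 0;
}

// A range still admits a vulnerable release if its floor is below the fix.
function rangeAdmitsVulnerable(range, fixedVersion) {
  return compare(minVersion(range), fixedVersion) < 0;
}

// Dedupe model: a resolver may pick one version shared by every dependant,
// provided that version satisfies each dependant's range.
function canDedupeTo(ranges, version) {
  return ranges.every((r) => satisfies(r, version));
}

// Scanner-style pass over a package.json "dependencies" map.
function flagDependencies(deps, fixes) {
  return Object.entries(deps)
    .filter(([n, r]) => n in fixes && rangeAdmitsVulnerable(r, fixes[n]))
    .map(([n, r]) => `${n}@${r} admits versions below ${fixes[n]}`);
}

// Constructed sample: the assumed range next to a sibling package that pins 6.0.2.
const FIXES = { 'kind-of': '6.0.3' };
console.log(flagDependencies({ 'kind-of': '^6.0.2' }, FIXES), flagDependencies({ 'kind-of': '^6.0.3' }, FIXES));
console.log(canDedupeTo(['^6.0.2', '6.0.2'], '6.0.2'), canDedupeTo(['^6.0.3', '6.0.2'], '6.0.2'));
```

The second line of output shows the dedupe case from the comment: with "^6.0.2" a resolver may legitimately share a sibling's pinned 6.0.2, while "^6.0.3" rules that choice out.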

Closing based on age and since this is 100% the responsibility and/or failing of the package manager.

jonschlinkert · Jul 12 '23 23:07