Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Publish a new release with send >= 0.19.0; CVE-2024-43799 #2086

Closed
sdavids opened this issue Sep 15, 2024 · 14 comments
Closed

Publish a new release with send >= 0.19.0; CVE-2024-43799 #2086

sdavids opened this issue Sep 15, 2024 · 14 comments

Comments

@sdavids
Copy link

sdavids commented Sep 15, 2024

$ mkdir /tmp/test && cd "$_"
$ npm i --save-dev browser-sync@3.0.2
$ npm audit
# npm audit report

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install browser-sync@2.26.2, which is a breaking change
node_modules/send
  browser-sync  >=2.12.1
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/browser-sync
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static


3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
@sdavids sdavids changed the title Publish a new release with send >= 0.19.0 Publish a new release with send >= 0.19.0; CVE-2024-43799 Sep 15, 2024
@max-holland
Copy link

+1

@yokoishioka
Copy link

I just submitted a PR for this and to resolve the one for sever-static as well: #2087

@rmch91
Copy link

rmch91 commented Sep 18, 2024

+1

@shakyShane
Copy link
Contributor

I'll sort this later today, thanks :)

@rmch91
Copy link

rmch91 commented Sep 23, 2024

Hello, any updates on this?

@shakyShane
Copy link
Contributor

#2088

@shakyShane
Copy link
Contributor

browser-sync@3.0.3

@sdavids
Copy link
Author

sdavids commented Sep 24, 2024

@sdavids
Copy link
Author

sdavids commented Sep 24, 2024

If the CHANGELOG is obsolete then it should be mentioned in the file's header.

@sdavids
Copy link
Author

sdavids commented Sep 24, 2024

On a side note:

Not publishing proper changes opens the door to supply-chain attacks, cf. xz fiasco.

@shakyShane
Copy link
Contributor

https://github.com/BrowserSync/browser-sync/releases/tag/v3.0.3

  • changelog deleted

Not publishing proper changes opens the door to supply-chain attacks, cf. xz fiasco.

Can you explain your concern a little further? In terms of publishing this package to npm - I still do it manually to this day exactly so I can be sure what goes into each - but perhaps you're talking about some other angle?

@sdavids
Copy link
Author

sdavids commented Sep 24, 2024

I guess

"generate-changelog": "^1.7.0",

could be deleted as well then.

@sdavids
Copy link
Author

sdavids commented Sep 24, 2024

What I mentioned was:

There is a new version published to NPM and one cannot find any release notes/change log.

Reading the release notes should be the minimum one does before upgrading.

But some people do not care or use non-pinned versions 🤷


Maybe you might want to use provenance in the future:

https://docs.npmjs.com/searching-for-and-choosing-packages-to-download#package-provenance

https://docs.npmjs.com/generating-provenance-statements

https://jsr.io/docs/trust

@sdavids
Copy link
Author

sdavids commented Sep 24, 2024

$ npm audit signatures

is useless in a way though.

Unless you use ignore-scripts with npm i, ideally in your global .npmrc:

ignore-scripts=true

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants