Summary
Our meow dependency (which we use for our CLI) depended on semver@5.7.1 . A vulnerability in this version of semver was recently identified and surfaced by npm audit:
Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
Details
Original post by the reporter:
"my npm audit show the report
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available
And my dependencies tree for semver show your package
├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│ └─┬ read-pkg-up@7.0.1
│ └─┬ read-pkg@5.2.0
│ └─┬ normalize-package-data@2.5.0
│ └── semver@5.7.1 deduped
I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."
Update your package to use the 'meow' version >=10"
PoC
N/A
Impact
We anticipate the impact to be low as Stylelint is a dev tool and meow is only used on the CLI pathway.
⬇️ EDITED AFTER PUBLISHED ⬇️
Security fix backported to older semver versions
The same security fix has been backported to older semver versions of 5.x and 6.x. See the CVE-2022-25883 details.
So, you can fix this vulnerability by just updating semver in your project's dependency tree, instead of updating stylelint. For details, see the example:
package.json:
{
"dependencies": {
"stylelint": "15.10.0"
}
}Run npm audit (here is no alert for semver):
$ npm ci
...
$ npm audit
...
stylelint 8.0.0 - 15.10.0
Stylelint has vulnerability in semver dependency - https://github.com/advisories/GHSA-f7xj-rg7h-mc87
fix available via `npm audit fix --force`
Will install stylelint@15.10.1, which is outside the stated dependency range
node_modules/stylelint
1 low severity vulnerability
...
$ npm ls semver
...
└─┬ stylelint@15.10.0
└─┬ meow@9.0.0
├─┬ normalize-package-data@3.0.3
│ └── semver@7.5.4
└─┬ read-pkg-up@7.0.1
└─┬ read-pkg@5.2.0
└─┬ normalize-package-data@2.5.0
└── semver@5.7.2
romainmenke Remediation developer
Summary
Our
meowdependency (which we use for our CLI) depended onsemver@5.7.1. A vulnerability in this version ofsemverwas recently identified and surfaced bynpm audit:Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
Details
Original post by the reporter:
"my npm audit show the report
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
No fix available
And my dependencies tree for semver show your package
├─┬ stylelint@15.9.0
│ └─┬ meow@9.0.0
│ └─┬ read-pkg-up@7.0.1
│ └─┬ read-pkg@5.2.0
│ └─┬ normalize-package-data@2.5.0
│ └── semver@5.7.1 deduped
I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it."
Update your package to use the 'meow' version >=10"
PoC
N/A
Impact
We anticipate the impact to be low as Stylelint is a dev tool and
meowis only used on the CLI pathway.⬇️ EDITED AFTER PUBLISHED ⬇️
Security fix backported to older
semverversionsThe same security fix has been backported to older
semverversions of 5.x and 6.x. See the CVE-2022-25883 details.So, you can fix this vulnerability by just updating
semverin your project's dependency tree, instead of updatingstylelint. For details, see the example:package.json:{ "dependencies": { "stylelint": "15.10.0" } }Run
npm audit(here is no alert forsemver):