Fix CVE-2023-43646 get-func-name module security issue #1081
Conversation
@SanjalKatiyar, @bipuladh Please review
5eab270 to ec79e74
This is not a correct fix. Assuming the description of the PR is correct and "broccoli-output-wrapper" is affected, then you need to fix the existing package which is the cause of this instead of adding a new package directly to your dependencies.

Also, you mentioned:

Sorry, it's a sub-dependency for broccoli-output-wrapper used by the chai module

Can you send me the yarn.lock file's exact line (in our odf-console) where
or maybe, the place where we are defining
package.json
Outdated
| "@types/react-dnd-html5-backend": "^3.0.2", | ||
| "@types/lodash-es": "^4.17.4", | ||
| "buffer": "^6.0.3", | ||
| "get-func-name": "^2.0.1", |
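Review bot: Adding "get-func-name": "^2.0.1" as a direct dependency does not fix the path described in the PR (broccoli-output-wrapper -> chai -> get-func-name): a direct entry installs one more top-level package, it does not replace the version that chai's own dependency range resolves to. If that transitive version really needs pinning, do it where Yarn honours it, a "resolutions" entry in package.json for get-func-name or an upgrade of the package that pulls chai in, and drop this line so odf-console does not carry a package nothing in it imports.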
I don't understand the need to introduce a new package.
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]
The most recent available version of the broccoli-output-wrapper package holds a devDependency on chai ^4.2.0, which included a version of get-func-name vulnerable to CVE-2023-43646. This CVE is fixed in get-func-name version 2.0.1 and above, and the fixed/higher version is used only in Chai version 4.3.10 (chaijs/chai#1540). I could see the entry of get-func-name only in node_modules/broccoli-output-wrapper/yarn.lock after I do yarn install. And I agree, we do not need this package and this CVE will not affect our component as we do not directly consume this anywhere.
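As an added example (not code from the odf-console project or from this PR), the check the author did by hand in the comment above, finding which get-func-name version a lockfile actually resolves and which entries pull it in, can be scripted. The Node script below parses a Yarn v1 lockfile and reports each resolved version of a package, its dependents, and whether that version is below a given fixed release. The lockfile text embedded in it is constructed for the demo (its version numbers are illustrative, not a claim about real chai or loupe releases), and the function names parseYarnLockV1, compareVersions and auditLockfile are my own.

```javascript
'use strict';

// Added example, not code from the odf-console project or this PR: audit a
// Yarn v1 lockfile for every resolved version of one package, report which
// lockfile entries pull each version in, and flag versions below the fixed
// release. SAMPLE_LOCK further down is constructed for the demo.

// Parse Yarn v1 lockfile text into a map of "<name>@<range>" -> entry.
// An entry with several keys ("a@^1.0.0, a@^1.2.0:") is stored once per key.
function parseYarnLockV1(text) {
  const entries = {};
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 0 && body.endsWith(':')) {
      // Header line: comma-separated keys, each optionally double-quoted.
      const keys = body.slice(0, -1).split(',').map(k => k.trim().replace(/^"|"$/g, ''));
      // Strip the range after the last '@'; scoped names keep their leading '@'.
      const name = keys[0].slice(0, keys[0].lastIndexOf('@'));
      current = { keys, name, version: null, dependencies: {} };
      for (const k of keys) entries[k] = current;
      inDeps = false;
    } else if (current && indent === 2) {
      // version/resolved/integrity lines, or the start of a dependencies block.
      inDeps = body === 'dependencies:' || body === 'optionalDependencies:';
      const m = body.match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
    } else if (current && inDeps && indent === 4) {
      // Dependency line: name "range" (name is quoted when it contains '@' or '/').
      const m = body.match(/^"?([^"\s]+)"?\s+"([^"]+)"$/);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Numeric compare of dotted versions (pre-release suffixes ignored): <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Report each resolved version of `pkg`: whether it is older than `fixedIn`
// and which entries (name@version) depend on it. Sorted oldest first.
function auditLockfile(lockText, pkg, fixedIn) {
  const entries = parseYarnLockV1(lockText);
  const unique = [...new Set(Object.values(entries))];
  const byVersion = new Map();
  for (const e of unique) {
    if (e.name !== pkg || e.version === null) continue;
    if (!byVersion.has(e.version)) {
      byVersion.set(e.version, {
        version: e.version,
        vulnerable: compareVersions(e.version, fixedIn) < 0,
        dependents: new Set(),
      });
    }
  }
  for (const e of unique) {
    const range = e.dependencies[pkg];
    if (range === undefined) continue;
    // The lockfile key "<pkg>@<range>" tells us which version this range resolved to.
    const target = entries[`${pkg}@${range}`];
    if (target && byVersion.has(target.version)) {
      byVersion.get(target.version).dependents.add(`${e.name}@${e.version}`);
    }
  }
  return [...byVersion.values()]
    .map(v => ({ version: v.version, vulnerable: v.vulnerable, dependents: [...v.dependents].sort() }))
    .sort((a, b) => compareVersions(a.version, b.version));
}

// Constructed lockfile: chai resolves get-func-name to 2.0.0 while loupe's
// range resolves to a fixed 2.0.2, so both copies coexist in the lockfile.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"chai@^4.2.0":
  version "4.3.7"
  dependencies:
    get-func-name "^2.0.0"
    loupe "^2.3.1"

get-func-name@^2.0.0:
  version "2.0.0"

get-func-name@^2.0.1:
  version "2.0.2"

loupe@^2.3.1:
  version "2.3.6"
  dependencies:
    get-func-name "^2.0.1"
`;

if (typeof require !== 'undefined' && require.main === module) {
  // Real use: auditLockfile(require('fs').readFileSync('yarn.lock', 'utf8'), 'get-func-name', '2.0.1')
  console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK, 'get-func-name', '2.0.1'), null, 2));
}
```

Only packages present in the lockfile are reported, so a devDependency of a transitive package (chai for broccoli-output-wrapper, as the thread notes) shows up only if something in your own tree pulls it in; an empty report for get-func-name against the odf-console yarn.lock is the scripted form of the "no entry in yarn.lock" observation made in this thread.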
The most recent available version of the broccoli-output-wrapper package holds a devDependency on chai ^4.2.0, which included a version of get-func-name vulnerable to CVE-2023-43646. This CVE is fixed in get-func-name version 2.0.1 and above. This PR fixes this issue by updating the Chai version to 4.3.10. Signed-off-by: Timothy Asir Jeyasingh <[email protected]>
ec79e74 to d64176c
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: TimothyAsirJeyasing. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
bipuladh
left a comment
Why are we introducing chai?
odf-console is not affected by "get-func-name" in the production environment; it is just used as an internal dependency for chai.
└─┬ [email protected]
We are not at all using the packages chai or get-func-name (and we do not have any entry either in yarn.lock). Chai is used only as a dev-dependency for broccoli-output-wrapper. Initially I was a bit confused about the sub-dependencies. There is no fix required for this. I will close this PR and move the bz to on-qa with this note.

/close
@TimothyAsirJeyasing: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
broccoli-output-wrapper uses get-func-name module version 2.0.0, which has some security issues.
It's fixed in version 2.0.1.
Signed-off-by: Timothy Asir Jeyasingh [email protected]