Replace @pkg/nv with https.request call #27
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
RafaelGSS
approved these changes
Nov 4, 2024
|
I'm going to merge & land it tomorrow |
|
Verified that v0.12.18$ npm install -g [email protected] && is-my-node-vulnerable
...
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
v0.12.18 is end-of-life. There are high chances of being vulnerable. Please upgrade it.v4.9.1$ npm install -g [email protected] && is-my-node-vulnerable
...
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
v4.9.1 is end-of-life. There are high chances of being vulnerable. Please upgrade it.v6.17.1$ npm install -g [email protected] && is-my-node-vulnerable
...
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
v6.17.1 is end-of-life. There are high chances of being vulnerable. Please upgrade it.v8.17.0$ npx [email protected]
...
npx: installed 57 in 6.054s
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
v8.17.0 is end-of-life. There are high chances of being vulnerable. Please upgrade it.v10.24.1$ npx [email protected]
npx: installed 57 in 2.901s
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
v10.24.1 is end-of-life. There are high chances of being vulnerable. Please upgrade it.v12.22.12$ npx [email protected]
npx: installed 57 in 2.669s
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
v12.22.12 is end-of-life. There are high chances of being vulnerable. Please upgrade it.v14.21.3$ npx [email protected]
npx: installed 57 in 3.499s
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
v14.21.3 is end-of-life. There are high chances of being vulnerable. Please upgrade it.v16.20.2$ npx [email protected]
Need to install the following packages:
[email protected]
Ok to proceed? (y) y
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
v16.20.2 is end-of-life. There are high chances of being vulnerable. Please upgrade it.v18.17.0$ npx [email protected]
██████ █████ ███ ██ ██████ ███████ ███████
██ ██ ██ ██ ████ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ███ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ██ ██ ██ ████ ██████ ███████ ██ ██
The current Node.js version (v18.17.0) is vulnerable to the following CVEs:
CVE-2023-32002: The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
Patched versions: ^16.20.2 || ^18.17.1 || ^20.5.1
=
CVE-2023-32006: The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
Patched versions: ^16.20.2 || ^18.17.1 || ^20.5.1
=
CVE-2023-32559: The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') run arbitrary code, outside of the limits defined in a policy.json file.
Patched versions: ^16.20.2 || ^18.17.1 || ^20.5.1
=
CVE-2023-45143(low): Cookie headers are not cleared in cross-domain redirect in undici-fetch (High)
Patched versions: ^18.18.2 || ^20.8.1
=
CVE-2023-44487(high): Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound causes denial of service (High)
Patched versions: ^18.18.2 || ^20.8.1
=
CVE-2023-38552(medium): Integrity checks according to experimental policies can be circumvented (Medium)
Patched versions: ^18.18.2 || ^20.8.1
=
CVE-2023-39333(low): Code injection via WebAssembly export names (Low)
Patched versions: ^18.18.2 || ^20.8.1
=
CVE-2023-46809(medium): A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel during PKCS#1 v1.5 padding error handling.
Patched versions: ^18.19.1 || ^20.11.1 || ^21.6.2
=
CVE-2024-21892(high): Code injection and privilege escalation through Linux capabilities
Patched versions: ^18.19.1 || ^20.11.1 || ^21.6.2
=
CVE-2024-22019(high): A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS).
Patched versions: ^18.19.1 || ^20.11.1 || ^21.6.2
=
CVE-2024-22025: A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.
Patched versions: ^18.19.1 || ^20.11.1 || ^21.6.2
=
CVE-2024-27983(high): An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
Patched versions: ^18.20.1 || ^20.12.1 || ^21.7.2
=
CVE-2024-27982(medium): The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
Patched versions: ^18.20.1 || ^20.12.1 || ^21.7.2
=
CVE-2024-22020(medium): A security flaw in Node.js allows a bypass of network import restrictions.
By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.
Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.
Exploiting this flaw can violate network import security, posing a risk to developers and servers.
Patched versions: ^18.20.4 || ^20.15.1 || ^22.4.1
=v18.20.4$ npx [email protected]
█████ ██ ██ ██████ ██████ ██████ ██████ ██
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
███████ ██ ██ ██ ███ ██ ██ ██ ██ ██ ██ ██
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ███████ ██████ ██████ ██████ ██████ ██ |
@RafaelGSS Land undici replacement first as Refs: #26 (comment) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Refs: #19