npm i eslint-config-airbnb-base results in 4 high severity vulnerabilities #2703
Comments
What are those vulnerabilities? Note that any "prototype pollution" vulns simply don't apply to usage in an eslint context.
This is the output of npm audit (apparently it wants me to downgrade from 15.0.0 to 14.2.1 to fix):
I'm not sure how to read this, but it looks like eslint-plugin-import is to blame for at least 3 of those vulnerabilities. 1 of them might still be caused by eslint-config-airbnb-base, but I'm not sure. I'm assuming you're right about the prototype pollution not being an issue, but it would be great if we could somehow prevent these high severity vulnerabilities from popping up. Otherwise we get used to red flags in the output, and don't notice when something really is dangerous.
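The question above, "how to read this", is answerable from the machine-readable form of the same report. The following is an added example, not code from the thread or from the eslint-config-airbnb project: it takes an `npm audit --json` report (auditReportVersion 2, the format npm 7 and later emit) and walks each advisory up its `effects` chain to the direct dependency that pulled the vulnerable package in. The sample report is constructed; the package names follow the thread, but the exact chain json5 -> tsconfig-paths -> eslint-plugin-import, the advisory title and the fix suggestion are assumptions for illustration, not a real capture.

```javascript
// Added example, not code from the thread or from the eslint-config-airbnb project:
// trace each advisory in an `npm audit --json` report (auditReportVersion 2)
// up its `effects` chain to the direct dependency that pulled it in.

// Constructed sample report. Package names follow the thread; the chain,
// the advisory title, the ranges and the fix suggestion are assumptions.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    json5: {
      name: "json5",
      severity: "high",
      isDirect: false,
      // An object entry in `via` is the advisory itself; a string entry names
      // another vulnerable package that this one merely depends on.
      via: [{ name: "json5", title: "Prototype Pollution", severity: "high", range: "<1.0.2" }],
      effects: ["tsconfig-paths"],
      range: "<1.0.2",
      // An object here means npm can only fix by changing this top-level
      // package; isSemVerMajor flags a major bump (or a downgrade, as in the thread).
      fixAvailable: { name: "eslint-config-airbnb-base", version: "14.2.1", isSemVerMajor: true },
    },
    "tsconfig-paths": {
      name: "tsconfig-paths",
      severity: "high",
      isDirect: false,
      via: ["json5"],
      effects: ["eslint-plugin-import"],
      range: "*",
      fixAvailable: { name: "eslint-config-airbnb-base", version: "14.2.1", isSemVerMajor: true },
    },
    "eslint-plugin-import": {
      name: "eslint-plugin-import",
      severity: "high",
      isDirect: true,
      via: ["tsconfig-paths"],
      effects: [],
      range: "*",
      fixAvailable: { name: "eslint-config-airbnb-base", version: "14.2.1", isSemVerMajor: true },
    },
  },
};

// Packages whose `via` contains an advisory record are the actual root causes;
// everything else is just on the path between them and your package.json.
function advisoryRoots(report) {
  return Object.values(report.vulnerabilities).filter((v) =>
    v.via.some((entry) => typeof entry === "object" && entry !== null),
  );
}

// For each root cause, every path of `effects` up to a direct dependency.
// Stops at packages missing from the report and refuses to loop on cycles.
function blameChains(report) {
  const vulns = report.vulnerabilities;
  const chains = {};
  for (const root of advisoryRoots(report)) {
    const paths = [];
    const walk = (name, path) => {
      const here = [...path, name];
      const entry = vulns[name];
      const onward = entry ? (entry.effects || []).filter((e) => !here.includes(e)) : [];
      if (!entry || entry.isDirect || onward.length === 0) {
        paths.push(here);
        return;
      }
      for (const next of onward) walk(next, here);
    };
    walk(root.name, []);
    chains[root.name] = paths;
  }
  return chains;
}

// Human-readable summary: root cause, severity, how npm proposes to fix it,
// and the dependency chain that makes it show up in your install.
function summarize(report) {
  const lines = [];
  for (const [root, paths] of Object.entries(blameChains(report))) {
    const { severity, fixAvailable } = report.vulnerabilities[root];
    const fix =
      typeof fixAvailable === "object"
        ? `${fixAvailable.name}@${fixAvailable.version}${fixAvailable.isSemVerMajor ? " (semver-major change)" : ""}`
        : fixAvailable ? "yes" : "none";
    lines.push(`${root} [${severity}] fix: ${fix}`);
    for (const p of paths) lines.push(`  via ${p.join(" -> ")}`);
  }
  return lines.join("\n");
}

console.log(summarize(sampleReport));
```

Run it against a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync("audit.json"))` in place of the constructed object. The count npm prints is one line per package on the chain, not one per advisory, which is why a single advisory in a leaf package can surface as several "high severity vulnerabilities".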
json5 v1.0.2 has the fix, and the CVE just needs to be updated. I agree with you, but since 99.99999% of CVE warnings in the JS ecosystem are false positives like this, it's pretty unavoidable.
I opened github/advisory-database#1548 in order to get the CVE fixed.
@BGehrels no need, github/advisory-database#1541 already exists. Again, the best thing for most people in the industry to do when there's a CVE is nothing. Just wait, things will shake out.
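The point made earlier in the thread, that a prototype-pollution finding in a config-parsing dependency only matters when the parsed document is attacker-controlled, is easier to see with a deliberately small merge routine. What follows is an added example, not code from the thread, from json5 or from eslint; the two merge functions and the payload are constructed for illustration. In an eslint run the documents being parsed are the developer's own config files, which is why the advisory is treated as noise here; the same routine becomes a real bug the moment it is fed a document from an untrusted source.

```javascript
// Added example, not code from the thread, from json5 or from eslint:
// why a "prototype pollution" bug in a config parser is only a vulnerability
// when the parsed document comes from someone other than the developer.

// A deliberately naive deep merge of the kind that gets CVEs filed against it:
// it walks into `target[key]` for every key, so a key literally named
// "__proto__" resolves to Object.prototype and the merge writes into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened version: refuse the keys that reach the prototype chain, and only
// descend into properties the target actually owns.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isPlainObject = (v) => typeof v === "object" && v !== null && !Array.isArray(v);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload standing in for an untrusted JSON/JSON5 document. Note
// that JSON.parse keeps "__proto__" as an ordinary own key, so Object.keys()
// hands it straight to the merge.
const UNTRUSTED_CONFIG = '{"rules": {"no-eval": "error"}, "__proto__": {"polluted": true}}';

function demo() {
  const payload = JSON.parse(UNTRUSTED_CONFIG);
  const before = ({}).polluted;        // undefined: nothing polluted yet
  unsafeMerge({}, payload);
  const afterUnsafe = ({}).polluted;   // true: every object in the process now has it
  delete Object.prototype.polluted;    // undo so the rest of the process is unaffected
  const safeResult = safeMerge({}, payload);
  const afterSafe = ({}).polluted;     // undefined: the forbidden key was skipped
  return { before, afterUnsafe, afterSafe, safeResult };
}

console.log(demo());
```

The "vulnerability" is the `unsafeMerge` shape; the exploit condition is that `UNTRUSTED_CONFIG` is untrusted. When the only document a tool ever parses is one the developer wrote, the second condition never holds, and upgrading the lockfile when the fixed release lands is the whole remediation.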
This comment was marked as spam.
json5 v1.0.2 has been released which fixes this CVE, and the github advisory PR is merged, so just update your lockfiles and you'll be fine.
Hello @ljharb sir, I commented earlier in this thread but my comment was put in the spam section. It said: "Hey, I'm a newcomer in this project, I would like to contribute." So as you know from that comment, I am a newcomer and I would like to contribute to this project.
@govind15496 ah, sorry - there was nothing for anyone to do here, and those kinds of comments are typically done in a spammy fashion. In any project that has a "help wanted" or similar label, the best thing to do is just start looking at those. However, this project doesn't often require community contributions, so it's probably not the best one to start on - but if you're interested, I'd start here: https://github.com/airbnb/javascript/issues?q=is%3Aissue+is%3Aopen+label%3A%22pull+request+wanted%22
Thanks
It seems installing eslint-config-airbnb-base includes some vulnerabilities:
Output: found 0 vulnerabilities
Output: 4 high severity vulnerabilities