npm i eslint-config-airbnb-base results in 4 high severity vulnerabilities #2703

Closed
livinglogic-nl opened this issue Dec 30, 2022 · 11 comments

@livinglogic-nl

It seems installing eslint-config-airbnb-base includes some vulnerabilities:

npm uninstall eslint-config-airbnb-base

Output: found 0 vulnerabilities

npm install eslint-config-airbnb-base

Output: 4 high severity vulnerabilities

@ljharb
Collaborator

ljharb commented Dec 30, 2022

What are those vulnerabilities?

Note that any "prototype pollution" vulns simply don't apply to usage in an eslint context.

@livinglogic-nl
Author

livinglogic-nl commented Dec 30, 2022

This is the output of npm audit (apparently it wants me to downgrade from 15.0.0 to 14.2.1 to fix):

Will install eslint-config-airbnb-base@14.2.1, which is a breaking change
node_modules/json5
  tsconfig-paths  3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
  Depends on vulnerable versions of json5
  node_modules/tsconfig-paths
    eslint-plugin-import  >=2.24.2
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-plugin-import
      eslint-config-airbnb-base  >=15.0.0
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/eslint-config-airbnb-base

I'm not sure how to read this, but it looks like eslint-plugin-import is to blame for at least 3 of those vulnerabilities. 1 of them might still be caused by eslint-config-airbnb-base, but I'm not sure.

I'm assuming you're right about the prototype pollution not being an issue, but it would be great if we somehow could prevent these high severity vulnerabilities from popping up.

Otherwise we get used to red flags in the output, and don't notice when something really is dangerous.
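
In the tree quoted above, all four flagged packages sit on a single dependency chain that ends in json5, which is why one advisory shows up as four findings. The script below is an added example, not code from this thread or from the airbnb/javascript project: it walks `npm audit --json` output back to the advisory behind each flagged package. It assumes the npm 7+ report shape (`vulnerabilities[name].via` holding advisory objects or package names), and the sample report is constructed.

```javascript
// Added example, not code from the issue thread or the airbnb/javascript project.
// Walks an `npm audit --json` report (npm 7+ shape, assumed here: each entry in
// `vulnerabilities` has `via` with advisory objects or names of other vulnerable packages).
// Constructed sample mirroring the quoted tree; advisory title/range are placeholders.
const sampleAudit = {
  vulnerabilities: {
    "json5": {
      severity: "high", isDirect: false,
      via: [{ title: "Prototype pollution in JSON5.parse", severity: "high", range: "<1.0.2" }],
    },
    "tsconfig-paths": { severity: "high", isDirect: false, via: ["json5"] },
    "eslint-plugin-import": { severity: "high", isDirect: false, via: ["tsconfig-paths"] },
    "eslint-config-airbnb-base": { severity: "high", isDirect: true, via: ["eslint-plugin-import"] },
  },
};
// Follow `via` links from `name` down to advisory objects; one chain per advisory.
function traceChains(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name)) return []; // unknown node or cycle: stop here
  const visited = new Set(seen).add(name);
  const chains = [];
  for (const via of entry.via) {
    if (typeof via === "string") {
      for (const c of traceChains(report, via, visited)) {
        chains.push({ path: [name, ...c.path], advisory: c.advisory });
      }
    } else {
      chains.push({ path: [name], advisory: via });
    }
  }
  return chains;
}
// Count distinct advisories behind the flagged packages and render the chains that
// start at a direct dependency (the only ones a lockfile update can act on).
function summarize(report) {
  const advisories = new Set();
  const chains = [];
  for (const [name, entry] of Object.entries(report.vulnerabilities)) {
    for (const c of traceChains(report, name)) {
      advisories.add(c.advisory.title);
      if (entry.isDirect) {
        chains.push(`${c.path.join(" > ")}: ${c.advisory.title} (${c.advisory.severity}, affected ${c.advisory.range})`);
      }
    }
  }
  return { flaggedPackages: Object.keys(report.vulnerabilities).length, distinctAdvisories: advisories.size, chains };
}
console.log(summarize(sampleAudit));
```

On a real project, run `npm audit --json > audit.json` and pass `JSON.parse(fs.readFileSync("audit.json", "utf8"))` to `summarize` to see how many distinct advisories are behind the count npm prints.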

@ljharb
Collaborator

ljharb commented Dec 30, 2022

json5 v1.0.2 has the fix, and the CVE just needs to be updated.

I agree with you, but since 99.99999% of CVE warnings in the JS ecosystem are false positives like this, it's pretty unavoidable.

@BGehrels

BGehrels commented Jan 2, 2023

I opened github/advisory-database#1548 in order to get the CVE fixed

@ljharb
Collaborator

ljharb commented Jan 2, 2023

@BGehrels no need, github/advisory-database#1541 already exists.

again, the best thing for most people in the industry to do when there's a CVE is nothing. Just wait, things will shake out.

@radhakrishnaqlik

This comment was marked as spam.

@govind15496

This comment was marked as spam.

@ljharb
Collaborator

ljharb commented Jan 5, 2023

json5 v1.0.2 has been released which fixes this CVE, and the github advisory PR is merged, so just update your lockfiles and you'll be fine.

@ljharb ljharb closed this as completed Jan 5, 2023
@govind15496

Hello @ljharb sir,

I commented earlier in this section, but my comment was put in the spam section. It read: "Hey I'm a newcomer in this project I would like to contribute." So as you can see from that comment, I am a newcomer and I would like to contribute to this project.
Please assign me some project or give me something to work on.
Thanks

@ljharb
Collaborator

ljharb commented Jan 6, 2023

@govind15496 ah, sorry - there was nothing for anyone to do here, and those kinds of comments are typically done in a spammy fashion.

In any project that has a "help wanted" or similar label, the best thing to do is just start looking at those. However, this project doesn't often require community contributions, so it's probably not the best one to start on - but if you're interested, I'd start here: https://github.com/airbnb/javascript/issues?q=is%3Aissue+is%3Aopen+label%3A%22pull+request+wanted%22

@govind15496

Thanks
