[security] Fix: Override minimatch@3 to 3.1.3 to resolve CVE-2022-3517#8167
Draft
PikkaPikkachu wants to merge 1 commit into main from
Conversation
3320531 to 6dae9b0
minimatch < 3.1.3 has a HIGH severity ReDoS vulnerability via braceExpand. The vulnerable 3.1.2 is a transitive dependency of eslint@8, eslint-plugin-import, eslint-plugin-jsx-a11y, eslint-plugin-react, and docusaurus-lunr-search — none of which have released versions dropping minimatch@^3. Use pnpm overrides to pin minimatch@3 to the patched 3.1.3 in the root and three example package.json files.
6dae9b0 to eb1cddc
Collaborator
This should be low priority and is basically busywork, none of this code runs server-side or is shipped as part of lexical. eslint only runs locally and in CI so unexpectedly high CPU usage with untrusted input isn’t a problem of its own (in both cases you have access to run arbitrary code already and you’re not consuming input other than the code itself). Upgrading to a modern eslint would be a worthwhile task, but it would not be trivial.
Summary
Why overrides?
minimatch < 3.1.3 has a HIGH severity ReDoS vulnerability (CVE-2022-3517) via the braceExpand function. The vulnerable version 3.1.2 is pulled in as a transitive dependency by several packages:
None of these packages have released a version that drops minimatch@^3.1.2. Even the latest releases of all three eslint plugins still depend on it. The override "minimatch@3": "3.1.3" targets only the 3.x resolution, bumping 3.1.2 to the backward-compatible patch 3.1.3. It does not affect minimatch@5.1.6, @9.0.5, or @10.1.1 used by other packages.
Test plan
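The description above relies on the pnpm selector "minimatch@3" rewriting only the 3.x resolution. The following is an added example, not code from the PR or from pnpm: it models that selector semantics over a constructed dependency list and reports which resolutions would still fall under CVE-2022-3517 (minimatch < 3.1.3). Selector ranges are simplified to a version prefix ("3", "3.1", "3.1.2"); caret and tilde ranges are not modelled, and the RESOLVED list is a constructed sample rather than the real lockfile.

```javascript
// Added example (not from the PR or pnpm): applies an override selector such as
// "minimatch@3" to resolved versions, then reports what stays vulnerable.
// Selector ranges are simplified to a version prefix ("3", "3.1", "3.1.2").
const OVERRIDES = { "minimatch@3": "3.1.3" }; // the override this PR adds

// Constructed sample of resolved dependencies, not the real lockfile.
const RESOLVED = [
  { requiredBy: "eslint@8", name: "minimatch", version: "3.1.2" },
  { requiredBy: "docusaurus-lunr-search", name: "minimatch", version: "3.1.2" },
  { requiredBy: "other-pkg-a", name: "minimatch", version: "5.1.6" },
  { requiredBy: "other-pkg-b", name: "minimatch", version: "10.1.1" },
  { requiredBy: "other-pkg-c", name: "glob", version: "3.1.2" }, // same version, different package
];

const parts = (v) => v.split(".").map(Number);

// Numeric comparison so "10.1.1" sorts above "3.1.3" (a string compare would not).
function compareVersions(a, b) {
  const pa = parts(a), pb = parts(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] ?? 0) !== (pb[i] ?? 0)) return (pa[i] ?? 0) < (pb[i] ?? 0) ? -1 : 1;
  }
  return 0;
}

// "minimatch@3" -> { name: "minimatch", range: "3" }; a bare name matches every version.
function parseSelector(selector) {
  const at = selector.lastIndexOf("@");
  return at > 0 ? { name: selector.slice(0, at), range: selector.slice(at + 1) }
                : { name: selector, range: "" };
}

function selectorMatches(selector, name, version) {
  const sel = parseSelector(selector);
  if (sel.name !== name) return false;
  if (sel.range === "") return true;
  const have = parts(version);
  return parts(sel.range).every((n, i) => have[i] === n); // "3" hits 3.x.y only
}

// Returns a new list with every matching resolution rewritten to the override version.
function applyOverrides(resolved, overrides) {
  return resolved.map((dep) => {
    const hit = Object.entries(overrides).find(([sel]) => selectorMatches(sel, dep.name, dep.version));
    return hit ? { ...dep, version: hit[1] } : dep;
  });
}

// CVE-2022-3517 as stated on the page: minimatch < 3.1.3.
const isVulnerable = (dep) => dep.name === "minimatch" && compareVersions(dep.version, "3.1.3") < 0;

function remainingVulnerable(resolved, overrides) {
  return applyOverrides(resolved, overrides).filter(isVulnerable);
}
```

Running `remainingVulnerable(RESOLVED, OVERRIDES)` yields an empty list, while the 5.1.6 and 10.1.1 resolutions and the unrelated glob@3.1.2 keep their versions; the same check can be pointed at `pnpm list --depth Infinity` output after `pnpm install` to confirm the real graph.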