CVE-2022-38900 fix for npm v6 #6010

c3ivodujmovic · 2022-12-31T01:57:19Z

query-string@7.1.3 see GHSA-5698-6q73-gp8h

c3ivodujmovic · 2023-01-18T20:27:42Z

@wraithgar @ruyadorno what do you guys recommend is the best way to address this issue?

lukekarrys · 2023-01-18T20:40:51Z

the npm team will audit the vulnerability and create a release for v6 if necessary. currently v6 is only being released with urgent security fixes.

c3ivodujmovic · 2023-01-18T21:16:04Z

Thanks @lukekarrys . Tell me if there is anything I can help.

Background
High CVE https://nvd.nist.gov/vuln/detail/CVE-2022-38900 Improper Input Validation resulting in DoS
Fixed via decode-uri-component update from 0.2.0 to 0.2.1
The latest node version 14.21.2 (LTS) includes this offending code:
(bash)# npm list decode-uri-component
npm@6.14.17 /home/c3/node-v14.21.2-linux-x64/lib/node_modules/npm
└─┬ query-string@6.8.2
└── decode-uri-component@0.2.0

lukekarrys · 2023-01-21T00:16:52Z

npm@6.14.18 was released 2022-12-21 which contains decode-uri-component@0.2.2.

└─┬ npm@6.14.18
  └─┬ query-string@6.14.1
    └── decode-uri-component@0.2.2

There is an open PR to land this change in node 14 which can be followed to track the progress there: nodejs/node#45936

darcyclarke and others added 30 commits November 14, 2022 16:20

updated lockfile

be23b61

glob@7.2.0

382d72b

minimatch@3.0.5

9918f59

rimraf@2.7.1

f55bd65

bluebird@3.7.2

cd48946

cacache@12.0.4

023d7e9

config-chain@1.1.13

dd2811c

deep-equal@1.1.1

e21b6eb

dezalgo@1.0.4

2bec581

figgy-pudding@3.5.2

2734851

glob@7.2.3

720f8ae

graceful-fs@4.2.10

5f1200e

is-cidr@3.1.1

58b74a3

jsdom@16.7.0

4b60965

lock-verify@2.2.1

8fe80a2

meant@1.0.3

14c7a1a

minimatch@3.1.2

06d9cef

mkdirp@0.5.6

1d2da35

node-gyp@5.1.1

22eda3a

npm-registry-mock@1.3.2

b77a7f1

query-string@6.14.1

de37398

qw@1.0.2

196650b

read-package-json@2.1.2

3218c16

request@2.88.2

0f5d579

safe-buffer@5.2.1

43ed5c2

tar-stream@2.2.0

31b51c5

uuid@3.4.0

209a79d

yaml@1.10.2

4778a8d

updated lockfile

442ff7a

chore: update expected integrity value in test

f391ca8

ruyadorno and others added 11 commits December 21, 2022 11:37

chore: should only lint source

0437207

chore: cleanup lockfile

f521320

chore: minimatch is not a dep

db32f16

decode-uri-component@0.2.2

8b357e5

lock-verify@2.2.2

d3e7eed

chore: remove verify no scoped test

0a5f8d9

chore: remove gh legacy url test

ade941c

docs: changelog for v6.14.18

771245f

update AUTHORS

04cb2c7

6.14.18

1314dc0

update query-string re GHSA-5698-6q73-gp8h CVE-2022-38900

5a97385

c3ivodujmovic requested a review from a team as a code owner December 31, 2022 01:57

c3ivodujmovic mentioned this pull request Dec 31, 2022

upgrade downstream dependencies to fix decode-uri-component CVE-2022-38900 GHSA-w573-4hg7-7wgq nodejs/node#46026

Closed

wraithgar closed this Jan 2, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2022-38900 fix for npm v6 #6010

CVE-2022-38900 fix for npm v6 #6010

c3ivodujmovic commented Dec 31, 2022 •

edited

Loading

c3ivodujmovic commented Jan 18, 2023

lukekarrys commented Jan 18, 2023

c3ivodujmovic commented Jan 18, 2023 •

edited

Loading

lukekarrys commented Jan 21, 2023

CVE-2022-38900 fix for npm v6 #6010

CVE-2022-38900 fix for npm v6 #6010

Conversation

c3ivodujmovic commented Dec 31, 2022 • edited Loading

c3ivodujmovic commented Jan 18, 2023

lukekarrys commented Jan 18, 2023

c3ivodujmovic commented Jan 18, 2023 • edited Loading

lukekarrys commented Jan 21, 2023

c3ivodujmovic commented Dec 31, 2022 •

edited

Loading

c3ivodujmovic commented Jan 18, 2023 •

edited

Loading