js-yaml dependency below 4.1.1 has prototype pollution in merge

[chrstrock]

load-nyc-config has a dependency on js-yaml below 4.1.1, which has a fix for this vulnerability: GHSA-mh29-5h37-fv8m

Proposed solution: update dependency to 4.1.1 and address any necessary code changes.

[melroy89]

Yep, this is a production dependency mind you.

I tried to fork and clone this repo.. npm install said:

50 vulnerabilities (4 low, 16 moderate, 26 high, 4 critical)

Of course that also includes development packages.. The only production vulnerability (moderate) is js-yaml mentioned above.

Yet, maybe a simple update of all packages can't hurt? Of course there are many major release updates.

Package           Current   Wanted  Latest  Location                       Depended by
camelcase           5.3.1    5.3.1   9.0.0  node_modules/camelcase         load-nyc-config
find-up             4.1.0    4.1.0   8.0.0  node_modules/find-up           load-nyc-config
js-yaml            3.14.1   3.14.1   4.1.1  node_modules/js-yaml           load-nyc-config
semver              6.3.1    6.3.1   7.7.3  node_modules/semver            load-nyc-config
standard-version    7.1.0    7.1.0   9.5.0  node_modules/standard-version  load-nyc-config
tap               14.11.0  14.11.0  21.1.3  node_modules/tap               load-nyc-config
xo                 0.25.4   0.25.4   1.2.3  node_modules/xo                load-nyc-config

Usage of js-yaml is only here in the index.js file:

return require('js-yaml').load(await readFile(configFile, 'utf8'));

[chrstrock]

@melroy89 , @eemeli, is the repo still maintained? Will anyone actually be approving these PRs? Main hasn't been updated in 5 years.

[melroy89]

I don't know..

according to #20 its feature complete and @bcoe says it will fix security bugs/security patches. I hope so, after 5 years this package gets an update hopefully.

[chrstrock]

FWIW, I did a workaround in my repo using "overrides" in my package.json to use js-yaml 4.1.1: https://docs.npmjs.com/cli/v9/configuring-npm/package-json#overrides

[chrstrock]

@coreyfarrell , is this repo actively maintained? js-yaml has a vulnerability.

[chrstrock]

FYI, this is a transitive dependency (buried in the tree, mind you) to Jest itself. Could have rippling effects. Looks like the enterprise version of this was bought by Tidelift, then Sonar (creators of SonarQube) bought Tidelift. This could mean that Jest is going to have to seek an alternative dependency and do some code changes. Hopefully not, but....

[TulioPintoNeto]

As this is under istanbuljs team, I believe this will get its update, it's just a matter of getting someone from the team here. I don't see recent commits in @coreyfarrell account so I'd guess he's not active anymore.

@bcoe may be able to reply us, but I've also pinged SimenB, which seems to be maintaining babel-plugin-istanbul, which is another repository under the istanbuljs team

[SimenB]

Hey folks 👋 while I have push access in most Istanbul packages, I don't have it in this one... Lemme try to ping some folks (I have done that on and off for months, but maybe this time it reaches people)

[SimenB]

That said, I might need to fork all the Istanbul packages into the jest org on GitHub and npm to unblock. Let's see if I can get access first, though

[TulioPintoNeto]

Let's know if you need any help with that, I'm pretty sure there's lots of people here keen on helping to fix that issue