Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update http-cache-semantics package #159

Merged
merged 5 commits into from
Feb 6, 2023
Merged

Update http-cache-semantics package #159

merged 5 commits into from
Feb 6, 2023

Conversation

trevor-scheer
Copy link
Member

@trevor-scheer trevor-scheer commented Feb 6, 2023
edited
Loading

Update http-cache-semantics package to latest patch, resolving a security issue. Unlike many security updates Apollo repos receive, this is an actual (non-dev) dependency of this package which means it is actually a user-facing security issue.

The potential impact of this issue is limited to a DOS attack (via an
inefficient regex).

This security issue would only affect you if either:

  • you pass untrusted (i.e. from your users) cache-control request headers
  • you sending requests to untrusted REST server that might return malicious
    cache-control headers

Since http-cache-semantics is a careted (^) dependency in this package, the security issue can (and might already) be resolved via a package-lock.json update within your project (possibly triggered by npm audit or another dependency update which has already updated its version of the package in question). If npm ls http-cache-semantics reveals a tree of dependencies which only include the 4.1.1 version (and no references to any previous versions) then you are currently unaffected and this patch should have (for all intents and purpose) no effect.

More details available here: GHSA-rc47-6667-2j5j

@trevor-scheer
Resolve security notice for http-cache-semantics package
f4b664b 
GHSA-rc47-6667-2j5j

The `http-cache-semantics` used an inefficient regex for
trimming whitespace from header keys and values, providing
a DOS attack vector.
@trevor-scheer
changeset
54dec73
@codesandbox-ci
Copy link

codesandbox-ci bot commented Feb 6, 2023
edited
Loading

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

@trevor-scheer trevor-scheer merged commit ee018a7 into main Feb 6, 2023
@trevor-scheer trevor-scheer deleted the trevor/update-cache-package branch February 6, 2023 22:09
@github-actions github-actions bot mentioned this pull request Feb 6, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@trevor-scheer