
upgrade resolve-url-loader to 3.1.2 to resolve Prototype Pollution vulnerability #18048

Closed
malkrad opened this issue Oct 20, 2020 · 4 comments · Fixed by #18064

Comments

@malkrad

malkrad commented Oct 20, 2020

Bug report

Describe the bug

resolve-url-loader is a production dependency inside next.
resolve-url-loader relies on adjust-sourcemap-loader as a production dependency.
adjust-sourcemap-loader relies on object-path as a production dependency.
object-path has a high severity vulnerability described here: https://www.npmjs.com/advisories/1573

To Reproduce

run 'npm audit'

Screenshot

[screenshot of the npm audit output, not preserved]

Expected behavior

No high severity vulnerability inside production dependencies.

System information

  • OS: Windows
  • Version of Next.js: 9.5.5
  • Version of Node.js: 12.9.0

Additional context

Although the vulnerability inside the newest object-path version is fixed: https://github.com/mariocasciaro/object-path,
the author of adjust-sourcemap-loader decided to drop it and replace its function with direct coding here: bholloway/adjust-sourcemap-loader#17
resolve-url-loader is being updated here: bholloway/resolve-url-loader#172
The last step, after the update and upgrade of resolve-url-loader is ready, is to upgrade resolve-url-loader inside next dependencies to resolve the vulnerability.
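One way to check a project's own lockfile for the chain this report describes, as an added example that is not code from the Next.js project or from the issue author: it flattens a lockfileVersion 1 package-lock.json, follows `requires` edges from next to object-path, and flags a resolve-url-loader version older than the fixed 3.1.2. The sample lock, the placeholder versions for adjust-sourcemap-loader and object-path, and the one-version-per-name simplification are assumptions of this example.

```javascript
const FIXED_RESOLVE_URL_LOADER = '3.1.2';

// Numeric major.minor.patch comparison; negative when a is older than b.
function compareVersions(a, b) {
  const num = v => v.split('.').map(x => parseInt(x, 10) || 0);
  const [pa, pb] = [num(a), num(b)];
  return [0, 1, 2].map(i => (pa[i] || 0) - (pb[i] || 0)).find(d => d !== 0) || 0;
}

// Flatten top-level and nested lock entries into name -> { version, requires }.
// Simplifying assumption: one installed version per package name.
function flatten(deps, out = {}) {
  for (const [name, e] of Object.entries(deps || {})) {
    out[name] = { version: e.version, requires: Object.keys(e.requires || {}) };
    flatten(e.dependencies, out);
  }
  return out;
}

// Depth-first walk over "requires" edges, collecting every chain that ends at target.
function findChains(graph, start, target, trail = [], out = []) {
  if (!graph[start] || trail.includes(start)) return out; // unknown entry or cycle
  const chain = trail.concat(start);
  if (start === target) out.push(chain.map(n => `${n}@${graph[n].version}`));
  else for (const dep of graph[start].requires) findChains(graph, dep, target, chain, out);
  return out;
}

// Report how next reaches object-path and whether resolve-url-loader is below 3.1.2.
function auditLock(lock, root = 'next', target = 'object-path') {
  const graph = flatten(lock.dependencies);
  const loader = graph['resolve-url-loader'];
  const outdated = loader && compareVersions(loader.version, FIXED_RESOLVE_URL_LOADER) < 0;
  return { chains: findChains(graph, root, target), outdatedResolveUrlLoader: outdated ? loader.version : null };
}

// Constructed sample lock (lockfileVersion 1 shape); adjust-sourcemap-loader and
// object-path versions are placeholders, not values taken from the issue.
const sampleLock = {
  dependencies: {
    next: { version: '9.5.5', requires: { 'resolve-url-loader': '3.1.1' } },
    'resolve-url-loader': { version: '3.1.1', requires: { 'adjust-sourcemap-loader': '*' } },
    'adjust-sourcemap-loader': { version: '0.0.0-placeholder', requires: { 'object-path': '*' } },
    'object-path': { version: '0.0.0-placeholder' },
  },
};

console.log(JSON.stringify(auditLock(sampleLock), null, 2));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty `chains` array together with a `null` `outdatedResolveUrlLoader` means the reported path is gone.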

@malkrad
Author

malkrad commented Oct 20, 2020

resolve-url-loader is updated to 3.1.2: bholloway/resolve-url-loader#170 (comment)
Please consider upgrading the dependency inside package.json

@tahtoh

tahtoh commented Oct 23, 2020

Hi, when I pull the latest Next.js version I still get 3.1.1, and it's in the package-lock.json so I can't update it. How can I fix this?

@timneutkens
Member

You can use next@canary for now. New stable will be out soon.

@balazsorban44
Member

This issue has been automatically locked due to no recent activity. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.

@vercel vercel locked as resolved and limited conversation to collaborators Jan 29, 2022