[GHSA-f7xj-rg7h-mc87] Stylelint has vulnerability in semver dependency #2491
Conversation
Hi there @ofrolenko and @ybiquitous! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
I have a few questions:
- What happens after this update to blank like `0.0.0` versions?
- Should we leave an advisory comment about this update to tell people the reason?
- What is the difference between `0` and `0.0.0`?
I'm not sure what you mean by this, but the result of this update will be that no versions of stylelint will be flagged as vulnerable.
The fact that the affected version ranges have changed should be enough by itself - my comment will also be visible in the improvement log for the advisory.
"0" indicates "the first version of the package" - effectively a bottomless range, as it's common for vulnerabilities to be discovered as existing in all versions before the initial patch.
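To make the range semantics in the answer above concrete, here is an added example (not code from this thread, from stylelint, or from GitHub's advisory tooling) that evaluates OSV-style `introduced`/`fixed` events the way a dependency scanner would. It assumes a simplified advisory shape with `affected[].ranges[].events` and plain numeric dotted versions; every version number in it is a constructed placeholder, not a real stylelint release. It shows that `introduced: "0"` is a bottomless lower bound (so `0.0.0` is inside it), that `0` sorts below `0.0.0`, and that an advisory with no affected ranges flags nothing.

```python
from typing import Optional

Version = tuple[int, ...]


def parse_version(v: str) -> Version:
    """Parse a dotted numeric version ("15.10.1") into a comparable tuple.
    "0" becomes (0,), which sorts below (0, 0, 0): it is the lowest possible
    version and therefore the bottom of a range. Pre-release tags are not
    handled; a real scanner would use a proper semver library."""
    return tuple(int(part) for part in v.split("."))


def affected_intervals(events: list[dict[str, str]]) -> list[tuple[Version, Optional[Version]]]:
    """Turn an ordered list of {"introduced": x} / {"fixed": y} events into
    half-open intervals [introduced, fixed). An "introduced" with no later
    "fixed" is open-ended (no patch exists yet)."""
    intervals: list[tuple[Version, Optional[Version]]] = []
    lower: Optional[Version] = None
    for event in events:
        if "introduced" in event:
            lower = parse_version(event["introduced"])
        elif "fixed" in event and lower is not None:
            intervals.append((lower, parse_version(event["fixed"])))
            lower = None
    if lower is not None:
        intervals.append((lower, None))
    return intervals


def is_affected(version: str, affected: list[dict]) -> bool:
    """True if `version` falls inside any affected range of the advisory."""
    v = parse_version(version)
    for entry in affected:
        for rng in entry.get("ranges", []):
            for lower, upper in affected_intervals(rng["events"]):
                if v >= lower and (upper is None or v < upper):
                    return True
    return False


def flagged_versions(versions: list[str], affected: list[dict]) -> list[str]:
    """Return the subset of `versions` a scanner would alert on."""
    return [v for v in versions if is_affected(v, affected)]


# Constructed advisory shape BEFORE the update: "0" as the introduced version
# means every release before the (constructed) fixed version 14.0.0 is flagged.
ADVISORY_BEFORE = [
    {
        "package": {"ecosystem": "npm", "name": "example-package"},  # constructed name
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "14.0.0"}]}],
    }
]

# Constructed shape AFTER the update: no affected ranges at all, so no version
# of the package is flagged, which is the outcome described in the thread.
ADVISORY_AFTER: list[dict] = []

# Constructed sample of installed versions a scanner might see.
SAMPLE_VERSIONS = ["0.0.0", "1.2.3", "13.9.9", "14.0.0", "15.1.0"]


if __name__ == "__main__":
    print("0 sorts below 0.0.0:", parse_version("0") < parse_version("0.0.0"))
    print("flagged before:", flagged_versions(SAMPLE_VERSIONS, ADVISORY_BEFORE))
    print("flagged after: ", flagged_versions(SAMPLE_VERSIONS, ADVISORY_AFTER))
```

The bottomless range is the reason the reviewer's `0.0.0` question has a simple answer: `(0,)` compares below every concrete version, so `0.0.0` is inside `[0, fixed)` exactly like any other early release, and once the ranges are removed nothing is inside any interval.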
@G-Rath Thanks for the instant answers. I now understand this change well. LGTM.
Question on this from my end @G-Rath . Shouldn't the upper end of the range be |
Either way, this CVE is on semver, not stylelint, so I'm not sure why this has an entry at all. Stylelint doesn't ship a vulnerability, they just ship instructions to tell the end user to download another dependency that happens to be vulnerable.
This advisory doesn't have a CVE. It's independent and created to reflect the repo advisory created by the package author. The semver CVE is listed on GHSA-c2qf-rxjj-qqgw.
An advisory on something for a transitive dep of it doesn't make sense either.
So this advisory already has |
When the advisory was originally released, the Now that it has been backported however, no versions of stylelint will result in a vulnerable version of I agree with @ljharb which is why I originally recommended the advisory be withdrawn especially since the backports were on their way - however GitHub Support said that the advisory should not be withdrawn, and @ybiquitous wanted to follow their recommendation even after the backports had been released and it was confirmed that no version of stylelint would pull in a vulnerable version of |
I see. I was unaware of the reach out to support though digging back I do see the conversation. @ybiquitous how would you like to handle this situation? We can withdraw the global advisory if you like, but so far as I am concerned if you would like to leave it up for whatever reason then we will respect that. To the IMO zeroing out the affected version range would make for more confusion than withdrawing the advisory with the versions intact.
Thanks for the comments, everyone.
To be honest, I'm unsure whether we should keep the advisory to provide the latest information for people or withdraw it to prevent false security alerts from tools (e.g. Dependabot). I have wanted to keep it just because GitHub support recommends it, and if many people think keeping is inconvenient, I'm not strongly against withdrawing. Just in case, I'll ask GitHub Support again.
In hindsight Stylelint should have never created the advisory, thus if the recommendation is to remove it and remove confusion let's do that.
@ntwb Thanks for the comment. I've just received an answer from GitHub Support, but it does not have a strong recommendation. So, I agree with withdrawing this advisory. It is more beneficial for many people. @darakian Sorry to bother you, but could you please start withdrawing the advisory? Please let me know if I need to do anything.
No bother at all. I'll withdraw the global advisory on our end which will stop any future alerts. The repo advisory on the stylelint repo will be untouched, but feel free to update that as you see fit 👍 Edit: Thank you all for the input and @ybiquitous thank you for being proactive with alerting your users! 😄
Update ranges to reflect that stylelint is no longer vulnerable