It has been identified that [email protected] introduces a missing release of resource after effective lifetime vulnerability via a transitive dependency. The vulnerability is linked to the package [email protected], as reported in the Snyk vulnerability database: SNYK-JS-INFLIGHT-6095116.
Currently, no patch or upgrade is available to address this vulnerability. I recommend that the team investigate possible mitigations, whether by updating or removing the affected transitive dependencies, or by finding alternative solutions to reduce the security risk.
Thank you for your attention to this issue.
This has been a major challenge for me; I tried writing an alternative patch for it, but it still does not seem to work. I know this has not yet been exploited, but I think an urgent update is needed. inflight: Missing Release of Resource after Effective Lifetime
And to the best of my knowledge, inflight is outdated and is not being maintained.
The maintainers of @mapbox/node-pre-gyp have been working on a new version which removes this package as well as addressing a number of other older packages.
Good news is they've just published an RC for 2.0.0.
The main breaking change appears to be dropping support for non-LTS versions of Node (so >=18).
I don't know enough about the bcrypt build to see if it would be any issue upgrading, but I've tried overriding it locally and it works fine for me.
Don't like the idea of forcing the override though, so once a stable v2 is available it would be good to get it upgraded here.
I can help with a PR here if required, although it may need discussion around the compatibility issue.
Also noticed there was an attempt to migrate away from node-pre-gyp to use prebuildify, but that seems to have stalled.
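To check for yourself whether an override of @mapbox/node-pre-gyp actually removes every route to inflight, it helps to reproduce the "vulnerability path" from the lockfile rather than trusting the scanner's summary. The script below is an added example, not code from the bcrypt project, Snyk or this thread: it walks an npm lockfile (lockfileVersion 2/3 `packages` map) using npm's nesting-then-hoisting resolution, lists every dependency chain that ends at a target package, and reports which chains would survive if a given ancestor were replaced by a version that no longer pulls the target in. The lockfile embedded in it is constructed; the package names follow this thread, but the exact dependency edges and the `"*"` ranges are assumptions made for illustration.

```javascript
// Added example (not from the bcrypt project): reproduce the dependency chains
// that lead to a package (here "inflight") from an npm lockfile, and check
// which chains remain once an ancestor is replaced via `overrides`.

// Constructed lockfile. Names follow the thread; edges and ranges are assumed.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { bcrypt: "*" } },
    "node_modules/bcrypt": { dependencies: { "@mapbox/node-pre-gyp": "*" } },
    "node_modules/@mapbox/node-pre-gyp": { dependencies: { rimraf: "*" } },
    "node_modules/rimraf": { dependencies: { glob: "*" } },
    "node_modules/glob": { dependencies: { inflight: "*" } },
    "node_modules/inflight": { dependencies: {} },
  },
};

// Resolve a dependency the way npm's loader does: prefer a copy nested under
// the parent, otherwise walk up one node_modules level at a time until the
// hoisted top-level copy is reached. Returns the lockfile key or null.
function resolveDep(packages, parentPath, depName) {
  let base = parentPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null; // already at the root: the dependency is missing
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; returns every chain of package
// names (root excluded) that ends at `target`. A per-branch `seen` set stops
// cycles without hiding distinct routes that share an intermediate package.
function findPaths(lock, target) {
  const packages = lock.packages || {};
  const found = [];
  const walk = (pkgPath, chain, seen) => {
    const deps = (packages[pkgPath] && packages[pkgPath].dependencies) || {};
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(packages, pkgPath, dep);
      if (!resolved || seen.has(resolved)) continue;
      const next = chain.concat(dep);
      if (dep === target) {
        found.push(next);
        continue;
      }
      walk(resolved, next, new Set(seen).add(resolved));
    }
  };
  walk("", [], new Set([""]));
  return found;
}

// Render a chain in the "a > b > c" style that scanner reports use.
function formatPath(chain) {
  return chain.join(" > ");
}

// Chains that do not pass through `replaced`: if this is empty, overriding
// `replaced` with a version that drops the target closes every route.
function remainingPaths(paths, replaced) {
  return paths.filter((chain) => !chain.includes(replaced));
}

const paths = findPaths(SAMPLE_LOCK, "inflight");
console.log("chains to inflight:\n" + paths.map(formatPath).join("\n"));
const left = remainingPaths(paths, "@mapbox/node-pre-gyp");
console.log(
  left.length === 0
    ? "overriding @mapbox/node-pre-gyp would remove every chain"
    : "chains not covered by that override:\n" + left.map(formatPath).join("\n")
);
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfiles older than version 2 lack the `packages` map and would need `npm install` to regenerate them first. Note that a local `overrides` entry only changes what your own lockfile resolves, which is why the comment above prefers an upstream bump in bcrypt once the stable 2.0.0 is out.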
Hello!!
It has been identified that [email protected] introduces a missing release of resource after effective lifetime vulnerability via a transitive dependency. The vulnerability is linked to the package [email protected], as reported in the Snyk vulnerability database: SNYK-JS-INFLIGHT-6095116.
Vulnerability Path:
Severity: Medium
Recommended Actions:
Currently, no patch or upgrade is available to address this vulnerability. I recommend that the team investigate possible mitigations, whether by updating or removing the affected transitive dependencies, or by finding alternative solutions to reduce the security risk.
Thank you for your attention to this issue.