Security News > 2022 > July > Solving the indirect vulnerability enigma - fixing indirect vulnerabilities without breaking your dependency tree
Fixing indirect vulnerabilities is one of those complex, tedious and, quite frankly, boring tasks that no one really wants to touch.
You see, indirect dependencies are introduced deep down the dependency tree and it's very tricky to get to the exact version you want.
During the research phase of the graph-database project, or, how Debricked today fixes your open source vulnerabilities at the speed of light, the team stumbled upon some articles explaining how to fix indirect vulnerabilities in NPM. As stated in the article, the `minimist` package is affected by vulnerabilities, namely CVE-2021-44906 and CVE-2020-7598.
This regenerates the dependency tree with the latest possible version of your indirect dependencies.
The million-dollar question is: what version of `mocha` should be used, that in turn trickles down to a safe version of `minimist` without breaking the dependency tree? This is actually a graph problem, which has been described in this article.
By walking down the dependency graph and keeping the max versions, all while pruning all other versions of that package in each intersection, we can create an approximate representation of our dependency tree.
News URL
https://thehackernews.com/2022/07/solving-indirect-vulnerability-enigma.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-03-17 | CVE-2021-44906 | Unspecified vulnerability in Substack Minimist Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). | 9.8 |
2020-03-11 | CVE-2020-7598 | minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. | 6.8 |