CVE-2021-44906 vulnerability in uri-js dependency #1978
Comments
|
@zekth have you had any problems with your replacement, that is now possible to use via options? Do you think it would be ok to switch to it in v9 completely? It's probably worth putting a comment somewhere that the default option has this vulnerability, and it is best to use another URI library in scenarios that may be affected (specifically, untrusted schemas). |
|
I had no bug feedback on this, we're using fast-uri by default in fastify v4. @mcollina could you confirm we don't have any issue since we merged it by default? |
|
We had no issues with fast-uri so far. We should also investigate why minimist is in there and where it is used. |
|
Is it perhaps good enough to use the built-in URL module of nodejs now? |
It does not provide the required featureset |
|
Another reason to leave |
The CVE-2021-44906 vulnerability is found in stale
uri-jsdependency. garycourt/uri-js#72The version of Ajv you are using
8.11.0
Operating system and node.js version
macos
16.15.0
Package manager and its version
npm 8.9.0
Link to (or contents of) package.json
{ "name": "", "version": "1.0.0", "description": "", "main": "server.js", "engines": { "node": ">=17.9.0", "npm": ">=8.9.0" }, "scripts": { "lint": "eslint . --fix", "test": "c8 mocha", "gitHooks": "chmod +x ./.scripts/hooks/pre-commit && git config core.hooksPath ./.scripts/hooks/" }, "license": "UNLICENSED", "dependencies": { "async": "^3.2.3", "axios": "^0.26.1", "dollars-to-cents": "^1.0.3", "fastify": "^3.29.0", "fastify-swagger": "^4.17.1", "http-status-codes": "^2.2.0", "luxon": "^2.4.0", "newrelic": "^8.10.0", "postgres": "^3.1.0", "redis": "^4.1.0", "winston": "^3.7.2" }, "devDependencies": { "@babel/eslint-parser": "^7.17.0", "@babel/plugin-syntax-import-assertions": "^7.16.7", "c8": "^7.11.2", "chai": "^4.3.6", "chai-as-promised": "^7.1.1", "dotenv": "^16.0.1", "eslint": "^8.15.0", "eslint-config-airbnb-base": "^15.0.0", "eslint-plugin-import": "^2.26.0", "eslint-plugin-jsdoc": "^39.2.9", "esm": "^3.2.25", "mocha": "^9.2.2", "proxyquire": "^2.1.3", "sinon": "^13.0.2" }, "babel": { "plugins": [ "@babel/plugin-syntax-import-assertions" ] } }Error messages
none
The output of
npm ls├── @babel/[email protected]
├── @babel/[email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
└── [email protected]
The text was updated successfully, but these errors were encountered: