upgrade downstream dependencies to fix decode-uri-component CVE-2022-38900 GHSA-w573-4hg7-7wgq

[c3ivodujmovic]

Version

14.21.2

Platform

Linux 19b7e582104e 5.19.0-26-generic #27-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 23 20:44:15 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

No response

What steps will reproduce the bug?

Node v14 includes npm v6, which in turn includes query-string <7.1.3 which includes the fixed decode-uri-component@0.2.1 for GHSA-w573-4hg7-7wgq GHSA-w573-4hg7-7wgq

Details
npm@6.14.17 node-v14.21.2-linux-x64/lib/node_modules/npm
└─┬ query-string@6.8.2
└── decode-uri-component@0.2.0
PoC
See base vulnerability GHSA-w573-4hg7-7wgq GHSA-w573-4hg7-7wgq

Impact
https://nvd.nist.gov/vuln/detail/CVE-2022-38900
GHSA-w573-4hg7-7wgq

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior?

No response

What do you see instead?

https://nvd.nist.gov/vuln/detail/CVE-2022-38900
GHSA-w573-4hg7-7wgq

Additional information

https://github.com/npm/cli/security/advisories/GHSA-5698-6q73-gp8h

Asked npm to fix v6: npm/cli#6010

[bnoordhuis]

Thanks for the report but no action is required on our part. The arrangement is that npm submits updates to us.

[c3ivodujmovic]

@bnoordhuis Hi Ben, It would seem to me that Node picked up the responsibility when Node decided to distribute with npm: specifically to assure that the code Node distributed does not contain vulnerabilities.

As is Node installation is spreading vulnerable code.

Since Node is distributing npm, Node needs to chase npm to fix the issues. Alternatively, Node should include a version of npm that does not have the vulnerabilities.

[bnoordhuis]

You're of course entitled to your opinions, just don't expect me or anyone else to agree with them.

sindresorhus/query-string#345 (comment) quite accurately summarizes the severity of this issue¹ and npm probably (and IMO rightly) dismissed it as such.

¹ tl;dr someone thought it was an awesome idea to bulk-file "foo is not a function" bugs as security vulnerabilities. Guess that's one way to build up a CVE count when you're an aspiring security researcher.

[c3lisalowery]

@ry + @Trott - Do you agree with @bnoordhuis that this CVE won't be fixed? We owe a customer a mitigation statement for this CVE so I want to make sure I'm accurately capturing reality.

[bnoordhuis]

The npm upgrade in #45936 contains a newer version of that dep.

[lukekarrys]

To reiterate the previous comment from @bnoordhuis, npm@6.14.18 contains decode-uri-component@0.2.2 which does not contain the vulnerability. And the PR linked (#45936) is being worked on by the release team to land npm@6.14.18 in the next release of node@14.