breautek opened a new pull request #237:
URL: https://github.com/apache/cordova-plugin-geolocation/pull/237


   <!--
   Please make sure the checklist boxes are all checked before submitting the PR. The checklist is intended as a quick reference, for complete details please see our Contributor Guidelines:
   
   http://cordova.apache.org/contribute/contribute_guidelines.html
   
   Thanks!
   -->
   
   ### Platforms affected
   
   
   
   ### Motivation and Context
   <!-- Why is this change required? What problem does it solve? -->
   <!-- If it fixes an open issue, please link to the issue here. -->
   
   Solves some reported vulnerabilities in our tooling:
   
   `found 9 vulnerabilities (6 moderate, 3 high)`
   
   <details>
   <summary>NPM Audit</summary>
   
   ```json
   
   {
     "actions": [
       {
         "action": "update",
         "resolves": [
           {
             "id": 1673,
             "path": "@cordova/eslint-config>eslint>inquirer>lodash",
             "dev": true,
             "optional": false,
             "bundled": false
           },
           {
             "id": 1673,
             "path": "@cordova/eslint-config>eslint>lodash",
             "dev": true,
             "optional": false,
             "bundled": false
           },
           {
             "id": 1673,
             "path": "@cordova/eslint-config>eslint>table>lodash",
             "dev": true,
             "optional": false,
             "bundled": false
           }
         ],
         "module": "lodash",
         "target": "4.17.21",
         "depth": 4
       },
       {
         "action": "update",
         "resolves": [
           {
             "id": 1677,
             "path": "@cordova/eslint-config>eslint-plugin-import>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info",
             "dev": true,
             "optional": false,
             "bundled": false
           }
         ],
         "module": "hosted-git-info",
         "target": "2.8.9",
         "depth": 6
       },
       {
         "action": "update",
         "resolves": [
           {
             "id": 1751,
             "path": "@cordova/eslint-config>eslint>glob-parent",
             "dev": true,
             "optional": false,
             "bundled": false
           }
         ],
         "module": "glob-parent",
         "target": "5.1.2",
         "depth": 3
       },
       {
         "action": "update",
         "resolves": [
           {
             "id": 1773,
             "path": "@cordova/eslint-config>eslint-plugin-import>eslint-import-resolver-node>resolve>path-parse",
             "dev": true,
             "optional": false,
             "bundled": false
           },
           {
             "id": 1773,
             "path": "@cordova/eslint-config>eslint-plugin-import>read-pkg-up>read-pkg>normalize-package-data>resolve>path-parse",
             "dev": true,
             "optional": false,
             "bundled": false
           },
           {
             "id": 1773,
             "path": "@cordova/eslint-config>eslint-plugin-import>resolve>path-parse",
             "dev": true,
             "optional": false,
             "bundled": false
           },
           {
             "id": 1773,
             "path": "@cordova/eslint-config>eslint-plugin-node>resolve>path-parse",
             "dev": true,
             "optional": false,
             "bundled": false
           }
         ],
         "module": "path-parse",
         "target": "1.0.7",
         "depth": 7
       }
     ],
     "advisories": {
       "1673": {
         "findings": [
           {
             "version": "4.17.20",
             "paths": [
               "@cordova/eslint-config>eslint>inquirer>lodash",
               "@cordova/eslint-config>eslint>lodash",
               "@cordova/eslint-config>eslint>table>lodash"
             ]
           }
         ],
         "id": 1673,
         "created": "2021-05-06T16:14:39.514Z",
         "updated": "2021-05-06T16:24:12.299Z",
         "deleted": null,
         "title": "Command Injection",
         "found_by": {
           "link": "",
           "name": "Anonymous",
           "email": ""
         },
         "reported_by": {
           "link": "",
           "name": "Anonymous",
           "email": ""
         },
         "module_name": "lodash",
         "cves": [
           "CVE-2021-23337"
         ],
         "vulnerable_versions": "<4.17.21",
         "patched_versions": ">=4.17.21",
         "overview": "`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
         "recommendation": "Upgrade to version 4.17.21 or later",
         "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23337)\n- [GitHub Advisory](https://github.com/advisories/GHSA-35jh-r3h4-6jhm)\n- [Snyk Advisory](https://snyk.io/vuln/SNYK-JS-LODASH-1040724)",
         "access": "public",
         "severity": "high",
         "cwe": "CWE-77",
         "metadata": {
           "module_type": "",
           "exploitability": 7,
           "affected_components": ""
         },
         "url": "https://npmjs.com/advisories/1673"
       },
       "1677": {
         "findings": [
           {
             "version": "2.8.8",
             "paths": [
               "@cordova/eslint-config>eslint-plugin-import>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info"
             ]
           }
         ],
         "id": 1677,
         "created": "2021-05-06T16:15:08.412Z",
         "updated": "2021-05-07T17:41:14.327Z",
         "deleted": null,
         "title": "Regular Expression Denial of Service",
         "found_by": {
           "link": "",
           "name": "Anonymous",
           "email": ""
         },
         "reported_by": {
           "link": "",
           "name": "Anonymous",
           "email": ""
         },
         "module_name": "hosted-git-info",
         "cves": [
           "CVE-2021-23362"
         ],
         "vulnerable_versions": "<2.8.9 || >=3.0.0 <3.0.8",
         "patched_versions": ">=2.8.9 <3.0.0 || >=3.0.8",
         "overview": "`hosted-git-info` before versions 2.8.9 and 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity",
         "recommendation": "Upgrade to version 3.0.8 or later",
         "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23362)\n- [GitHub Advisory](https://github.com/advisories/GHSA-43f8-2h32-f4cj)\n",
         "access": "public",
         "severity": "moderate",
         "cwe": "CWE-400",
         "metadata": {
           "module_type": "",
           "exploitability": 5,
           "affected_components": ""
         },
         "url": "https://npmjs.com/advisories/1677"
       },
       "1751": {
         "findings": [
           {
             "version": "5.1.1",
             "paths": [
               "@cordova/eslint-config>eslint>glob-parent"
             ]
           }
         ],
         "id": 1751,
         "created": "2021-06-07T21:57:10.135Z",
         "updated": "2021-06-07T21:58:07.745Z",
         "deleted": null,
         "title": "Regular expression denial of service",
         "found_by": {
           "link": "",
           "name": "Anonymous",
           "email": ""
         },
         "reported_by": {
           "link": "",
           "name": "Anonymous",
           "email": ""
         },
         "module_name": "glob-parent",
         "cves": [
           "CVE-2020-28469"
         ],
         "vulnerable_versions": "<5.1.2",
         "patched_versions": ">=5.1.2",
         "overview": "`glob-parent` before 5.1.2 has a regular expression denial of service vulnerability. The enclosure regex used to check for strings ending in enclosure containing path separator.",
         "recommendation": "Upgrade to version 5.1.2 or later",
         "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-28469)\n- [GitHub Advisory](https://github.com/advisories/GHSA-ww39-953v-wcq6)\n",
         "access": "public",
         "severity": "moderate",
         "cwe": "CWE-400",
         "metadata": {
           "module_type": "",
           "exploitability": 5,
           "affected_components": ""
         },
         "url": "https://npmjs.com/advisories/1751"
       },
       "1773": {
         "findings": [
           {
             "version": "1.0.6",
             "paths": [
               "@cordova/eslint-config>eslint-plugin-import>eslint-import-resolver-node>resolve>path-parse",
               "@cordova/eslint-config>eslint-plugin-import>read-pkg-up>read-pkg>normalize-package-data>resolve>path-parse",
               "@cordova/eslint-config>eslint-plugin-import>resolve>path-parse",
               "@cordova/eslint-config>eslint-plugin-node>resolve>path-parse"
             ]
           }
         ],
         "id": 1773,
         "created": "2021-08-10T15:59:47.884Z",
         "updated": "2021-08-10T16:00:43.559Z",
         "deleted": null,
         "title": "Regular Expression Denial of Service in path-parse",
         "found_by": {
           "link": "",
           "name": "Anonymous",
           "email": ""
         },
         "reported_by": {
           "link": "",
           "name": "Anonymous",
           "email": ""
         },
         "module_name": "path-parse",
         "cves": [
           "CVE-2021-23343"
         ],
         "vulnerable_versions": "<1.0.7",
         "patched_versions": ">=1.0.7",
         "overview": "Affected versions of `path-parse` are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.",
         "recommendation": "Upgrade to version 1.0.7 or later",
         "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23343)\n- [GitHub Advisory](https://github.com/advisories/GHSA-hj48-42vr-x3v9)\n",
         "access": "public",
         "severity": "moderate",
         "cwe": "CWE-400",
         "metadata": {
           "module_type": "",
           "exploitability": 5,
           "affected_components": ""
         },
         "url": "https://npmjs.com/advisories/1773"
       }
     },
     "muted": [],
     "metadata": {
       "vulnerabilities": {
         "info": 0,
         "low": 0,
         "moderate": 6,
         "high": 3,
         "critical": 0
       },
       "dependencies": 0,
       "devDependencies": 210,
       "optionalDependencies": 0,
       "totalDependencies": 210
     },
     "runId": "c364ebfb-4d2d-44cf-bc90-9fc94b277870"
   }
   
   ```
   
   </details>
   
   ### Description
   <!-- Describe your changes in detail -->
   
   
   
   ### Testing
   <!-- Please describe in detail how you tested your changes. -->
   
   Ran `npm test`
   
   ### Checklist
   
   - [x] I've run the tests to see all new and existing tests pass
   - [x] I added automated test coverage as appropriate for this change
   - [x] Commit is prefixed with `(platform)` if this change only applies to one platform (e.g. `(android)`)
   - [x] If this Pull Request resolves an issue, I linked to the issue in the text above (and used the correct [keyword to close issues using keywords](https://help.github.com/articles/closing-issues-using-keywords/))
   - [x] I've updated the documentation if necessary
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
