
mahara-contributors team mailing list archive

[Bug 2003988] Re: glob-parent vulnerability


** Changed in: mahara
    Milestone: None => 23.04.0

** Changed in: mahara
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/2003988

Title:
  glob-parent vulnerability

Status in Mahara:
  Fix Committed

Bug description:
  glob-parent before 5.1.2 vulnerable to Regular Expression Denial of
  Service in enclosure regex

  - https://github.com/advisories/GHSA-ww39-953v-wcq6
  - https://nvd.nist.gov/vuln/detail/CVE-2020-28469
  - https://cwe.mitre.org/data/definitions/400.html

  In our third-party libraries, we are waiting for gulp to update their
  dependencies. However, it's been 3 years since their last update.
  Unsure if they will.

  Yet to be fixed: gulp - but not hopeful currently
  https://twitter.com/gulpjs/status/1564430489473077248?cxt=HHwWgMCqjbrP_LUrAAAA

  However, our CSS gets compiled from hardcoded sass files before webpages
  get loaded.

  mahara-themes@1.0.2 /.../.../code/mahara
  ├─┬ gulp@4.0.2 🚨
  │ ├─┬ glob-watcher@5.0.5
  │ │ └─┬ chokidar@2.1.8
  │ │   └── glob-parent@3.1.0 🚨
  │ └─┬ vinyl-fs@3.0.3
  │   └─┬ glob-stream@6.1.0
  │     └── glob-parent@3.1.0 deduped 🚨
  └─┬ sass@1.57.1
    └─┬ chokidar@3.5.3
      └── glob-parent@5.1.2 ✅

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/2003988/+subscriptions
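Added example, not part of the bug report or of Mahara's code: a script that parses an `npm ls`-style tree like the one quoted above and reports every dependency path that reaches glob-parent, flagging versions below the fixed release 5.1.2. The tree text is reconstructed from the report's output with the status emoji removed; `findVulnerablePaths` and `compareVersions` are names assumed here.

```javascript
// Constructed sample input: the npm ls tree from the bug report, emoji stripped.
const SAMPLE_TREE = [
  'mahara-themes@1.0.2 /.../.../code/mahara',
  '├─┬ gulp@4.0.2',
  '│ ├─┬ glob-watcher@5.0.5',
  '│ │ └─┬ chokidar@2.1.8',
  '│ │   └── glob-parent@3.1.0',
  '│ └─┬ vinyl-fs@3.0.3',
  '│   └─┬ glob-stream@6.1.0',
  '│     └── glob-parent@3.1.0 deduped',
  '└─┬ sass@1.57.1',
  '  └─┬ chokidar@3.5.3',
  '    └── glob-parent@5.1.2',
].join('\n');

// Compare dotted numeric versions: < 0 if a < b, 0 if equal, > 0 if a > b.
// Pre-release suffixes (after "-") are ignored for this comparison.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Split "name@version" at the last "@" so scoped "@org/pkg@1.2.3" also works.
function splitSpec(spec) {
  const i = spec.lastIndexOf('@');
  return { name: spec.slice(0, i), version: spec.slice(i + 1) };
}

// Walk the tree and return every path ending in `pkg`, marking versions
// below `fixedIn` as vulnerable. Each tree level is two prefix columns wide.
function findVulnerablePaths(tree, pkg, fixedIn) {
  const results = [];
  const stack = []; // "name@version" entries on the branch being walked
  for (const line of tree.split('\n').slice(1)) { // skip the root line
    const m = line.match(/^(.*?)[├└]─[┬─] (\S+)/);
    if (!m) continue;
    const depth = m[1].length / 2;
    const { name, version } = splitSpec(m[2]);
    stack.length = depth; // discard deeper entries of the previous branch
    stack.push(`${name}@${version}`);
    if (name === pkg) {
      const vulnerable = compareVersions(version, fixedIn) < 0;
      results.push({ path: stack.join(' > '), version, vulnerable });
    }
  }
  return results;
}

console.log(findVulnerablePaths(SAMPLE_TREE, 'glob-parent', '5.1.2'));
```

On the sample tree this reports the two gulp paths (via glob-watcher and vinyl-fs) as vulnerable and the sass path as fixed, matching the report's markers.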