[NPMCLI-198] high-severity security vulnerability "npm:adm-zip:20180415" Created: 19/Dec/18 Updated: 12/Mar/19 Resolved: 11/Mar/19
| Status: | Closed |
| Project: | Magnolia CLI |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 3.0.7 |
| Type: | Bug | Priority: | Major |
| Reporter: | Samantha Mannino | Assignee: | Federico Grilli |
| Resolution: | Fixed | Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoD: | |
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)
| Bug DoR: | |
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
| Release notes required: | Yes |
| Date of First Response: | |
| Epic Link: | Support |
| Sprint: | Foundation 6 |
| Story Points: | 3 |
| Description |

Magnolia CLI has a dependency on an old version of adm-zip which has a security vulnerability. More info here: https://snyk.io/vuln/npm:adm-zip:20180415. Please update the dependency so that I can have magnolia-cli approved by my security team.
| Comments |
| Comment by Christopher Zimmermann [ 19/Dec/18 ] |

Need to be careful that in solving this issue we do not run into the same problem as
| Comment by Samantha Mannino [ 18/Jan/19 ] |

Hey! Any update on this issue? Really looking forward to being able to make use of Magnolia-CLI.
| Comment by Samantha Mannino [ 15/Feb/19 ] |

Hello again! Still really looking forward to being able to use this! I have a new person joining in a couple of weeks and would like them to get started with Magnolia with the CLI at their disposal. Please let me know if there is anything I can do to help!
| Comment by Christopher Zimmermann [ 18/Feb/19 ] |

Resolving this is a little complicated since a recent adm-zip version was broken and so we needed to pin an earlier version (see https://jira.magnolia-cms.com/browse/NPMCLI-182). It's possible that the problem is resolved in adm-zip with https://github.com/cthackers/adm-zip/pull/238. So we should simply try the latest adm-zip (0.4.13) and double-check that it does not cause the issue in
| Comment by Christopher Zimmermann [ 11/Mar/19 ] |

Please test the fix on Windows.
| Comment by Federico Grilli [ 11/Mar/19 ] |

Apparently the latest adm-zip (0.4.13 at the moment of writing this) still doesn't solve the issue for which we had to pin it to an earlier version. The issue was supposedly solved by https://github.com/cthackers/adm-zip/pull/238, which should have ended up in 0.4.12, but that was never released, whereas the 0.4.13 code is missing from their git repo (https://github.com/cthackers/adm-zip/issues/271). One side remark on https://snyk.io/vuln/npm:adm-zip:20180415: apparently that wasn't caught by npm audit, which is rather odd.
| Comment by Federico Grilli [ 12/Mar/19 ] |

Hi Sam, CLI 3.0.7 was just released on the npm public repo and it contains the fix for this issue: https://www.npmjs.com/package/@magnolia/cli

Cheers, Federico for the Magnolia team