Fixed
Comments
di...@andric.com <di...@andric.com> #2
The xmljs problem was already reported by someone else, but not these other npm packages. Similarly to the other issue, I'm CC'ing River Riddle who seems to be the most obvious maintainer of the mlir vscode plugin, but for the llvm vscode plugin it is not entirely clear who the maintainer is. Does anybody in llvm-security@ have an idea who the best persons are to pick this up?
[Deleted User] <[Deleted User]> #3
AFAICT the llvm package dependencies were added by Yuanfang Chen, on my team, and never modified since. I doubt he considers himself an owner/maintainer but he's the one who touched it last. :)
CC'ing him about this.
[Deleted User] <[Deleted User]> #4
I've updated the llvm vscode plugin. Thanks.
[Deleted User] <[Deleted User]> #5
d54ad0b6cd7c7be24062014367fcd0c3f525c7ec
di...@andric.com <di...@andric.com> #6
Thanks Yuanfang Chen! (Link to actual commit: <https://github.com/llvm/llvm-project/commit/d54ad0b6cd7c7be24062014367fcd0c3f525c7ec>)
@doronin.maxim.unn, please verify that the dependencies are now up-to-date, and if there is still something off, please re-open.
do...@gmail.com <do...@gmail.com> #8
Hello! Thanks for the contribution!
As I see, only llvm/utils/vscode/llvm/package-lock.json has been updated within https://github.com/llvm/llvm-project/commit/d54ad0b6cd7c7be24062014367fcd0c3f525c7ec
However, there are still outdated dependencies with security issues in
* https://github.com/llvm/llvm-project/blob/main/mlir/utils/vscode/package-lock.json
* https://github.com/llvm/llvm-project/blob/main/llvm/utils/git/requirements.txt
do...@gmail.com <do...@gmail.com> #9
> if there is still something off, please re-open.
Could you please re-open in accordance with my previous comment above?
di...@andric.com <di...@andric.com> #11
yuanfang.chen@sony.com, could you please take a look at updating mlir/utils/vscode/package-lock.json in a similar manner to what you did for <https://github.com/llvm/llvm-project/commit/d54ad0b6cd7c7be24062014367fcd0c3f525c7ec>? I have limited experience with npm, otherwise I would do it myself. :)
As for llvm/utils/git/requirements.txt, <https://github.com/llvm/llvm-project/commit/14e4d92f8d0788a8f24d64727f6821aab05bbf54> updated certifi to 2022.9.24, which was the latest version at the time, but it has not been touched since. I ran "pip-compile -o requirements.txt requirements.txt.in" in that directory but it did not update any of the minor versions, for reasons unknown. Still needs to be investigated.
do...@gmail.com <do...@gmail.com> #14
> To bump xml2js version, it has to wait until https://github.com/microsoft/vscode-vsce/commit/2e4a3172d2a7f3f6c113927deafcc9bdb60eed8e is merged into the next vsce release.
Hi! As I see, some other projects have already migrated to vsce 2.19.0 (https://go.googlesource.com/vscode-go/+/9ea51b002a369cbeabcf627f974327d525208865%5E%21/#F0 for instance). Can it be updated in llvm as well now?
Description
## minimatch (npm) < 3.0.5
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
mlir/utils/vscode/package-lock.json
llvm/utils/vscode/llvm/package-lock.json
## minimist (npm) < 0.2.4
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). (< 0.2.4)
Affected versions of npm package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity. (< 0.2.1)
llvm/utils/vscode/llvm/package-lock.json
## certifi (pip) < 2022.12.07
Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store.
TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found [here](
llvm/utils/git/requirements.txt
## qs (npm) < 6.10.3
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
mlir/utils/vscode/package-lock.json
## path-parse (npm) < 1.0.7
Affected versions of npm package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
llvm/utils/vscode/llvm/package-lock.json
## xml2js (npm) < 0.5.0
xml2js versions before 0.5.0 allow an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
The latest possible version that can be installed is 0.4.23 because of the following conflicting dependencies:
```
vsce@2.7.0 requires xml2js@^0.4.23
No patched version available for xml2js
```
The earliest fixed version is 0.5.0.
mlir/utils/vscode/package-lock.json
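As an added check (not code from the LLVM tree or from this thread), a small Node script that scans a package-lock.json for the packages and fixed versions listed in the Description, so the "please verify that the dependencies are now up-to-date" step can be done mechanically; the lockfile at the bottom is constructed for the demonstration and mirrors the vsce/xml2js pin described above.

```javascript
// Added example (not LLVM's code): flag lockfile entries still below the fixed
// versions this issue lists. A version is patched when it is >= the highest fix,
// or when its own minor line (e.g. qs 6.9.x) received a backport named above.
const FIXED = {
  minimatch: ["3.0.5"],
  minimist: ["1.2.6", "0.2.4"],
  "path-parse": ["1.0.7"],
  qs: ["6.10.3", "6.9.7", "6.8.3", "6.7.3", "6.6.1", "6.5.3", "6.4.1", "6.3.3", "6.2.4"],
  xml2js: ["0.5.0"],
};
// "v1.2.3-beta" -> [1, 2, 3]; missing components compare as 0.
const parse = (v) => v.replace(/^v/, "").split("-")[0].split(".").map(Number);
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) - (y[i] || 0);
  return 0;
}

function isPatched(name, version) {
  const fixes = FIXED[name];
  if (!fixes) return true; // not one of the packages named in this issue
  const highest = fixes.reduce((m, f) => (cmp(f, m) > 0 ? f : m));
  if (cmp(version, highest) >= 0) return true;
  const [maj, min] = parse(version);
  return fixes.some((f) => parse(f)[0] === maj && parse(f)[1] === min && cmp(version, f) >= 0);
}

// Yields [name, version] for lockfileVersion 1 (nested "dependencies") and
// 2/3 (flat "packages" keyed like "node_modules/vsce/node_modules/xml2js").
function* entries(lock) {
  for (const [key, pkg] of Object.entries(lock.packages || {})) {
    if (key) yield [key.split("node_modules/").pop(), pkg.version];
  }
  const walk = function* (deps) {
    for (const [name, d] of Object.entries(deps || {})) { yield [name, d.version]; yield* walk(d.dependencies); }
  };
  if (!lock.packages) yield* walk(lock.dependencies);
}

// Returns "name@version" for every entry that is still below a fixed version.
function findVulnerable(lock) {
  const out = [];
  for (const [name, version] of entries(lock)) if (version && !isPatched(name, version)) out.push(`${name}@${version}`);
  return out;
}
// Constructed lockfile: xml2js held at 0.4.23 by vsce@2.7.0, as described above.
const sampleLock = { lockfileVersion: 1, dependencies: {
  vsce: { version: "2.7.0", dependencies: { xml2js: { version: "0.4.23" }, qs: { version: "6.9.7" } } },
  minimatch: { version: "3.0.4" }, minimist: { version: "1.2.6" }, "path-parse": { version: "1.0.7" } } };
console.log(findVulnerable(sampleLock)); // [ 'xml2js@0.4.23', 'minimatch@3.0.4' ]
```

Run it against a real lockfile with `JSON.parse(require("fs").readFileSync(path, "utf8"))` in place of `sampleLock`; an empty result means none of the packages named in this issue remain below their fixed version.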