
Potential vulnerability in eslint-import-resolver-node due to memory leak in debug < 4.3.0 #2672

Closed
cmotsn opened this issue Jan 13, 2023 · 1 comment

Comments

@cmotsn

cmotsn commented Jan 13, 2023

Hi,
I'll start by mentioning that this is not the same regexp vulnerability, CVE-2017-20165, as mentioned in #2657, #2658 and #2659.

This potential vulnerability has been found by the Checkmarx tool (see the example section in this page) in debug package, due to a memory leak issue that was fixed in debug 4.3.0 (and sadly not backported to 3.x).

I have no idea whether or not this potential vulnerability is confirmed in the eslint-import-resolver-node package.

@ljharb
Member

ljharb commented Jan 13, 2023

A memory leak isn't automatically a vulnerability - in this case, your own linting run could have a problem, but it's not an attack or a vulnerability.

As such, while it'd be great if the fix was backported to debug v3, I don't consider it an argument in favor of a breaking change.

ljharb closed this as not planned on Jan 13, 2023