
Monitoring ua-parser-js package dependency #123

Open
ryank425 opened this issue Oct 24, 2021 · 5 comments

Comments

@ryank425

This package has ua-parser-js package as one of devDependencies, and this package is in package.json

"devDependencies": {
  ...
  "ua-parser-js": "^0.7.28",
  ...
}

According to CISA,
CISA urges users and administrators using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1
https://us-cert.cisa.gov/ncas/current-activity/2021/10/22/malware-discovered-popular-npm-package-ua-parser-js

Is this package safe to bump up the version to 0.7.30 or higher? Does "^0.7.28" guarantee that this package will not install compromised versions on npm install?

@SimonAlling

SimonAlling commented Oct 25, 2021

Does "^0.7.28" guarantee that this package will not install compromised versions on npm install?

Well … not by itself, since ^0.7.28 means "any version with major 0, minor 7 and at least patch 28" (see npm's SemVer calculator).

But it seems like the malicious versions have been removed from npm, so ^0.7.28 should be safe in practice (but don't quote me on that).

$ npm install --save ua-parser-js@^0.7.28

added 1 package, and audited 2 packages in 545ms

1 package is looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ cat package.json 
{
  […]
  "dependencies": {
    "ua-parser-js": "^0.7.30"
  }
}

$ cat package-lock.json 
{
  […]
  "packages": {
    […]
    "node_modules/ua-parser-js": {
      "version": "0.7.30",
      "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.30.tgz",
      "integrity": "sha512-uXEtSresNUlXQ1QL4/3dQORcGv7+J2ookOG2ybA/ga9+HYEXueT2o+8dUJQkpedsyTyCJ6jCCirRcKtdtx1kbg==",
      […]
    }
  },
  "dependencies": {
    "ua-parser-js": {
      "version": "0.7.30",
      "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.30.tgz",
      "integrity": "sha512-uXEtSresNUlXQ1QL4/3dQORcGv7+J2ookOG2ybA/ga9+HYEXueT2o+8dUJQkpedsyTyCJ6jCCirRcKtdtx1kbg=="
    }
  }
}

$ npm install --save [email protected]
npm ERR! code ETARGET
npm ERR! notarget No matching version found for [email protected].
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

@kirakishin

Hello, in order to avoid a potentially compromised package, could you fix the version like this, please:

"devDependencies": {
  ...
  "ua-parser-js": "0.7.28",
  ...
}

@kirakishin

kirakishin commented Oct 25, 2021

I made these changes on my side, in order to avoid a potential issue if a new release >=0.7.x is published again:

"resolutions": {
  "ua-parser-js": "0.7.28"
}

@AlexanderWright

According to the advisory, version 0.7.30 is fixed.

"devDependencies": {
  ...
  "ua-parser-js": ">=0.7.30",
  ...
}
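
An added example (not code from this thread or from the project) that evaluates the version ranges proposed above against the three compromised versions named in the CISA advisory quoted in the issue. The range evaluator is a minimal hand-written one covering only the spellings used here (exact pin, `>=`, caret), with caret semantics as documented for node-semver; it is an assumption that the registry still served those versions, which is exactly the case the ranges have to defend against.

```javascript
// Added example: which of the ranges discussed in this thread would let npm
// resolve a compromised ua-parser-js version if it were still on the registry?
// Compromised versions are taken from the CISA advisory quoted in the issue.
const COMPROMISED = ['0.7.29', '0.8.0', '1.0.0'];

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are not handled here).
function parse(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

// Numeric comparison: negative if a < b, zero if equal, positive if a > b.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  return (x.major - y.major) || (x.minor - y.minor) || (x.patch - y.patch);
}

// Minimal evaluator for the three range spellings used in this thread:
// an exact pin ("0.7.28"), a lower bound (">=0.7.30") and a caret range ("^0.7.28").
// Caret semantics as in node-semver: the left-most non-zero component may not change,
// so "^0.7.28" allows >=0.7.28 <0.8.0 and "^1.0.1" allows >=1.0.1 <2.0.0.
function satisfies(version, range) {
  if (range.startsWith('>=')) return compare(version, range.slice(2)) >= 0;
  if (range.startsWith('^')) {
    const lo = range.slice(1);
    const l = parse(lo);
    const upper = l.major > 0 ? `${l.major + 1}.0.0`
                : l.minor > 0 ? `0.${l.minor + 1}.0`
                : `0.0.${l.patch + 1}`;
    return compare(version, lo) >= 0 && compare(version, upper) < 0;
  }
  return compare(version, range) === 0; // exact pin
}

// Compromised versions a given range would accept.
function exposedVersions(range) {
  return COMPROMISED.filter(v => satisfies(v, range));
}

// Ranges proposed in this thread, plus the patched 0.7.30 pin for comparison.
for (const range of ['^0.7.28', '0.7.28', '>=0.7.30', '0.7.30']) {
  console.log(range.padEnd(10), JSON.stringify(exposedVersions(range)));
}
```

Note that a bare lower bound such as `>=0.7.30` admits the compromised 0.8.0 and 1.0.0, whereas the caret range only admits 0.7.29 and an exact pin admits none; a lock file with the `integrity` hash shown earlier in the thread is what actually fixes the installed artifact.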

@jhiesey
Owner

jhiesey commented Jan 15, 2022

I'll look into this soon. Sorry for the delay.
