dns-packet Dependency - Security bump required for webpack-dev-server 3.11.2 #3340
Comments
If anyone has their builds failing because of this or something and happens to be using yarn,

```json
"resolutions": {
  "multicast-dns": "7.2.3"
}
```

in package.json remediates the audit error. That could be a breaking change for some multicast-dns-using features of webpack-dev-server of course, but at least basic dev server functionality is still working fine for us.
We can't fix it on our side, please track it here watson/bonjour#63
https://www.npmjs.com/package/@homebridge/ciao could be a possible bonjour replacement
Also there is an active fork that might be a possibility: https://github.com/onlxltd/bonjour-service
If the problem will not be fixed to our
Our web development environment has a dependency on webpack-dev-server, which pulls in bonjour, which pulls in multicast-dns, which depends on dns-packet, which has a [critical security vulnerability][1]. webpack/webpack-dev-server#3340 tracks fixing this dependency, but it appears that the bonjour project is no longer maintained. This change works around this issue by patching the multicast-dns dependency to pull in a fixed version. This could potentially break mdns functionality in our development environment, but we probably don't even use this functionality. Dependencies are bad. [1]: https://nvd.nist.gov/vuln/detail/CVE-2021-23386
webpack/webpack-dev-server#3340 -> webpack-dev-server -> bonjour (5 year old abandoned package) -> multicast-dns -> dns-packet. JS is fun
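As an added example (not from this thread and not code from webpack-dev-server, bonjour, multicast-dns or dns-packet): a script that walks an npm lockfile (lockfileVersion 2/3 "packages" map) and lists every dependency chain that ends in dns-packet, then flags the copies whose version is below a fixed release on the same major line. The lockfile fragment is constructed for the example, the package name `mdns-tool` is made up, and the fixed versions in `FIXED_VERSIONS` are an assumption to be checked against the advisory linked in this issue.

```python
"""Find every chain root -> ... -> <target> in an npm lockfile and flag old copies."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample lockfile (not taken from any real project): the first chain
# mirrors the one discussed in this issue, the second ("mdns-tool", a made-up
# package) carries a nested, newer dns-packet so that resolution through nested
# node_modules directories is exercised too.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"devDependencies": {"webpack-dev-server": "^3.11.2", "mdns-tool": "^1.0.0"}},
        "node_modules/webpack-dev-server": {"version": "3.11.2",
                                            "dependencies": {"bonjour": "^3.5.0"}},
        "node_modules/bonjour": {"version": "3.5.0",
                                 "dependencies": {"multicast-dns": "^6.0.1"}},
        "node_modules/multicast-dns": {"version": "6.2.3",
                                       "dependencies": {"dns-packet": "^1.3.1"}},
        "node_modules/dns-packet": {"version": "1.3.1"},
        "node_modules/mdns-tool": {"version": "1.0.0",
                                   "dependencies": {"dns-packet": "^1.3.2"}},
        "node_modules/mdns-tool/node_modules/dns-packet": {"version": "1.3.2"},
    },
})

# ASSUMPTION: first fixed release on each affected major line of dns-packet;
# verify against https://www.npmjs.com/advisories/1745 before relying on it.
FIXED_VERSIONS = ["1.3.2", "5.2.2"]

Chain = List[Tuple[str, str]]  # [(package name, installed version), ...]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.3.1' (pre-release/build suffixes ignored) into a comparable tuple."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def resolve(packages: Dict[str, dict], from_path: str, dep: str) -> Optional[str]:
    """Resolve `dep` the way node does: nearest node_modules dir walking upwards."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # reached the root without finding it (e.g. optional dep)
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""  # strip the innermost directory


def find_chains(lock_json: str, target: str) -> List[Chain]:
    """Every dependency chain from the project root to an installed `target`."""
    packages = json.loads(lock_json)["packages"]
    chains: List[Chain] = []

    def walk(path: str, chain: Chain, seen: frozenset) -> None:
        meta = packages[path]
        deps = dict(meta.get("dependencies", {}))
        deps.update(meta.get("optionalDependencies", {}))
        if path == "":  # devDependencies are only installed for the root project
            deps.update(meta.get("devDependencies", {}))
        for dep in deps:
            dep_path = resolve(packages, path, dep)
            if dep_path is None or dep_path in seen:
                continue  # not installed, or a cycle on this chain
            next_chain = chain + [(dep, packages[dep_path].get("version", "?"))]
            if dep == target:
                chains.append(next_chain)
            walk(dep_path, next_chain, seen | {dep_path})

    walk("", [], frozenset())
    return chains


def is_fixed(version: str, fixed_versions: List[str]) -> bool:
    """True only if a fixed release exists on this major line and version >= it.
    A major line with no known fix is treated as vulnerable (conservative)."""
    v = parse_version(version)
    for fixed in fixed_versions:
        f = parse_version(fixed)
        if f[0] == v[0]:
            return v >= f
    return False


def vulnerable_chains(lock_json: str, target: str, fixed_versions: List[str]) -> List[Chain]:
    return [c for c in find_chains(lock_json, target) if not is_fixed(c[-1][1], fixed_versions)]


def format_chain(chain: Chain) -> str:
    return " -> ".join(f"{name}@{version}" for name, version in chain)


if __name__ == "__main__":
    for chain in vulnerable_chains(SAMPLE_LOCK, "dns-packet", FIXED_VERSIONS):
        print("VULNERABLE:", format_chain(chain))
```

Point it at a real lockfile by replacing `SAMPLE_LOCK` with the file contents; the output names the parent package that has to be bumped, patched or overridden (with yarn `resolutions` or an equivalent) for each offending copy, which is the information `npm audit` leaves you to reconstruct by hand.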
Maybe
v6 is fixed as of yesterday, if you reinstall deps. It's tracking dns-packet v1 to which I backported a fix.
@daynewright Can confirm this issue has now been addressed in https://github.com/onlxltd/bonjour-service v1.0.8.
Fixed https://www.npmjs.com/advisories/1745/versions, update deps locally
Operating System: MacOS 11.2.3
Node Version: v14.16.1
NPM Version: 6.14.12
webpack Version: 5.4.0
webpack-dev-server Version: 3.11.2
Browser: Chrome 87.0.4280.141
Code
Dependency dns-packet has a security advisory: https://www.npmjs.com/advisories/1745
RELATED:
There is an issue in the Bonjour npm dependency about dns-packet as well: watson/bonjour#63
For Bugs; How can we reproduce the behavior?
Run npm-audit