Released eslint-plugin-mozilla uses multi-ini 2.1.0 that has a security vulnerability
Categories
(Developer Infrastructure :: Lint and Formatting, task, P2)
Tracking
(firefox-esr78 unaffected, firefox87 wontfix, firefox88 wontfix, firefox89 fixed)
Release | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox87 | --- | wontfix
firefox88 | --- | wontfix
firefox89 | --- | fixed
People
(Reporter: standard8, Assigned: standard8)
Details
(Keywords: sec-other, Whiteboard: [post-critsmash-triage][adv-main89-])
Attachments
(1 file)
I've just seen GitHub reports that the current published version of eslint-plugin-mozilla uses multi-ini 2.1.0, which has a security vulnerability published against it.
The in-tree eslint-plugin-mozilla that mozilla-central uses was recently updated to ^2.1.2 in bug 1702166.
I think this probably isn't a critical issue for the source: the ini files that eslint-plugin-mozilla uses are all test files which get reviewed, and adding prototypes to those should get spotted; worst case, the try / linter infrastructure could be affected.
For external repositories using eslint-plugin-mozilla, I suspect most of them are not using mochitest/xpcshell type tests, so this wouldn't come into play.
However, I'd still like to get a new version released, so that users of eslint-plugin-mozilla can update to clear the security advisories on their repos.
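Comment 0 argues that the manifests eslint-plugin-mozilla parses are reviewed test files, so "adding prototypes to those should get spotted". The block below is an added illustration, not code from multi-ini or eslint-plugin-mozilla, and it assumes that the published advisory concerns prototype pollution through ini section or key names (the page itself only alludes to "adding prototypes"). It uses a deliberately minimal ini parser over a constructed manifest to show what a reviewer would have to catch, then goes a step beyond the page by showing a hardened variant that uses null-prototype containers and rejects the reserved names outright.

```javascript
// Added illustration, not code from multi-ini or eslint-plugin-mozilla.
// Assumption: the advisory behind this bug concerns prototype pollution via
// ini section/key names, which is what "adding prototypes" in comment 0
// alludes to. The parsers below are deliberately minimal stand-ins.

// Constructed sample in the shape of a mochitest/xpcshell manifest
// (not taken from the page).
const REVIEWED_INI = [
  "[DEFAULT]",
  "skip-if = os == 'win'",
  "",
  "[test_example.js]",
  "support-files = helper.js",
].join("\n");

// The same manifest with the kind of section a reviewer would have to catch.
const POLLUTING_INI = REVIEWED_INI + "\n\n[__proto__]\npolluted = yes\n";

const SECTION_RE = /^\[(.+)\]$/;

// Naive parser: sections are created by bracket assignment on a plain
// object. result["__proto__"] resolves to Object.prototype, so every key
// under a [__proto__] section lands on every object in the process.
function parseIniNaive(text) {
  const result = {};
  let current = result;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith(";") || line.startsWith("#")) continue;
    const section = SECTION_RE.exec(line);
    if (section) {
      const name = section[1].trim();
      if (!result[name]) result[name] = {};
      current = result[name];
      continue;
    }
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return result;
}

// Hardened parser: null-prototype containers (so "__proto__" is just an own
// property name) plus an explicit rejection of the reserved names, so a
// polluting manifest fails loudly instead of parsing "successfully".
const RESERVED = new Set(["__proto__", "constructor", "prototype"]);

function parseIniSafe(text) {
  const result = Object.create(null);
  let current = result;
  let lineNo = 0;
  for (const raw of text.split("\n")) {
    lineNo += 1;
    const line = raw.trim();
    if (!line || line.startsWith(";") || line.startsWith("#")) continue;
    const section = SECTION_RE.exec(line);
    if (section) {
      const name = section[1].trim();
      if (RESERVED.has(name)) throw new Error(`line ${lineNo}: reserved section name "${name}"`);
      if (!Object.prototype.hasOwnProperty.call(result, name)) result[name] = Object.create(null);
      current = result[name];
      continue;
    }
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    if (RESERVED.has(key)) throw new Error(`line ${lineNo}: reserved key "${key}"`);
    current[key] = line.slice(eq + 1).trim();
  }
  return result;
}

// Runs the naive parser over the polluting manifest and reports whether an
// unrelated object picked up the key; cleans up afterwards so the rest of
// the process is not left polluted.
function naiveParserPollutes() {
  const before = ({}).polluted === undefined;
  parseIniNaive(POLLUTING_INI);
  const after = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return before && after;
}

// The hardened parser must reject the polluting manifest and leave
// Object.prototype untouched.
function safeParserRejects() {
  try {
    parseIniSafe(POLLUTING_INI);
    return false;
  } catch (e) {
    return /reserved section name/.test(e.message) && ({}).polluted === undefined;
  }
}

// The hardened parser still handles the reviewed manifest normally.
function safeParserParsesReviewed() {
  const parsed = parseIniSafe(REVIEWED_INI);
  return parsed["test_example.js"]["support-files"] === "helper.js" &&
    parsed.DEFAULT["skip-if"] === "os == 'win'";
}

console.log("naive parser pollutes Object.prototype:", naiveParserPollutes());
console.log("hardened parser rejects manifest:", safeParserRejects());
console.log("hardened parser parses reviewed manifest:", safeParserParsesReviewed());
```

The point for this bug is the second half of comment 0's reasoning: with reviewed manifests a `[__proto__]` section is visible in the diff, but a parser that silently accepts it still turns a review miss into a process-wide change, which is why bumping to a fixed multi-ini and clearing the advisory matters even where the inputs are trusted.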
Comment 1•4 years ago
Comment 2•4 years ago
Bump eslint-plugin-mozilla version numbers. r=mossop
https://hg.mozilla.org/integration/autoland/rev/3408c864e7e79000702f33ea5c46d49546f6ea3d
https://hg.mozilla.org/mozilla-central/rev/3408c864e7e7
Comment 3•4 years ago
I've just published eslint-plugin-mozilla 2.10.0 which fully resolves this.