Closed Bug 1704857 Opened 4 years ago Closed 4 years ago

Released eslint-plugin-mozilla uses multi-ini 2.1.0 that has a security vulnerability

Categories

(Developer Infrastructure :: Lint and Formatting, task, P2)

Tracking

(firefox-esr78 unaffected, firefox87 wontfix, firefox88 wontfix, firefox89 fixed)

RESOLVED FIXED
89 Branch

People

(Reporter: standard8, Assigned: standard8)

Details

(Keywords: sec-other, Whiteboard: [post-critsmash-triage][adv-main89-])

Attachments

(1 file)

I've just seen GitHub reports that the current published version of eslint-plugin-mozilla uses multi-ini 2.1.0, which has a security vulnerability published against it:

The in-tree eslint-plugin-mozilla that mozilla-central uses was recently updated to ^2.1.2 in bug 1702166.

I think this probably isn't a critical issue for the source: the ini files that eslint-plugin-mozilla uses are all test files which get reviewed, and adding prototypes to those should get spotted; worst case, the try / linter infrastructure could be affected.

For external repositories using eslint-plugin-mozilla, I suspect most of them are not using mochitest/xpcshell type tests, so this wouldn't come into play.

However, I'd still like to get a new version released, so that users of eslint-plugin-mozilla can update to clear the security advisories on their repos.
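The reporter's risk assessment rests on reviewers noticing prototype-shaped entries in ini test manifests. The following is an added example, not code from eslint-plugin-mozilla or from multi-ini, and it assumes the multi-ini issue is of the prototype-pollution kind, which the remark about "adding prototypes" suggests. It shows the two defensive measures a manifest consumer can take: parse into null-prototype objects so no key can reach `Object.prototype`, and report any `__proto__`, `constructor` or `prototype` segment so it shows up in review rather than silently taking effect. The manifest text, the `parseIniSafely` and `assignPath` names, and the dotted-key nesting are all constructed for this example.

```javascript
// Added example, not code from eslint-plugin-mozilla or multi-ini.
// Assumes the multi-ini weakness is of the prototype-pollution kind, which
// the reporter's remark about "adding prototypes" to ini files suggests.

const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Write `value` at a dotted key path below `root`, creating null-prototype
// objects for intermediate levels. Any path segment that could reach
// Object.prototype is refused and recorded in `rejected` instead.
function assignPath(root, segments, value, rejected, where) {
  const bad = segments.find((seg) => FORBIDDEN_SEGMENTS.has(seg));
  if (bad !== undefined) {
    rejected.push(`key "${segments.join(".")}" in ${where}`);
    return;
  }
  let node = root;
  for (const seg of segments.slice(0, -1)) {
    if (typeof node[seg] !== "object" || node[seg] === null) {
      node[seg] = Object.create(null);
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
}

// Parse INI text into null-prototype objects so that even a key that slips
// through cannot install a property on Object.prototype via the __proto__
// setter. Returns { config, rejected }; `rejected` is the reviewer's list.
function parseIniSafely(text) {
  const config = Object.create(null);
  const rejected = [];
  let section = config;          // entries before any [section] are top level
  let where = "top level";

  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith(";") || line.startsWith("#")) continue;

    const header = /^\[(.+)\]$/.exec(line);
    if (header) {
      const name = header[1].trim();
      if (FORBIDDEN_SEGMENTS.has(name)) {
        rejected.push(`section "${name}"`);
        section = null;            // drop every entry under this section
      } else {
        section = config[name] = Object.create(null);
      }
      where = `section "${name}"`;
      continue;
    }
    if (section === null) continue;

    const eq = line.indexOf("=");
    const key = (eq === -1 ? line : line.slice(0, eq)).trim();
    const value = eq === -1 ? "" : line.slice(eq + 1).trim();
    assignPath(section, key.split("."), value, rejected, where);
  }
  return { config, rejected };
}

// Constructed sample shaped like a mochitest manifest, with two hostile entries.
const SAMPLE_INI = [
  "; constructed sample manifest",
  "[DEFAULT]",
  "support-files = head.js",
  "[test_a.js]",
  "skip-if = os == 'win'",
  "[__proto__]",
  "polluted = yes",
  "[test_b.js]",
  "constructor.prototype.polluted = yes",
].join("\n");

// True when parsing left Object.prototype untouched.
function prototypeIsClean() {
  return !("polluted" in {});
}

if (typeof require !== "undefined" && require.main === module) {
  const { config, rejected } = parseIniSafely(SAMPLE_INI);
  console.log(JSON.stringify(config, null, 2));
  console.log("rejected:", rejected);
  console.log("Object.prototype clean:", prototypeIsClean());
}
```

Running the block on the constructed manifest keeps `DEFAULT`, `test_a.js` and an empty `test_b.js`, lists the `__proto__` section and the `constructor.prototype.polluted` key as rejected, and leaves `Object.prototype` untouched. In a lint setup the `rejected` list is the useful output: surfacing it as a lint failure is what turns "reviewers should spot it" into something that is checked on every run.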

Keywords: sec-other
Group: firefox-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch

I've just published eslint-plugin-mozilla 2.10.0 which fully resolves this.

Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main89-]
Group: core-security-release
Product: Firefox Build System → Developer Infrastructure
