Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minor security vulnerability via babel-traverse 6.26.0 #12010

Closed
SiAdcock opened this issue Jul 22, 2024 · 2 comments · Fixed by #12259
Closed

Minor security vulnerability via babel-traverse 6.26.0 #12010

SiAdcock opened this issue Jul 22, 2024 · 2 comments · Fixed by #12259
Labels
good first issue help wanted

Comments

@SiAdcock
Copy link

SiAdcock commented Jul 22, 2024
edited
Loading

Type of issue

Security vulnerability

Description

We maintain a fork of Prebid.js that is being flagged by Dependabot as containing a critical security vulnerability, introduced by babel-traverse (ID: CVE-2023-45133)

In Prebid.js, it looks to be coming from babel-register via:

[email protected] -> @babel/[email protected] -> [email protected]

Relevant line in package.json

babel-register is used to add Babel support to the end-to-end testing task.

It is reasonable to assume that the end-to-end testing tasks (gulp e2e-test) are currently insecure. Do you agree, and if so, would it be possible to upgrade [email protected] to @babel/[email protected] or higher?

Platform details

This affects at least versions v8.52.0 and v9 (latest) of Prebid.js
@patmmccann
Copy link
Collaborator

patmmccann commented Jul 22, 2024
edited
Loading

The alert says in bold: "Users that only compile trusted code are not impacted."

You're welcome to PR the repo with the upgrade. I'm not aware of much activity in https://github.com/prebid/Prebid.js/tree/cda06f40bb1958f77888c0ae0bb486c5c55ac8d7/test/spec/e2e

@patmmccann patmmccann moved this from Triage to Ready for Dev in Prebid.js Tactical Issues table Jul 22, 2024
@patmmccann patmmccann changed the title Critical security vulnerability via babel-traverse 6.26.0 Minor security vulnerability via babel-traverse 6.26.0 Jul 22, 2024
@renebaudisch renebaudisch mentioned this issue Sep 19, 2024
Closed
@patmmccann patmmccann linked a pull request Sep 22, 2024 that will close this issue
Dependency updates to reduce vulnerability #12259
Merged
1 task
@patmmccann
Copy link
Collaborator

Fixed in #12259

@github-project-automation github-project-automation bot moved this from Ready for Dev to Done in Prebid.js Tactical Issues table Sep 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue help wanted
Projects
Prebid.js Tactical Issues table
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Dependency updates to reduce vulnerability renebaudisch/Prebid.js
2 participants
@patmmccann @SiAdcock