
Security: replace abandoned pkg coveralls with coveralls-next #305


Merged

Conversation

@dinamic (Contributor) commented Feb 14, 2025

The request package through 2.88.2 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

The request package is no longer supported by the maintainer. Unfortunately, it's a dependency of the coveralls package, which also seems abandoned. This PR helps by replacing the coveralls package with coveralls-next.
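The cross-protocol redirect bypass described above is the gap a redirect policy check in an HTTP client has to close. The following is an added example, not code from this PR or from the request or coveralls packages: a decision function that refuses a redirect whose Location changes the URL scheme or lands on a private or link-local host. The blocked-host list and private-range logic are assumptions for illustration.

```javascript
// Added example: redirect policy check that an SSRF mitigation needs.
// Assumed deny-list of literal hosts a client treats as internal.
const BLOCKED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]', '169.254.169.254']);

// True for loopback, RFC 1918 and link-local IPv4 literals or listed hosts.
function isPrivateHost(hostname) {
  if (BLOCKED_HOSTS.has(hostname)) return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return false; // DNS names are left to a resolver-side check
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Decide whether a redirect from originalUrl to the given Location header
// may be followed. Returns { follow, reason } or { follow, target }.
function redirectDecision(originalUrl, location) {
  const from = new URL(originalUrl);
  let to;
  try {
    to = new URL(location, from); // resolves relative Location values
  } catch {
    return { follow: false, reason: 'unparseable-location' };
  }
  if (to.protocol !== 'http:' && to.protocol !== 'https:') {
    return { follow: false, reason: 'unsupported-protocol' };
  }
  // The check request through 2.88.2 lacked: a scheme change must not
  // silently escape the policy applied to the original request.
  if (to.protocol !== from.protocol) {
    return { follow: false, reason: 'cross-protocol-redirect' };
  }
  if (isPrivateHost(to.hostname)) {
    return { follow: false, reason: 'blocked-host' };
  }
  return { follow: true, target: to.href };
}

// Constructed sample redirects, as a client would see them.
console.log(redirectDecision('https://example.test/a', 'http://example.test/b'));
console.log(redirectDecision('http://example.test/a', '/next'));
console.log(redirectDecision('http://example.test/a', 'http://169.254.169.254/latest'));

module.exports = { isPrivateHost, redirectDecision };
```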

@alexander-akait (Collaborator) commented

Looks like we need to generate lock files using 14/16 Node.js, can you do it using nvm?

@dinamic dinamic force-pushed the security/use-coveralls-next-pkg branch from 006d3ef to c17bade Compare February 17, 2025 17:14
@dinamic dinamic force-pushed the security/use-coveralls-next-pkg branch from c17bade to f73c495 Compare February 17, 2025 17:18
@dinamic (Contributor, Author) commented Feb 17, 2025

@alexander-akait it might have been because of the lockfileVersion.

nvm didn't work for me as going back to node 14 requires me to have an older version of python:

# nvm install 14
Downloading and installing node v14.21.3...
Downloading https://nodejs.org/dist/v14.21.3/node-v14.21.3-darwin-arm64.tar.xz...
curl: (56) The requested URL returned error: 404

download from https://nodejs.org/dist/v14.21.3/node-v14.21.3-darwin-arm64.tar.xz failed
grep: /Users/nick/.nvm/.cache/bin/node-v14.21.3-darwin-arm64/node-v14.21.3-darwin-arm64.tar.xz: No such file or directory
Provided file to checksum does not exist.
Binary download failed, trying source.
Detected that you have 10 CPU core(s)
Running with 9 threads to speed up the build
Clang v3.5+ detected! CC or CXX not specified, will use Clang as C/C++ compiler!
Local cache found: ${NVM_DIR}/.cache/src/node-v14.21.3/node-v14.21.3.tar.xz
Checksums match! Using existing downloaded archive ${NVM_DIR}/.cache/src/node-v14.21.3/node-v14.21.3.tar.xz
$>./configure --prefix=/Users/nick/.nvm/versions/node/v14.21.3 <
Node.js configure: Found Python 3.13.2...
Please use python3.10 or python3.9 or python3.8 or python3.7 or python3.6 or python3.5 or python2.7.
nvm: install v14.21.3 failed!

Fortunately, there is the node:14-slim docker image and it worked perfectly.

Could you check if the pipeline is going to pass now?

P.S. There are also other security risks as flagged by npm, but I'm not sure whether to use this PR to resolve all of them. What are your thoughts on this?

found 32 vulnerabilities (3 moderate, 25 high, 4 critical)

@alexander-akait alexander-akait merged commit 337129d into postcss:master Feb 26, 2025
5 checks passed
@alexander-akait (Collaborator) commented

Thanks
