Prerequisites
- Checked that your issue hasn't already been filed by cross-referencing issues with the `faq` label
- Checked next-gen ES issues and syntax problems by using the same environment and/or transpiler configuration without Mocha to ensure it isn't just a feature that actually isn't supported in the environment in question or a bug in your code.
- 'Smoke tested' the code to be tested by running it outside the real test suite to get a better sense of whether the problem is in the code under test, your usage of Mocha, or Mocha itself
- Ensured that there is no discrepancy between the locally and globally installed versions of Mocha. You can find them with: `node_modules/.bin/mocha --version` (Local) and `mocha --version` (Global). We recommend that you not install Mocha globally.
Description
I would like to report a high vulnerability that has been detected in one of the dependencies of Mocha. The vulnerability is present in the inflight package, specifically version 1.0.6. The vulnerability is classified as CWE-722: Missing Release of Resource after Effective Lifetime.
Package: inflight
Version: 1.0.6 (latest)
CWE: CWE-722 (Missing Release of Resource after Effective Lifetime)
Description: In NPM inflight there is a Memory Leak because some resources are not freed correctly after being used. It appears to affect all versions, as the issue was not addressed and no fix is found. NOTE: In the meantime, logdna-agent, a package that depends on inflight, has merged a commit to address this solely in their package (so it should be fixed in logdna-agent in versions 1.6.5 and later). Node-glob, a package that also depends on inflight, was also planning to address this by not using inflight after version 8 is released, but it is still being used.
Please note that I did not directly install or utilize the inflight package. Instead, it is a dependency of the Mocha package I am currently using, specifically version 10.2.0.
I kindly request that the necessary actions be taken to address and remediate this vulnerability to ensure the security and stability of the Mocha framework. If any further info is required, please let me know.
Thanks!