Update version range for GHSA-f46r-rw29-r322 #5483
Conversation
There was a problem hiding this comment.
Copilot wasn't able to review any files in this pull request.
Files not reviewed (1)
- advisories/github-reviewed/2025/04/GHSA-f46r-rw29-r322/GHSA-f46r-rw29-r322.json: Language not supported
github-actions
bot
changed the base branch from
main
to
brophdawg11/advisory-improvement-5483
|
👋 Hi @brophdawg11, I showed this PR and #5484 to colleagues of mine who work on npm audit. Another PR from last week (#5461) reported an issue with an advisory update not propagating to npm audit in a different npm package. In the meantime, users who approach you about alerts they're getting in npm audit can check for caching issues or vulnerable indirect dependencies to see if that changes anything about the alerts they're getting. Thanks for raising awareness of something you saw with respect to GHSA-f46r-rw29-r322 and GHSA-cpj6-fhp6-mr6j in npm audit and have a great weekend! |
|
Thanks for the follow up! I just tried again and this does look like it was a caching issue, all looks good now: > npm i react-router@latest
added 5 packages, and audited 6 packages in 849ms
found 0 vulnerabilities
> npm audit
found 0 vulnerabilities
> npm i react-router@7.5.1
changed 1 package, and audited 6 packages in 835ms
1 high severity vulnerability
To address all issues, run:
npm audit fix
Run `npm audit` for details.
> npm audit
# npm audit report
react-router 7.0.0-pre.0 - 7.5.1
Severity: high
React Router allows pre-render data spoofing on React-Router framework mode - https://github.com/advisories/GHSA-cpj6-fhp6-mr6j
React Router allows a DoS via cache poisoning by forcing SPA mode - https://github.com/advisories/GHSA-f46r-rw29-r322
fix available via `npm audit fix`
node_modules/react-router
1 high severity vulnerability
To address all issues, run:
npm audit fix
> npm i react-router@6
added 1 package, removed 3 packages, changed 1 package, and audited 4 packages in 879ms
found 0 vulnerabilities
> npm audit
found 0 vulnerabilitiesI was able to reproduce this morning on a fresh Let me know if I should close these PRs or if it's still useful to update the |
|
@brophdawg11 Thanks for the follow-up! I'll answer the questions in a quote-and-response format:
My job is related to advisory content rather than advisory database engineering or npm engineering, so I can't give an answer more precise than "it depends," especially when you're talking about a popular package, where lots of alerts get issued to lots of users who are using lots of different systems. 😅
|
This is an update to the
last_known_affected_version_rangefield for GHSA-f46r-rw29-r322.We missed that the original advisory we received and subsequently published did not have a lower version bound, which is causing tools like
npm auditto report false positives for the vulnerability on unaffected versions (v6 and below).We have since updated the affected version via the Security UI in our repo, and it seems those updates have propagated to the introduced fields (here), but tools like npm audit are still reporting the vulnerability on versions below v7.
On a closer look we noticed the
last_known_affected_version_rangefield still seemed to have the old version without the lower bound, so this updates that field hoping it will resolve thenpm auditissues.