Stream: shorthand
Topic: SUSHI 2.2.5
Chris Moesel (Dec 22 2021 at 21:00):
Announcing SUSHI 2.2.5 with the following bug fixes and minor enhancements:
- Supports projects using FHIR version 5.0.0-snapshot1
- Fixes handling of elements w/ a slicename matching the element name
NOTE: As of right now, the IG Publisher does not yet support 5.0.0-snapshot1, but the next release (expected today) will support it.
For more information, see the SUSHI 2.2.5 Release Notes
John Moehrke (Dec 22 2021 at 21:07):
npm is saying there are 5 high severity vulnerabilities... ?
Chris Moesel (Dec 22 2021 at 21:17):
@John Moehrke -- I don't think so. There is 1 high severity vulnerability as shown in the report below:
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│           Some vulnerabilities require your attention to resolve             │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cpy-cli [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cpy-cli > cpy > globby > fast-glob > glob-parent             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-ww39-953v-wcq6            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 1059 scanned packages
1 vulnerability requires manual review. See the full report for details.
You do not need to be concerned about this because the vulnerability is in a "dev" dependency. This means that the vulnerable module is only used when developing SUSHI itself. It is not used at all when normal users run SUSHI.
Furthermore, we've already assessed the specific vulnerability and determined that SUSHI is not impacted (even in development). We'd still love to make the warning go away, but cpy-cli has not yet released a patch that fixes it.
John Moehrke (Dec 22 2021 at 21:18):
Okay, I was just reporting it because I didn't see that when I upgraded SUSHI before.
Chris Moesel (Dec 22 2021 at 21:31):
Oh! I see. I just updated my npm version (that I use for npm audit). It looks like npm changed how they report vulnerabilities. I see 5 now too -- but nothing actually changed; just how they report them. I'll try to summarize.
We use a library called cpy-cli in development to copy some files from one location to another. The cpy-cli module depends on cpy, which depends on globby, which depends on fast-glob, which depends on glob-parent. The actual vulnerability is in glob-parent.
Using npm 6.x, it reports 1 vulnerability: glob-parent.
Using npm 8.x, it reports 5 vulnerabilities: glob-parent, fast-glob, globby, cpy, and cpy-cli -- but in reality, it's really just that one dependency chain that leads down to the problematic module.
My assessment doesn't change. It's still not a problem for SUSHI users (or developers). But... sorry for contradicting you (1 vs 5). It turns out we were both right!
John Moehrke (Dec 22 2021 at 21:34):
I noticed npm's angry message that I was behind on npm... so I too updated npm today.
Last updated: Apr 12 2022 at 19:14 UTC