
release patch for parse 2.19.x with updated dependency ws #7491


Closed
evansrobert opened this issue Aug 15, 2021 · 4 comments
Labels
type:question Support or code-level question

Comments

@evansrobert

Hi, @dplewis @mtrezza,

Issue Description

When I build my project, I noticed that vulnerability CVE-2021-32640, detected in package ws (<5.2.3, >=6.0.0 <6.2.2, >=7.0.0 <7.4.6), is directly referenced by [email protected].
However, [email protected] is so popular that a large number of the latest versions of active and popular downstream projects depend on it (14,763 downloads per week and about 22 downstream projects, e.g., @clowdr-app/clowdr-db-schema 1.11.2, wiz-frameworks 1.1.50, @atomic-reactor/cli 2.2.56, vue-notification-system 1.0.9, @slidebean/html-player 4.0.1, etc.).
In this case, the vulnerability CVE-2021-32640 can be propagated into these downstream projects and expose security threats to them.
As you can see, [email protected] is introduced into the above projects via the following package dependency paths:
(1)[email protected][email protected][email protected][email protected]
......

I know that it's kind of you to have removed the vulnerability since [email protected]. But, in fact, the above large number of downstream projects cannot easily upgrade parse from version 2.19.0 to (>=3.3.0):
Projects such as parse-server, which introduced [email protected], are not maintained anymore. These unmaintained packages can neither upgrade parse nor be easily migrated by the large number of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package [email protected]?

Suggested Solution

Since these inactive projects set a version constraint of 2.19.* for parse on the above vulnerable dependency paths, if parse removes the vulnerability from 2.19.0 and releases a new patched version [email protected], such a vulnerability patch can be automatically propagated into the downstream projects.

In [email protected], maybe you can try to perform the following upgrade (not crossing a major version):
ws 7.4.0 ➔ 7.4.6;
Note:
[email protected](>=7.4.6) has fixed the vulnerability CVE-2021-32640.

Thank you for your attention to this issue, and you are welcome to share other ways to resolve it. ^_^

@mtrezza
Member

mtrezza commented Aug 16, 2021

Thanks for reporting!

I have transferred this issue to the Parse Server repo since what you seem to indicate is that the latest version does not depend on the Parse JS SDK 3.3.0.

The projects such as parse-server, which introduced [email protected], are not maintained anymore. These unmaintained packages can neither upgrade parse nor be easily migrated by the large amount of affected downstream projects.

I guess your impression that Parse Server is not maintained anymore comes from the long time since the last release. There has been a lot of activity in parse-server in the last months, maybe more than ever before. We will release a beta version of Parse Server 5.0 in a few weeks before officially releasing version 5.0, because 5.0 contains a lot of fundamental changes. You can find more info here.

We will also release a 4.x patch version of Parse Server, probably in a few days, in which we will upgrade the Parse JS SDK dependency to the latest version, if compatible. If not, we will evaluate whether to release a patch version, depending on complexity and given that 5.0 is just around the corner.

Generally, we appreciate that the long time since the last Parse Server release is far from ideal. That is why we are working to automate releases from Parse Server 5.0 onwards which will bring a dramatic improvement in release frequency and a more timely release of vulnerability fixes.

If you need to address this issue urgently, you could:

  • fork Parse JS SDK, run npm audit fix and fork Parse Server to point to your forked JS SDK.
  • fork Parse Server, run npm audit fix or manually upgrade to Parse JS SDK 3.3.0.

@mtrezza mtrezza transferred this issue from parse-community/Parse-SDK-JS Aug 16, 2021
@mtrezza mtrezza added the type:question Support or code-level question label Aug 16, 2021
@evansrobert
Author

@mtrezza Thank you for your feedback.

I guess your impression that Parse Server is not maintained anymore comes from the long time since the last release.

You are totally right. Since the latest version (4.5.0) of Parse Server was released 8 months ago, I mistakenly assumed it was no longer maintained. Of course, if you can kindly release a new patched version of Parse Server which uses the latest version of parse (3.3.0), such a vulnerability patch can also be automatically propagated into the downstream projects. And please let me know. Thanks again. ^_^

@mtrezza
Member

mtrezza commented Aug 16, 2021

I have added a pinned issue about the Parse Server 5.0 release, to maybe make this more clear, thanks for pointing out. I am closing this issue for now, as this is a general release request.

@mtrezza mtrezza closed this as completed Aug 16, 2021
@mtrezza
Member

mtrezza commented Aug 23, 2021

@evansrobert We made several patch releases over the last few days. We just released Parse Server 4.10.1, which updates to Parse JS SDK 3.3.0. That should address the issue you mentioned here. As a reminder, take a look at the release notes before you upgrade, as they contain a security fix that may impact upgradability. Thanks for opening this issue!

2 participants