cve-2023-45853: zlib version in node dependency showing up in scans

[reidsm]

Hello,

node version 18.20.5, running on linux

In our recent scans we have detected the following CVE:
https://nvd.nist.gov/vuln/detail/cve-2023-45853

The description was updated on Dec 20 to include zlib versions <= 13.1 which appears to be why our scans are suddenly flagging the issue. The version in node 18.20.5 (going up to at least node v22) appears to be 1.3.0.1. Is there a plan to patch this version in the near future?

Thank you.

[mcollina]

Thanks for reporting.

I think this would be patched in January.

cc @RafaelGSS can you add this update to the upcoming release?

[RafaelGSS]

We fetch the zlib from chromium (git clone https://chromium.googlesource.com/chromium/src/third_party/zlib), which is likely up-to-date. The difference is that we are now including the commit-sha.

[RafaelGSS]

We can update zlib to match the latest on v23.x on v18, but I'm not confident this will "suppress" the security scanner warning. Also, I couldn't identify if the CVE-2023-45853 would affect Node.js. cc: @nodejs/zlib

[bnoordhuis]

We don't use minizip so the answer should be 'no'.