
The tracking issue for npm audit fix commits #3555

Open
389-ds-bot opened this issue Sep 13, 2020 · 29 comments
Labels
cockpit Cockpit UI Plugin security Security Issue
Comments

@389-ds-bot

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/50499


Issue Description

New vulnerabilities can arise from time to time in npm audit reports and they should be addressed by running npm audit fix. Sometimes it can require manual intervention.

The PRs can be linked to this issue.

@389-ds-bot 389-ds-bot added cockpit Cockpit UI Plugin security Security Issue labels Sep 13, 2020
@389-ds-bot 389-ds-bot added this to the FUTURE milestone Sep 13, 2020
@389-ds-bot

389-ds-bot commented Sep 13, 2020

Comment from spichugi (@droideck) at 2019-07-16 00:47:14

#3556

@389-ds-bot

Comment from spichugi (@droideck) at 2019-07-16 00:47:15

Metadata Update from @droideck:

  • Custom field origin adjusted to None
  • Custom field reviewstatus adjusted to None

@389-ds-bot

Comment from mreynolds (@mreynolds389) at 2019-08-08 17:26:06

Metadata Update from @mreynolds389:

  • Issue set to the milestone: FUTURE

@389-ds-bot

Comment from vashirov (@vashirov) at 2019-08-23 09:53:49


NPM audit report JSON:
{
  "actions": [
    {
      "action": "update",
      "resolves": [
        {
          "id": 1118,
          "path": "eslint>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1118,
          "path": "eslint-plugin-node>eslint-plugin-es>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1118,
          "path": "eslint-plugin-node>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "eslint-utils",
      "target": "1.4.2",
      "depth": 3
    }
  ],
  "advisories": {
    "1118": {
      "findings": [
        {
          "version": "1.3.1",
          "paths": [
            "eslint>eslint-utils",
            "eslint-plugin-node>eslint-plugin-es>eslint-utils",
            "eslint-plugin-node>eslint-utils"
          ]
        }
      ],
      "id": 1118,
      "created": "2019-08-20T15:17:53.538Z",
      "updated": "2019-08-22T18:54:18.136Z",
      "deleted": null,
      "title": "Arbitrary Code Execution",
      "found_by": {
        "link": "",
        "name": "Toru Nagashima"
      },
      "reported_by": {
        "link": "",
        "name": "Toru Nagashima"
      },
      "module_name": "eslint-utils",
      "cves": [],
      "vulnerable_versions": ">=1.2.0 <1.4.1",
      "patched_versions": ">=1.4.1",
      "overview": "Versions of `eslint-utils` >=1.2.0 or <1.4.1 are vulnerable to Arbitrary Code Execution. The `getStaticValue` does not properly sanitize user input allowing attackers to supply malicious input that executes arbitrary code during the linting process. The `getStringIfConstant` and `getPropertyName` functions are not affected.",
      "recommendation": "Upgrade to version 1.4.1 or later.",
      "references": "- [ESLint release](https://eslint.org/blog/2019/08/eslint-v6.2.1-released)\n- [eslint-utils advisory](https://github.com/mysticatea/eslint-utils/security/advisories/GHSA-3gx7-xhv7-5mx3)",
      "access": "public",
      "severity": "critical",
      "cwe": "CWE-94",
      "metadata": {
        "module_type": "",
        "exploitability": 3,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1118"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 0,
      "critical": 3
    },
    "dependencies": 2883,
    "devDependencies": 7047,
    "optionalDependencies": 280,
    "totalDependencies": 10113
  },
  "runId": "1dbb03fb-3b04-452f-8254-4440e9691b7b"
}
Failed security audit due to critical vulnerabilities.
Exiting...
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] audit-ci: `audit-ci --config audit-ci.json`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] audit-ci script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2019-08-23T07_50_04_578Z-debug.log
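
Evaluating a report of the shape posted above against a severity gate, as an added example that is not code from 389-ds-base, npm or audit-ci. It parses the npm v6 `npm audit --json` structure shown in the comment (actions, advisories, metadata), counts findings per vulnerable path (which is why one advisory shows as "critical": 3 above), applies a threshold object (an assumed shape with one boolean per severity, modelled on audit-ci's config but not its real schema, plus a hypothetical skipDev option), and separates the `update`/`install` actions that `npm audit fix` applies on its own from `review` actions that need the manual intervention mentioned in the issue description. The sample report is a constructed, trimmed copy of the one above; the second advisory (id 9999, "example-lib") is a placeholder, not a real advisory.

```javascript
'use strict';
// Added example, not code from 389-ds-base, npm or audit-ci. It evaluates an
// npm v6 `npm audit --json` report (actions / advisories / metadata, the shape
// posted in the thread) against a severity gate and tells automatic fixes
// apart from those needing manual intervention.

const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample: a trimmed copy of the report above. The second advisory
// (id 9999, "example-lib") is a placeholder added so that a `review` action,
// which `npm audit fix` never applies, is present; it is not a real advisory.
const SAMPLE_REPORT = {
  actions: [
    { action: 'update', module: 'eslint-utils', target: '1.4.2', depth: 3,
      resolves: [
        { id: 1118, path: 'eslint>eslint-utils', dev: true, optional: false, bundled: false },
        { id: 1118, path: 'eslint-plugin-node>eslint-utils', dev: true, optional: false, bundled: false },
      ] },
    { action: 'review', module: 'example-lib', depth: 2,
      resolves: [
        { id: 9999, path: 'some-tool>example-lib', dev: false, optional: false, bundled: false },
      ] },
  ],
  advisories: {
    1118: { id: 1118, module_name: 'eslint-utils', severity: 'critical', cwe: 'CWE-94',
            title: 'Arbitrary Code Execution',
            vulnerable_versions: '>=1.2.0 <1.4.1', patched_versions: '>=1.4.1',
            findings: [{ version: '1.3.1',
                         paths: ['eslint>eslint-utils', 'eslint-plugin-node>eslint-utils'] }] },
    9999: { id: 9999, module_name: 'example-lib', severity: 'moderate', cwe: 'CWE-20',
            title: 'Placeholder advisory (constructed)',
            vulnerable_versions: '<2.0.0', patched_versions: null,
            findings: [{ version: '1.0.0', paths: ['some-tool>example-lib'] }] },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 2 } },
};

// Count one finding per vulnerable path, which is how npm arrives at
// "critical": 3 in the thread for a single advisory reachable via three paths.
function countBySeverity(report) {
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  for (const adv of Object.values(report.advisories)) {
    const n = adv.findings.reduce((sum, f) => sum + f.paths.length, 0);
    if (adv.severity in counts) counts[adv.severity] += n;
  }
  return counts;
}

// Gate on metadata.vulnerabilities alone. `threshold` has one boolean per
// severity (an assumed shape modelled on audit-ci's config, not its real
// schema): true means any finding at that severity fails the build.
function gateCounts(counts, threshold) {
  return SEVERITIES.every((s) => !threshold[s] || (counts[s] || 0) === 0);
}

// Full evaluation: which advisories fail the gate. `skipDev` (hypothetical
// option) ignores advisories only reachable through devDependencies; the
// thread's eslint-utils finding is dev-only and was still gated on.
function evaluate(report, threshold, { skipDev = false } = {}) {
  const failing = [];
  for (const adv of Object.values(report.advisories)) {
    if (!threshold[adv.severity]) continue;
    const resolves = report.actions.flatMap((a) => a.resolves.filter((r) => r.id === adv.id));
    const devOnly = resolves.length > 0 && resolves.every((r) => r.dev);
    if (skipDev && devOnly) continue;
    failing.push({ id: adv.id, module: adv.module_name, severity: adv.severity, devOnly });
  }
  return { ok: failing.length === 0, failing };
}

// `npm audit fix` applies `update` and `install` actions; `review` actions
// (major bump required, or no patched release) are left for a human.
function planFixes(report) {
  const plan = { automatic: [], manual: [] };
  for (const a of report.actions) {
    const entry = { module: a.module, target: a.target || null,
                    ids: [...new Set(a.resolves.map((r) => r.id))] };
    (a.action === 'update' || a.action === 'install' ? plan.automatic : plan.manual).push(entry);
  }
  return plan;
}

// A gate that fails on high and critical only (constructed; the project's own
// audit-ci.json is not shown in the thread).
const GATE = { info: false, low: false, moderate: false, high: true, critical: true };

function main() {
  const verdict = evaluate(SAMPLE_REPORT, GATE);
  const plan = planFixes(SAMPLE_REPORT);
  console.log('findings by severity:', countBySeverity(SAMPLE_REPORT));
  console.log(verdict.ok ? 'audit passed' : 'Failed security audit:', verdict.failing);
  console.log('npm audit fix would apply:', plan.automatic);
  console.log('needs manual intervention:', plan.manual);
  return verdict.ok ? 0 : 1;
}

if (typeof require === 'undefined' || require.main === module) main();
```

Run it with `node` to see the same two-step outcome the thread went through: the dev-only eslint-utils finding fails the gate, the `update` action is what `npm audit fix` would apply, and the `review` action is the manual-intervention case. Relaxing the gate to high/critical only, or enabling the skipDev option, is what makes a build pass without the underlying package being fixed, which is the situation vashirov describes further down when the 126 findings were re-rated from moderate to low.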

@389-ds-bot

389-ds-bot commented Sep 13, 2020

Comment from spichugi (@droideck) at 2019-08-23 10:17:33

#3616

@389-ds-bot

Comment from mreynolds (@mreynolds389) at 2019-09-27 23:25:01

Commit 2e85b4a3 relates to this ticket

@389-ds-bot

Comment from mreynolds (@mreynolds389) at 2019-09-27 23:26:45

Fixes npm "handlebar" audit alert

Commit 2e85b4a relates to this ticket

67d69bf..4f84db6 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

@389-ds-bot

Comment from spichugi (@droideck) at 2019-11-04 22:18:19

Commit 5202ad8b relates to this ticket

@389-ds-bot

Comment from spichugi (@droideck) at 2019-11-04 22:24:02

Fixes npm "handlebar" audit alert - again

1299143..5202ad8 master -> master
9c210f7..49c7044 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

@389-ds-bot

Comment from mreynolds (@mreynolds389) at 2019-11-15 17:04:44

Commit b1d67c11 relates to this ticket

@389-ds-bot

Comment from spichugi (@droideck) at 2019-11-20 12:21:19

Commit 9f475988 relates to this ticket

@389-ds-bot

Comment from vashirov (@vashirov) at 2019-12-11 16:02:58

Commit 80e0ce24 relates to this ticket
a9fa0ad..d619905 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

@389-ds-bot

Comment from spichugi (@droideck) at 2020-03-09 22:46:50

Commit a66fe152 relates to this ticket

@389-ds-bot

Comment from spichugi (@droideck) at 2020-03-09 22:50:06

bf8b4af..a66fe15 master -> master
74046ab..1cda41b 389-ds-base-1.4.1 -> 389-ds-base-1.4.1
610d2f5..88b5cd3 389-ds-base-1.4.2 -> 389-ds-base-1.4.2

@389-ds-bot

Comment from vashirov (@vashirov) at 2020-03-18 08:48:31

@droideck, nightly build failed due to https://www.npmjs.com/advisories/1179

    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 126,
      "high": 0,
      "critical": 0
    },

Could you please take a look?

@389-ds-bot

Comment from vashirov (@vashirov) at 2020-03-19 11:19:03

The build now works, since the vulnerability got lower severity, but it still needs to be fixed.

    "vulnerabilities": {
      "info": 0,
      "low": 126,
      "moderate": 0,
      "high": 0,
      "critical": 0
    },

@389-ds-bot

389-ds-bot commented Sep 13, 2020

Comment from mreynolds (@mreynolds389) at 2020-04-24 17:02:07

Fixed latest audit issues, updated existing npm packages, and removed unused packages...

#4102

@389-ds-bot

Comment from mreynolds (@mreynolds389) at 2020-04-24 18:38:14

Commit 53e9d9f9 relates to this ticket

@389-ds-bot

Comment from vashirov (@vashirov) at 2020-05-14 08:58:13

Nightly build failed due to npm audit ci:

    "vulnerabilities": {
      "info": 0,
      "low": 8,
      "moderate": 17,
      "high": 0,
      "critical": 0
    },

https://npmjs.com/advisories/1500
https://npmjs.com/advisories/1518

@389-ds-bot

Comment from mreynolds (@mreynolds389) at 2020-05-15 16:06:39

Commit 9afa6694 relates to this ticket

@389-ds-bot

Comment from mreynolds (@mreynolds389) at 2020-05-15 16:08:41

Commit 9afa669 relates to this ticket

d3ae07a..d411837 389-ds-base-1.4.3 -> 389-ds-base-1.4.3

703d857..14c7a3c 389-ds-base-1.4.2 -> 389-ds-base-1.4.2

41e0f4b..62cc505 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

@389-ds-bot

Comment from vashirov (@vashirov) at 2020-05-27 12:27:16

Another one https://www.npmjs.com/advisories/1522 (high)

droideck added a commit that referenced this issue Oct 13, 2020
Description: Update dependencies which have vulnerabilities
and remove unused deps:
- eonasdan-bootstrap-datetimepicker;
- react-ellipsis-with-tooltip;
- recompose;

Relates: #3555

Reviewed by: @mreynolds389 (Thanks!)
lab-at-nohl pushed a commit to lab-at-nohl/cockpit-389-ds-containerproxy that referenced this issue May 9, 2024
Description:

Ran npm audit fix to address vulnerability in nanoid

relates: 389ds/389-ds-base#3555

Reviewed by: mreynolds
lab-at-nohl pushed a commit to lab-at-nohl/cockpit-389-ds-containerproxy that referenced this issue May 9, 2024
Description: Run npm audit fix to address the vulnerability
in word-wrap and semver.

Relates: 389ds/389-ds-base#3555

Reviewed by: @mreynolds389 (Thanks!)
lab-at-nohl pushed a commit to lab-at-nohl/cockpit-389-ds-containerproxy that referenced this issue May 9, 2024
Description: Run npm audit fix to address the vulnerability
in babel/traverse.

Relates: 389ds/389-ds-base#3555

Reviewed by: @progier389 (Thanks!)
lab-at-nohl pushed a commit to lab-at-nohl/cockpit-389-ds-containerproxy that referenced this issue May 9, 2024
Description: We use npx for audit-ci runs. Hence we don't need the
package installed at all.
Remove audit-ci from package.json and generate a new package-lock.json.

Related: 389ds/389-ds-base#3555

Reviewed by: @vashirov (Thanks!)
droideck added a commit to droideck/389-ds-base that referenced this issue Aug 27, 2024
Description: Run npm audit fix to address the vulnerability
in micromatch.

Relates: 389ds#3555

Reviewed by: ?
progier389 pushed a commit that referenced this issue Aug 27, 2024
Description: Run npm audit fix to address the vulnerability
in micromatch.

Relates: #3555

Reviewed by: @progier389
droideck added a commit that referenced this issue Aug 28, 2024
Description: Run npm audit fix to address the vulnerability
in micromatch.

Relates: #3555

Reviewed by: @progier389
droideck added a commit that referenced this issue Aug 28, 2024
Description: Run npm audit fix to address the vulnerability
in micromatch.

Relates: #3555

Reviewed by: @progier389
droideck added a commit that referenced this issue Aug 28, 2024
Description: Run npm audit fix to address the vulnerability
in micromatch.

Relates: #3555

Reviewed by: @progier389
droideck added a commit that referenced this issue Aug 28, 2024
Description: Run npm audit fix to address the vulnerability
in micromatch.

Relates: #3555

Reviewed by: @progier389
droideck added a commit that referenced this issue Aug 28, 2024
Description: Run npm audit fix to address the vulnerability
in micromatch.

Relates: #3555

Reviewed by: @progier389
droideck added a commit that referenced this issue Aug 28, 2024
Description: Run npm audit fix to address the vulnerability
in micromatch.

Relates: #3555

Reviewed by: @progier389
droideck added a commit that referenced this issue Aug 28, 2024
Description: Run npm audit fix to address the vulnerability
in micromatch.

Relates: #3555

Reviewed by: @progier389
droideck added a commit that referenced this issue Aug 28, 2024
Description: Run npm audit fix to address the vulnerability
in micromatch.

Relates: #3555

Reviewed by: @progier389
@droideck

b3b72a3..812d058 389-ds-base-3.0 -> 389-ds-base-3.0
776f0e2..4de8658 389-ds-base-2.5 -> 389-ds-base-2.5
7bdd19c..593faba 389-ds-base-2.4 -> 389-ds-base-2.4
ebdbf2e..2b06fd2 389-ds-base-2.3 -> 389-ds-base-2.3
e11fb32..0a3eeac 389-ds-base-2.2 -> 389-ds-base-2.2
66550f0..b6523e3 389-ds-base-2.1 -> 389-ds-base-2.1
27daab1..4a13e4d 389-ds-base-2.0 -> 389-ds-base-2.0
0c184e1..09fb500 389-ds-base-1.4.3 -> 389-ds-base-1.4.3

vashirov added a commit that referenced this issue Dec 16, 2024
Description:
Update npm packages to fix issues reported by npm audit

Relates: #3555
vashirov added a commit that referenced this issue Dec 16, 2024
Description:
Update npm packages to fix issues reported by npm audit

Relates: #3555
vashirov added a commit that referenced this issue Dec 16, 2024
Description:
Update npm packages to fix issues reported by npm audit

Relates: #3555
vashirov added a commit that referenced this issue Dec 16, 2024
Description:
Update npm packages to fix issues reported by npm audit

Relates: #3555
vashirov added a commit that referenced this issue Dec 16, 2024
Description:
Update npm packages to fix issues reported by npm audit

Relates: #3555
vashirov added a commit that referenced this issue Dec 16, 2024
Description:
Update npm packages to fix issues reported by npm audit

Relates: #3555
vashirov added a commit that referenced this issue Dec 16, 2024
Description:
Update npm packages to fix issues reported by npm audit

Relates: #3555
vashirov added a commit that referenced this issue Dec 16, 2024
Description:
Update npm packages to fix issues reported by npm audit

Relates: #3555
vashirov added a commit that referenced this issue Dec 16, 2024
Description:
Update npm packages to fix issues reported by npm audit

Relates: #3555
@vashirov

62b860e..d968f3b 389-ds-base-1.4.3 -> 389-ds-base-1.4.3
64bd885..6cc6112 389-ds-base-1.4.4 -> 389-ds-base-1.4.4
5117a42..784b6e3 389-ds-base-2.0 -> 389-ds-base-2.0
d073b7f..51b11a7 389-ds-base-2.1 -> 389-ds-base-2.1
c745cf7..c475c8c 389-ds-base-2.2 -> 389-ds-base-2.2
1418137..9c40f3d 389-ds-base-2.3 -> 389-ds-base-2.3
5c56cd3..4172ebf 389-ds-base-2.4 -> 389-ds-base-2.4
027015f..71f9a90 389-ds-base-2.5 -> 389-ds-base-2.5
5c9e1b6..ee2d8c9 389-ds-base-3.0 -> 389-ds-base-3.0

vashirov added a commit to vashirov/389-ds-base that referenced this issue Dec 17, 2024
Description:
Update npm packages to fix issues reported by npm audit

Relates: 389ds#3555
vashirov added a commit to vashirov/389-ds-base that referenced this issue Dec 17, 2024
Description:
Update npm packages to fix issues reported by npm audit

Relates: 389ds#3555

Reviewed by: @progier389 (Thanks!)
vashirov added a commit that referenced this issue Dec 17, 2024
Description:
Update npm packages to fix issues reported by npm audit

Relates: #3555

Reviewed by: @progier389 (Thanks!)
4 participants