"braces" v3.0.2 / "micromatch" v4.0.5 vulnerabilities #306

Closed
sbradnick opened this issue May 15, 2024 · 10 comments

Comments

sbradnick commented May 15, 2024

Getting a report of: "A vulnerable version (3.0.2) of the braces package is embedded in" and I do see this:

$ grep -ir braces .
...
./xpra-html5/package-lock.json:    "node_modules/braces": {
./xpra-html5/package-lock.json:      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
./xpra-html5/package-lock.json:        "braces": "^3.0.2",
./xpra-html5/package-lock.json:    "braces": {
./xpra-html5/package-lock.json:      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
./xpra-html5/package-lock.json:        "braces": "^3.0.2",

Some references here: micromatch/braces#35 but there hasn't been a commit to that repo in 5 years.

EDIT: I do see this too: micromatch/braces#37 - hopefully that moves forward.

sbradnick changed the title from "braces" to "braces" v3.0.2 vulnerability on May 15, 2024

totaam (Collaborator) commented May 15, 2024

I'm not really bothered about build time stuff.
Also happy to remove the lot.

totaam (Collaborator) commented May 16, 2024

TBH, this came from a drive-by contribution which is causing me pain to this day.
Can we just get rid of all this nonsense? How?

sbradnick (Author) commented:

> TBH, this came from a drive-by contribution which is causing me pain to this day. Can we just get rid of all this nonsense? How?

The whole of npm & package-lock.json was someone else's addition? I'm not much of a node user (unless it makes an appearance in something else I'm trying to use and I can just let it 'do its thing'), so I don't know if those offending additions can simply be removed w/o causing some type of node dependency problem. "micromatch" requires "braces" / "micromatch" is required by "fast-glob"/"lint-staged", that type of thing ...

Another CVE was added too: micromatch/micromatch#243 (the comments in that one, wow ...)

$ grep -ir micromatch .
./package-lock.json:        "micromatch": "^4.0.4"
./package-lock.json:        "micromatch": "^4.0.4",
./package-lock.json:    "node_modules/micromatch": {
./package-lock.json:      "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz",
./package-lock.json:        "micromatch": "^4.0.4"
./package-lock.json:        "micromatch": "^4.0.4",
./package-lock.json:    "micromatch": {
./package-lock.json:      "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz",

sbradnick changed the title from "braces" v3.0.2 vulnerability to "braces" v3.0.2 / "micromatch" v4.0.5 vulnerabilities on May 16, 2024

totaam (Collaborator) commented May 16, 2024

It started relatively small: 41d3c2d
And now we have a 6617 lines monster.
When I say remove, I'm thinking of just removing everything node related.
It doesn't help me get things done in any shape or form, and just like this ticket, it causes pain.

sbradnick (Author) commented:

> When I say remove, I'm thinking of just removing everything node related.

Makes sense to me, I couldn't even begin to tell you what any of those packages are adding and if xpra-html5 functions just fine w/o them (and their extra complexity), it seems like a good thing to remove. And if there's any type of "braces" and "micromatch" CVE resolution, maybe they could be added back (I'm certainly not advocating that, I didn't even know they were a part of xpra-html5 until I got a bug report assigned to me 😜) if there is some type of value-add [to someone].

totaam (Collaborator) commented May 17, 2024

> I couldn't even begin to tell you what any of those packages are adding and if xpra-html5 functions just fine w/o them

These are just commit or push hooks.
They add nothing to xpra, they are not bundled with an installation, not even in the source releases.

So, the risk of harm from these two CVEs is pretty much zero. I can control-C if somehow my build takes too long.
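The distinction drawn in this comment (a flagged package that is only pulled in by dev tooling versus one that ships with an install) is exactly what a lockfile can answer without grepping for the package name as in the first comments above. The script below is an added example, not code from xpra-html5 or from the braces/micromatch projects: it walks the "packages" map of a lockfileVersion 2/3 package-lock.json, computes what is reachable from the root's "dependencies" and from its "devDependencies" separately, and reports the chain that pulls each named package in. The embedded lockfile is constructed to mirror the chain named in the thread (lint-staged -> micromatch -> braces); "example-runtime" is a hypothetical production dependency included only for contrast.

```python
"""Classify flagged npm packages as production or dev-only from package-lock.json.

Added example (not from the xpra-html5 project). Assumes a lockfile with a
top-level "packages" map (lockfileVersion 2 or 3), where the "" key is the
root project and every installed package is keyed by its node_modules path.
"""
import json
from collections import deque

# Constructed lockfile fragment modelled on the dependency chain named in the
# issue (lint-staged -> micromatch -> braces). "example-runtime" is a
# hypothetical production dependency added only to show the contrast.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "dependencies": {"example-runtime": "^1.0.0"},
            "devDependencies": {"lint-staged": "^13.0.0"},
        },
        "node_modules/example-runtime": {"version": "1.0.0"},
        "node_modules/lint-staged": {
            "version": "13.0.0", "dev": True,
            "dependencies": {"micromatch": "^4.0.4"},
        },
        "node_modules/micromatch": {
            "version": "4.0.5", "dev": True,
            "dependencies": {"braces": "^3.0.2"},
        },
        "node_modules/braces": {"version": "3.0.2", "dev": True},
    },
})


def resolve(packages, from_path, dep):
    """Return the lockfile key that `dep` resolves to when required from the
    package installed at `from_path`, using npm's nearest-node_modules lookup
    (own node_modules first, then each ancestor's, then the root's)."""
    path = from_path
    while True:
        cand = f"{path}/node_modules/{dep}" if path else f"node_modules/{dep}"
        if cand in packages:
            return cand
        if not path:
            return None
        # Strip the trailing "node_modules/<name>" segment to move to the parent.
        idx = path.rfind("node_modules/")
        path = path[:idx].rstrip("/")


def reachable(packages, root_field):
    """Breadth-first walk from the root's `root_field` edges ("dependencies" or
    "devDependencies"). Returns {package_key: chain_of_keys_from_root}."""
    seen = {}
    queue = deque()
    for dep in packages.get("", {}).get(root_field, {}):
        key = resolve(packages, "", dep)
        if key and key not in seen:
            seen[key] = [key]
            queue.append(key)
    while queue:
        cur = queue.popleft()
        for dep in packages[cur].get("dependencies", {}):
            key = resolve(packages, cur, dep)
            if key and key not in seen:
                seen[key] = seen[cur] + [key]
                queue.append(key)
    return seen


def classify(lock_text, names):
    """For each package name, report installed versions, whether any copy sits in
    the production graph, the shortest chain that pulls it in, and whether npm's
    own "dev": true marker agrees that every copy is dev-only."""
    packages = json.loads(lock_text)["packages"]
    prod = reachable(packages, "dependencies")
    dev = reachable(packages, "devDependencies")
    result = {}
    for name in names:
        keys = [k for k in packages
                if k == f"node_modules/{name}" or k.endswith(f"/node_modules/{name}")]
        in_prod = [k for k in keys if k in prod]
        in_dev = [k for k in keys if k in dev]
        result[name] = {
            "versions": sorted({packages[k].get("version", "?") for k in keys}),
            "production": bool(in_prod),
            "chain": (prod[in_prod[0]] if in_prod
                      else (dev[in_dev[0]] if in_dev else None)),
            "marked_dev": all(packages[k].get("dev", False) for k in keys) if keys else None,
        }
    return result


if __name__ == "__main__":
    report = classify(SAMPLE_LOCK, ["braces", "micromatch", "example-runtime"])
    for name, info in report.items():
        scope = "PRODUCTION" if info["production"] else "dev-only"
        via = " -> ".join(info["chain"] or [])
        print(f"{name} {info['versions']}: {scope}; pulled in via {via}")
```

Pointing `classify()` at a real lockfile (read the file instead of `SAMPLE_LOCK`) tells you, for each advisory, whether the flagged package can appear in what gets shipped or only in commit-hook and lint tooling; the `marked_dev` field cross-checks the graph walk against the `"dev": true` flag npm itself writes, so a disagreement between the two is worth investigating before trusting either.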

totaam (Collaborator) commented May 17, 2024

Also helps with #277 by not having to track down all of this crap

sbradnick (Author) commented:

Thanks to your explanation of how "braces" and "micromatch" are (not really) integrated to xpra-html5, the bugs (on my end) have been closed, so I'll close this. I really appreciate you conversing with me about it.

paulmillr commented:

There is NO vulnerability: micromatch/braces#37 (comment)

totaam (Collaborator) commented May 21, 2024

Nonetheless, there may well be other vulnerabilities in this monstrous node lock file, and none of them matter because they're not even being used. So I still want to get rid of this mess.
