
🐛 npm warns about 7 vulnerabilities in biome@latest dependencies #400

Closed
1 task done
lgarron opened this issue Sep 23, 2023 · 5 comments
Labels: A-Website (Area: website), good first issue (Good for newcomers), S-Bug-confirmed (Status: report has been confirmed as a valid bug), S-Help-wanted (Status: you're familiar with the code base and want to help the project)

Comments


lgarron commented Sep 23, 2023

Environment information

`npx biome rage` does not output anything, for some reason. The installed version is v0.3.3

What happened?

mkdir /tmp/biome-test && cd /tmp/biome-test
npm init -y
npm install biome@latest
npm audit

Output of npm audit (also printed at install time):

> npm audit
# npm audit report

lodash  <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via `npm audit fix`
node_modules/inquirer/node_modules/lodash
  inquirer  <=0.11.4
  Depends on vulnerable versions of lodash
  node_modules/inquirer
    inquirer-promise  <=0.0.3
    Depends on vulnerable versions of inquirer
    node_modules/inquirer-promise

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request
  request-promise  >=0.0.2
  Depends on vulnerable versions of request
  node_modules/request-promise
    biome  >=0.3.0
    Depends on vulnerable versions of inquirer-promise
    Depends on vulnerable versions of request-promise
    node_modules/biome

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tough-cookie

7 vulnerabilities (3 moderate, 3 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

I've reproduced this on two different computers.

Expected result

No vulns

Code of Conduct

  • I agree to follow Biome's Code of Conduct
@Conaclos Conaclos added this to the Biome 1.3 milestone Sep 23, 2023

lgarron commented Sep 23, 2023

Wait, sorry, I typed biome instead of @biomejs/biome by hand because I needed to fix something manually.

@lgarron lgarron closed this as completed Sep 23, 2023

ematipico commented Sep 23, 2023

The package you're calling is not this one. I don't know how npx resolves the binary names, but you executed https://www.npmjs.com/package/biome

Our package is https://www.npmjs.com/package/@biomejs/biome

@ematipico ematipico closed this as not planned Sep 23, 2023

lgarron commented Sep 23, 2023

Wait, sorry, I typed biome instead of @biomejs/biome by hand because I needed to fix something manually.

For what it's worth, I try to use npx @biomejs/biome explicitly when possible, to avoid this trap. The fact that the Biome project uses npx biome in its documentation is a bit of a security liability, because it can be superseded by the biome package.

ematipico (Member) commented

> Wait, sorry, I typed biome instead of @biomejs/biome by hand because I needed to fix something manually.
>
> For what it's worth, I try to use npx @biomejs/biome explicitly when possible, to avoid this trap. The fact that the Biome project uses npx biome in its documentation is a bit of a security liability, because it can be superseded by the biome package.

That's definitely a mistake, we should fix it! Thank you for pointing it out.

I'm going to keep the issue open to track it

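The trap described in the two comments above is that a bare name on the `npx` command line is also a registry package name: `biome` is the unscoped package at https://www.npmjs.com/package/biome, not `@biomejs/biome`. The following is an added example, not code from the Biome project or from either commenter. It assumes that `npx <name>` falls back to fetching the registry package called `<name>` when no locally installed bin of that name exists, that `npx` accepts the package through `-p`/`--package`, and that an npm lockfile (v2/v3) lists installed packages under `packages` keyed by their `node_modules/...` path. The `INTENDED_SCOPED` map, the `biome-test` lockfile contents and every sample line are constructed for the example. It does two things the thread only describes: it scans documentation or CI text for `npx` invocations that use the bare name where a scoped package was intended, and it scans a lockfile for an unscoped package that shadows an intended scoped one.

```javascript
// Added example: detect bare-name `npx` invocations and lockfile entries that
// resolve to an unscoped registry package where a scoped one was intended.
// Not Biome project code; the map below and all sample input are constructed.

// Bare names that must be spelled as a scoped package. The `biome` entry is the
// case from this issue (hypothetical: extend with your own scoped tools).
const INTENDED_SCOPED = new Map([["biome", "@biomejs/biome"]]);

// Strip a trailing @version from a spec while keeping a leading @scope/.
function specToName(spec) {
  if (!spec) return null;
  const at = spec.indexOf("@", 1); // start at 1 so "@scope/name" keeps its "@"
  return at === -1 ? spec : spec.slice(0, at);
}

function isScoped(name) {
  return name.startsWith("@") && name.includes("/");
}

// Return the package name an `npx` command line resolves, or null if the line
// is not an npx invocation. Handles `-p pkg`, `--package pkg`, `--package=pkg`
// and skips other flags such as `--yes`.
function parseNpxInvocation(commandLine) {
  const tokens = commandLine.trim().split(/\s+/);
  const i = tokens.indexOf("npx");
  if (i === -1) return null;
  for (let j = i + 1; j < tokens.length; j++) {
    const t = tokens[j];
    if (t === "-p" || t === "--package") return specToName(tokens[j + 1]);
    if (t.startsWith("--package=")) return specToName(t.slice("--package=".length));
    if (t.startsWith("-")) continue; // flag without a package argument
    return specToName(t); // first positional token is the package/command
  }
  return null;
}

// Scan text (README, CI config) line by line for `npx <bare>` where <bare>
// is a key of `intended`; those lines would fetch the unscoped registry package.
function findUnscopedNpxInvocations(text, intended = INTENDED_SCOPED) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    const name = parseNpxInvocation(line);
    if (!name || isScoped(name)) return;
    const scoped = intended.get(name);
    if (scoped) findings.push({ lineNo: idx + 1, line: line.trim(), bare: name, intended: scoped });
  });
  return findings;
}

// Scan a parsed package-lock.json (v2/v3 `packages` map) for an installed
// unscoped package whose name collides with an intended scoped package.
function findShadowingPackages(lockfile, intended = INTENDED_SCOPED) {
  const hits = [];
  for (const p of Object.keys(lockfile.packages || {})) {
    const m = p.match(/(?:^|\/)node_modules\/([^@/][^/]*)$/); // unscoped leaf only
    if (!m) continue;
    const scoped = intended.get(m[1]);
    if (scoped) hits.push({ path: p, bare: m[1], intended: scoped });
  }
  return hits;
}

// Constructed sample input (not taken from Biome's docs).
const SAMPLE_DOCS = [
  "npx biome format --write ./src",       // bare name: resolves to the `biome` package
  "npx --yes biome@1.2.2 check .",        // still bare, version suffix does not help
  "npx @biomejs/biome lint ./src",        // correct: scoped name spelled out
  "npx -p @biomejs/biome biome check .",  // correct: package given via -p
  "npm install --save-dev @biomejs/biome" // not an npx line
].join("\n");

// Constructed lockfile fragment; versions are placeholders.
const SAMPLE_LOCK = {
  name: "biome-test",
  lockfileVersion: 3,
  packages: {
    "": { name: "biome-test" },
    "node_modules/biome": { version: "0.3.3" },
    "node_modules/request": { version: "0.0.0" },
    "node_modules/inquirer/node_modules/lodash": { version: "0.0.0" }
  }
};

function report() {
  const docs = findUnscopedNpxInvocations(SAMPLE_DOCS);
  const lock = findShadowingPackages(SAMPLE_LOCK);
  for (const f of docs) console.log(`docs line ${f.lineNo}: use "npx ${f.intended}" instead of "npx ${f.bare}" (${f.line})`);
  for (const h of lock) console.log(`lockfile: ${h.path} is the unscoped "${h.bare}", expected ${h.intended}`);
  return { docs, lock };
}

report();
```

Run it with `node` as a pre-commit or CI check over the files that carry install instructions; the lockfile scan catches the case from the first comment, where `npm install biome` pulled in the unscoped package and its `request`/`inquirer` dependency tree.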
@ematipico ematipico reopened this Sep 23, 2023
@ematipico ematipico added the A-Website, S-Bug-confirmed, good first issue and S-Help-wanted labels Sep 24, 2023
nissy-dev (Contributor) commented

Closed by #447
