unfixable vulnerabilites by npm #3698

Closed
NewRedsquare opened this issue Feb 26, 2020 · 4 comments

@NewRedsquare

Hello,

While trying to install etherpad-lite, after doing npm audit fix, it gives me "unfixable" vulnerabilities:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ swagger-node-express                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ swagger-node-express > lodash                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/577                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.11                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ swagger-node-express                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ swagger-node-express > lodash                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/782                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ swagger-node-express                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ swagger-node-express > lodash                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 vulnerabilities (1 low, 2 high) in 13393 scanned packages
  3 vulnerabilities require manual review. See the full report for details.
etherpad-lite@iDebianEU:~/node_modules/ep_etherpad-lite$ npm audit fix
up to date in 7.551s

8 packages are looking for funding
  run `npm fund` for details

fixed 0 of 3 vulnerabilities in 13393 scanned packages
  3 vulnerabilities required manual review and could not be updated

I just saw that there were similar issues, but I can't find any proper solution. I just understood that you tried "to bypass" those vulnerabilities, or am I wrong?
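The report above identifies the vulnerable lodash only by its dependency path and a "Patched in" threshold. The following is an added example, not code from this issue or from Etherpad, of how to walk a package-lock.json and list every copy of a package with the path it is reached through, flagging those below the patched version; the lockfile contents and versions are constructed for illustration.

```javascript
// Added example (not from the etherpad-lite issue or project): walk a
// package-lock.json (v1 "dependencies" layout) and report every copy of a
// package, the path it is reached through, and whether its version is below
// the "Patched in" threshold from the npm audit report. The lockfile below is
// constructed for illustration; the versions are assumptions, not Etherpad's.

const SAMPLE_LOCK = {
  name: "ep_etherpad-lite",
  dependencies: {
    "swagger-node-express": {
      version: "2.1.3",
      dependencies: { lodash: { version: "2.4.1" } }, // nested, old copy
    },
    lodash: { version: "4.17.15" }, // top-level, already patched
  },
};

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every copy of `pkg`, recording its "a > b > pkg" path.
function findCopies(deps, pkg, trail = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, name];
    if (name === pkg) out.push({ path: path.join(" > "), version: info.version });
    findCopies(info.dependencies, pkg, path, out);
  }
  return out;
}

// Keep only the copies whose version is below the advisory's "Patched in" value.
function unpatchedCopies(lock, pkg, patchedIn) {
  return findCopies(lock.dependencies, pkg).filter(
    (c) => compareVersions(c.version, patchedIn) < 0
  );
}

// The three thresholds from the audit report in this issue.
for (const patched of ["4.17.5", "4.17.11", "4.17.12"]) {
  console.log(`below ${patched}:`, unpatchedCopies(SAMPLE_LOCK, "lodash", patched));
}
```

Running it against a real lockfile (replace SAMPLE_LOCK with the parsed file) shows which nested copies npm audit fix cannot bump because the parent pins an old range.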

@muxator
Contributor

muxator commented Mar 12, 2020

Hi @NewRedsquare, this is due to Etherpad's dependency on swagger-node-express, which has not been updated in a long time. See for example:

swagger-api/swagger-node#592
swagger-api/swagger-node#588

The wisest move would probably be to move to another library altogether.

@NewRedsquare
Author

So this is in standby now ?

@muxator
Contributor

muxator commented Mar 21, 2020

I just saw that there were similar issues, but I can't find any proper solution. I just understood that you tried "to bypass" those vulnerabilities, or am I wrong?

The vulnerabilities that were fixed on Etherpad from 1.6.4 to 1.8.0 were all fixed in a proper way. The ones that are still there are the ones that require more effort and, thus, time. Some of them are really nasty to tackle.

Obviously not all the vulnerabilities shown by npm audit are necessarily exploitable, but this does not stop us from keeping up.

@muxator
Contributor

muxator commented Mar 21, 2020

So this is in standby now?

@NewRedsquare, it's on the radar, but I can give no timing guarantees. Until we get rid of a lot of legacy libraries, these sorts of updates will always be problematic.

This issue is going to be tracked on #3723. If you have a proposal for an alternative library, please write down a line there.

Closing this.
Thanks.

@muxator muxator closed this as completed Mar 21, 2020