-
-
Notifications
You must be signed in to change notification settings - Fork 8.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docusaurus depends on [email protected] with CVE-2020-7753 vulnerability #7275
Comments
Please see #6394 |
If your CI requires zero audit warning, your CI is broken. DO NOT rely on security audit for front end build pipelines. |
@slorber Could we get a second opinion on this advice?
However in a large code base, the way an NPM package is used is difficult to keep track of. Code evolves constantly. The analysis itself can be tricky. For example Docusaurus's hybrid client/server rendering makes it non-obvious whether a given NPM package will be executed by the browser runtime or Node.js tooling.
|
Apparently, the same issue has been responded to by multiple maintainers:
My response represents the response you will get from every single maintainer, and generally most maintainers in the front-end ecosystem. Docusaurus builds a static site; there's no way a user could be exploited by any security vulnerability whatsoever, unless they actively XSS themselves. |
The data flow of Docusaurus is always one-way: developer -> build pipeline -> deployment env -> user. The user never sends data back to the server. When we say "Docusaurus has a server-side", this server-side is not the same as Next.js: it's build-time only, and once deployed, it's only a bunch of static assets. The only viable attack vector that we are aware of is if you are outsourcing translations and injecting them via The lesson is that security audits are broken—it's not my word, it's the consensus from every OSS maintainer. Whenever you open a security issue somewhere, don't just say "there's a known CVE"—prove to us how this CVE can be actually exploited as an attack vector. Even better, please report this through the security portal for responsible disclosure. |
Take a look at our Docusaurus site: https://rushstack.io/community/events/ Users do login-with-GitHub and then interact with a Node.js service via web pages that are rendered by the Docusaurus engine. You're really making a lot of assumptions about how a particular Docusaurus site might work. |
That's your own code. Unless it's wired through some official Docusaurus API, we can't help with that. Since you are reporting it to upstream, and you have traced it down to exactly But anyways, I have spent enough time demonstrating to you why (a) it doesn't matter and (b) how to responsibly report security bugs in the front-end ecosystem. It's now your responsibility to abide to that. |
Upgrading your
Yes, but I'm not the person who is a concern. It is the not-knowledgeable engineer who later adds another project to the same monorepo. For example, let's say this new project is an Express service that happens to invoke See, security vulnerabilities by nature are tricky to analyze. This is why it's simpler just to work to get them eliminated from the dependency tree, rather than getting into armchair debates about each vulnerability that comes along.
As a maintainer of OSS myself, I would certainly give a lower priority to fixing an irrelevant-seeming vulnerability. But I would not dismiss it or argue that we shouldn't bother fixing the vulnerability at all, particularly for a high profile project like Docusaurus. |
That's the whole point of every issue I've been pointing to—right? We bump dependencies every week, there's no reason why we won't upgrade it if we can. However, upgrading to MDX v2 has been postponed to Docusaurus v3 because it would be a huge breaking change that will influence every single user, and it also uses ESM which we are not compatible with yet. We have #4029 and #6520 to track them. If this audit warning really bothers you, consider persuading the remark maintainers to release a patch version for the particular version of
I'm saying you should ignore it for Docusaurus because it's a front-end build tool, repeat "build tool". It doesn't offer any runtime features. Your comparison to Express is inadequate and there's a world of difference in between, which is why I said the "single direction of data flow" matters. Express is neither front-end nor "build pipeline". I don't see why my carefully-crafted statement that "DO NOT rely on security audit for front end build pipelines" can be stretched so much.
Totally agree. That's why I'm spending so much time demonstrating to you it doesn't matter, instead of instantly dismissing it as "it doesn't matter; now go".
Well, there are much higher-profile projects that take literally the same stance: facebook/create-react-app#11174 Again, we don't work on your team, we can't control your security policy. All we can ask you is, when you open a bug report, please please provide a reproduction. Maintainers have limited time (I have relatively much more time than @slorber but I'm volunteering), so it's important for you to demonstrate yourself how a particular bug is Docusaurus' issue, and for CVEs, how it causes tangible harm. It takes you and your team probably less than 5 minutes to run |
Not all of them IMHO. We are a build tool that runs in your CI to produce a static site output, based on inputs you commit yourself to Git. To be affected by such Denial-of-Service you'd have to want to hack yourself and commit malicious content on Git. And it would only DOS your CI (potentially blocking or slowing down the deployment), not really affecting real site visitors. I don't think it's good to disable/ignore all security warnings, but I guess in our context you can just ignore all those I believe those shouldn't have See also https://overreacted.io/npm-audit-broken-by-design/
We keep the browser runtime very small in core and theme-classic so there's only a limited number of dependencies being used there. If there's a DOS vulnerability in a browser package that could affect real users, we'll look into it as a priority. Now if you don't know if it's server or browser code, you can ask (like in this issue) and we'll tell you. We don't have the bandwidth to fix all those harmless vulnerabilities ourselves, but I understand if your company remains afraid of such vulnerabilities. It remains possible for you:
|
Summary: Three tasks (T121720170, T121720171, T121790680) related to unresolved vulnerabilities in the CQL GitHub project are filed after the addition of the yarn.lock file in D36390866 (3eb1a11). ~~Removing the yarn.lock file should close those tasks automatically.~~ Addressing this by forcefully updating the affected dependencies to a recent version even though our upstream dependencies are requiring older versions. GitHub uses yarn.lock (or package-lock.json) files to detect the use of npm libraries that have CVEs associated with them, and an [internal checkup tool](https://www.internalfb.com/intern/opensource/github/repo/2666233626998565/checkup/) detects its status. The two particular CVEs raised (on trim, nth-check) are from upstream libraries imported by Docusaurus. The Docusaurus team don't intend to fix the underlying issue ([Github Discussion](facebook/docusaurus#7275), they also reference [Dan Abramov's post arguing this whole vulnerabilty scan thing is broken](https://overreacted.io/npm-audit-broken-by-design/)) ~~Usually yarn.lock files should be checked in to ensure everyone (including prod) fetches the same dependencies, but given that this project is just a doc site and we have probably been working fine without it for ~3+ years, I think taking away yarn.lock is the best way to work around this issue.~~ Reviewed By: yangshun Differential Revision: D37075991 fbshipit-source-id: b39875f8bf1251df64abbb7bdc8cbb9139e682a6
Related-to: #2078 Remaining CVEs: ``` ❯ trivy fs --exit-code 1 --skip-dirs node_modules/,plugins/woodpecker-plugins/node_modules/ docs/ 2023-08-01T10:02:36.911+0200 INFO Vulnerability scanning is enabled 2023-08-01T10:02:36.911+0200 INFO Secret scanning is enabled 2023-08-01T10:02:36.911+0200 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning 2023-08-01T10:02:36.911+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection 2023-08-01T10:02:36.963+0200 INFO Number of language-specific files: 1 2023-08-01T10:02:36.963+0200 INFO Detecting pnpm vulnerabilities... pnpm-lock.yaml (pnpm) Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0) ┌─────────┬────────────────┬──────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ ├─────────┼────────────────┼──────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤ │ got │ CVE-2022-33987 │ MEDIUM │ 9.6.0 │ 11.8.5, 12.1.0 │ missing verification of requested URLs allows redirects to │ │ │ │ │ │ │ UNIX sockets │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-33987 │ ├─────────┼────────────────┼──────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤ │ trim │ CVE-2020-7753 │ HIGH │ 0.0.1 │ 0.0.3 │ nodejs-trim: Regular Expression Denial of Service (ReDoS) in │ │ │ │ │ │ │ trim function │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-7753 │ └─────────┴────────────────┴──────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘ ``` - `trim` is pulled in by `@docusaurus/theme-classic` and can be ignored due to facebook/docusaurus#7275 (comment) - `got` can be ignored as well, see `trim`
Have you read the Contributing Guidelines on issues?
Prerequisites
npm run clear
oryarn clear
command.rm -rf node_modules yarn.lock package-lock.json
and re-installing packages.Description
@docusaurus/[email protected]
depends on@mdx-js/[email protected]
which depends on[email protected]
which is breaking our CI builds with this security scanner failure:Reproducible demo
N/A
Steps to reproduce
Here's an easy way to repro the issue:
npm init
npm install @docusaurus/mdx-loader
npm audit
Expected behavior
Docusaurus should not depend on packages with
high severity
security vulnerabilities.Actual behavior
Security vulnerability
Your environment
2.0.0-beta.18
v14.17.0
Self-service
The text was updated successfully, but these errors were encountered: