update vulnerable npm dependencies (npm audit fix) #2052

Closed
nodiscc opened this issue Dec 3, 2023 · 2 comments · Fixed by #2101

nodiscc commented Dec 3, 2023

trivy security scanner reports vulnerable dependencies in Shaarli's yarn.lock

https://github.com/shaarli/Shaarli/actions/runs/7077779999/job/19262500733

yarn.lock (yarn)
================
Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 6, CRITICAL: 1)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────────────────┬─────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Status │ Installed Version │       Fixed Version        │                            Title                            │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ ansi-regex   │ CVE-2021-3807  │ HIGH     │ fixed  │ 5.0.0             │ 6.0.1, 5.0.1, 4.1.1, 3.0.1 │ Regular expression denial of service (ReDoS) matching ANSI  │
│              │                │          │        │                   │                            │ escape codes                                                │
│              │                │          │        │                   │                            │ https://avd.aquasec.com/nvd/cve-2021-3807                   │
├──────────────┼────────────────┤          │        ├───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ glob-parent  │ CVE-2020-28469 │          │        │ 3.1.0             │ 5.1.2                      │ Regular expression denial of service                        │
│              │                │          │        │                   │                            │ https://avd.aquasec.com/nvd/cve-2020-28469                  │
├──────────────┼────────────────┤          │        ├───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ json5        │ CVE-2022-46175 │          │        │ 2.2.0             │ 2.2.2, 1.0.2               │ json5: Prototype Pollution in JSON5 via Parse Method        │
│              │                │          │        │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-46175                  │
├──────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ loader-utils │ CVE-2022-37601 │ CRITICAL │        │ 2.0.0             │ 2.0.3, 1.4.1               │ loader-utils: prototype pollution in function parseQuery in │
│              │                │          │        │                   │                            │ parseQuery.js                                               │
│              │                │          │        │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-37601                  │
│              ├────────────────┼──────────┤        │                   ├────────────────────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2022-37599 │ HIGH     │        │                   │ 1.4.2, 2.0.4, 3.2.1        │ loader-utils: regular expression denial of service in       │
│              │                │          │        │                   │                            │ interpolateName.js                                          │
│              │                │          │        │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-37599                  │
│              ├────────────────┤          │        │                   │                            ├─────────────────────────────────────────────────────────────┤
│              │ CVE-2022-37603 │          │        │                   │                            │ Regular expression denial of service                        │
│              │                │          │        │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-37603                  │
├──────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ postcss      │ CVE-2023-44270 │ MEDIUM   │        │ 7.0.36            │ 8.4.31                     │ An issue was discovered in PostCSS before 8.4.31. The       │
│              │                │          │        │                   │                            │ vulnerability af ......                                     │
│              │                │          │        │                   │                            │ https://avd.aquasec.com/nvd/cve-2023-44270                  │
├──────────────┼────────────────┤          │        ├───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ semver       │ CVE-2022-25883 │          │        │ 7.0.0             │ 7.5.2, 6.3.1, 5.7.2        │ nodejs-semver: Regular expression denial of service         │
│              │                │          │        │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-25883                  │
├──────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ terser       │ CVE-2022-25858 │ HIGH     │        │ 5.7.0             │ 4.8.1, 5.14.2              │ terser: insecure use of regular expressions leads to ReDoS  │
│              │                │          │        │                   │                            │ https://avd.aquasec.com/nvd/cve-2022-25858                  │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────────────────┴─────────────────────────────────────────────────────────────┘

These vulnerable dependencies are also present in the last release (v0.13.0), which is reflected by the failed status of the daily trivy scans (https://github.com/shaarli/Shaarli/actions/workflows/trivy-release.yml).

These are basically the same vulnerabilities as those reported by GitHub Dependabot on https://github.com/shaarli/Shaarli/security/dependabot.

npm audit fix (and a few manual tests to ensure the upgrade doesn't break anything) should fix most of these warnings. In case a dependency can't be easily updated, we should check if the reported vulnerability is effectively applicable, and if not, whitelist it.

In addition, we could disable GitHub's security advisories as these are now redundant (and a FOSS solution like trivy is preferable in my opinion - it is also easy to run it locally using make test_trivy_repo).

@nodiscc nodiscc added this to the 0.14.0 milestone Dec 3, 2023
@nodiscc nodiscc added enhancement security dependencies Pull requests that update a dependency file labels Dec 3, 2023
nodiscc added a commit to nodiscc/Shaarli that referenced this issue Dec 5, 2023

nodiscc commented Dec 20, 2023

npm audit fix done in #2056

There are 2 issues remaining:

yarn.lock (yarn)
================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                         │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ glob-parent │ CVE-2020-28469 │ HIGH     │ fixed  │ 3.1.0             │ 5.1.2         │ Regular expression denial of service                  │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-28469            │
├─────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ postcss     │ CVE-2023-44270 │ MEDIUM   │        │ 7.0.39            │ 8.4.31        │ An issue was discovered in PostCSS before 8.4.31. The │
│             │                │          │        │                   │               │ vulnerability af ......                               │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-44270            │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────┘

However, these can only be fixed with npm audit fix --force:

$ npm audit fix 
npm WARN deprecated [email protected]: This module is no longer supported.
npm WARN deprecated @stylelint/[email protected]: Use the original unforked package instead: postcss-markdown
npm WARN deprecated [email protected]: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated @stylelint/[email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

added 253 packages, removed 39 packages, changed 62 packages, and audited 928 packages in 6s

120 packages are looking for funding
  run `npm fund` for details

# npm audit report

glob-parent  <5.1.2
Severity: high
glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.47.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postcss
  autoprefixer  1.0.20131222 - 9.8.8
  Depends on vulnerable versions of postcss
  node_modules/autoprefixer
    stylelint  0.1.0 - 13.13.1
    Depends on vulnerable versions of autoprefixer
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-less
    Depends on vulnerable versions of postcss-safe-parser
    Depends on vulnerable versions of postcss-sass
    Depends on vulnerable versions of postcss-scss
    Depends on vulnerable versions of sugarss
    node_modules/stylelint
      stylelint-scss  0.0.0-alpha.1 || 1.0.0 - 3.21.0
      Depends on vulnerable versions of stylelint
      node_modules/stylelint-scss
  css-loader  0.15.0 - 4.3.0
  Depends on vulnerable versions of icss-utils
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of postcss-modules-extract-imports
  Depends on vulnerable versions of postcss-modules-local-by-default
  Depends on vulnerable versions of postcss-modules-scope
  Depends on vulnerable versions of postcss-modules-values
  node_modules/css-loader
  icss-utils  <=4.1.1
  Depends on vulnerable versions of postcss
  node_modules/icss-utils
    postcss-modules-local-by-default  <=4.0.0-rc.4
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-local-by-default
    postcss-modules-values  <=4.0.0-rc.5
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-values
  postcss-less  <=3.1.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-less
  postcss-modules-extract-imports  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-extract-imports
  postcss-modules-scope  <=2.2.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-scope
  postcss-safe-parser  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-safe-parser
  postcss-sass  <=0.4.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-sass
  postcss-scss  <=2.1.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-scss
  sugarss  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/sugarss

20 vulnerabilities (15 moderate, 5 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

But I run into dependency issues when trying to perform npm audit fix --force:

$ npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating css-loader to 6.8.1, which is a SemVer major change.
npm WARN audit Updating stylelint to 16.0.2, which is a SemVer major change.
npm WARN audit Updating stylelint-scss to 6.0.0, which is a SemVer major change.
npm WARN audit Updating webpack to 5.89.0, which is a SemVer major change.
npm WARN ERESOLVE overriding peer dependency
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: shaarli@undefined
npm WARN Found: [email protected]
npm WARN node_modules/webpack
npm WARN   peer webpack@"^5.0.0" from [email protected]
npm WARN   node_modules/css-loader
npm WARN     dev css-loader@"6.8.1" from the root project
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer webpack@"^2.0.0 || ^3.0.0 || ^4.0.0" from [email protected]
npm WARN node_modules/file-loader
npm WARN   dev file-loader@"^1.1.6" from the root project
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: shaarli@undefined
npm WARN Found: [email protected]
npm WARN node_modules/webpack
npm WARN   peer webpack@"^5.0.0" from [email protected]
npm WARN   node_modules/css-loader
npm WARN     dev css-loader@"6.8.1" from the root project
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer webpack@"4.x.x" from [email protected]
npm WARN node_modules/webpack-cli
npm WARN   dev webpack-cli@"^3.3.12" from the root project

added 37 packages, removed 244 packages, changed 35 packages, and audited 721 packages in 5s

89 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

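The two situations described in this thread (the issue body's "run npm audit fix, then check whether anything left over is really applicable", and the comment above where the remaining findings turn out to need a SemVer-major bump of webpack and stylelint via --force) come down to reading the npm audit report carefully. The script below is an added example, not Shaarli's or npm's own code: it triages an `npm audit --json` report (the npm 7+ shape, auditReportVersion 2) into advisories that plain `npm audit fix` resolves and advisories that only `--force` resolves through a breaking upgrade, prints the chain of dependents that causes the breaking upgrade, and, for root causes with a simple `<X` vulnerable range, emits a candidate package.json `overrides` block (npm >= 8.3) as a less invasive alternative to `--force`. The sample report is constructed to mirror the glob-parent and postcss findings quoted above; the ansi-regex GHSA id in it is a placeholder, and whether an override is compatible with its dependents is an assumption that still has to be checked by building and testing.

```javascript
// Added example (not Shaarli or npm code): triage an `npm audit --json` report
// (npm 7+ shape, auditReportVersion 2) into advisories that plain `npm audit fix`
// resolves versus those `npm audit fix --force` resolves only through a
// SemVer-major bump of a top-level package, and show the chain of dependents
// that forces that bump. The sample below is constructed, not real npm output.

// One vulnerability record in the npm audit JSON shape.
function rec(name, severity, range, via, effects, fixAvailable, isDirect = false) {
  return { name, severity, isDirect, via, effects, range, nodes: [`node_modules/${name}`], fixAvailable };
}
// One advisory object as found inside `via` for a root-cause package.
function adv(name, url, severity, range) {
  return { source: 0, name, dependency: name, title: `${name} advisory`, url, severity, range };
}
const FIX_VIA_WEBPACK = { name: 'webpack', version: '5.89.0', isSemVerMajor: true };
const FIX_VIA_STYLELINT = { name: 'stylelint', version: '16.0.2', isSemVerMajor: true };

const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'glob-parent': rec('glob-parent', 'high', '<5.1.2',
      [adv('glob-parent', 'https://github.com/advisories/GHSA-ww39-953v-wcq6', 'high', '<5.1.2')],
      ['chokidar'], FIX_VIA_WEBPACK),
    chokidar: rec('chokidar', 'high', '1.0.0-rc1 - 2.1.8', ['glob-parent'], ['watchpack-chokidar2'], FIX_VIA_WEBPACK),
    'watchpack-chokidar2': rec('watchpack-chokidar2', 'high', '*', ['chokidar'], ['watchpack'], FIX_VIA_WEBPACK),
    watchpack: rec('watchpack', 'high', '1.7.2 - 1.7.5', ['watchpack-chokidar2'], ['webpack'], FIX_VIA_WEBPACK),
    webpack: rec('webpack', 'high', '4.44.0 - 4.47.0', ['watchpack'], [], FIX_VIA_WEBPACK, true),
    postcss: rec('postcss', 'moderate', '<8.4.31',
      [adv('postcss', 'https://github.com/advisories/GHSA-7fh5-64p2-3v2j', 'moderate', '<8.4.31')],
      ['autoprefixer'], FIX_VIA_STYLELINT),
    autoprefixer: rec('autoprefixer', 'moderate', '1.0.20131222 - 9.8.8', ['postcss'], ['stylelint'], FIX_VIA_STYLELINT),
    stylelint: rec('stylelint', 'moderate', '0.1.0 - 13.13.1', ['autoprefixer'], [], FIX_VIA_STYLELINT, true),
    // Placeholder advisory id (constructed, not a real GHSA) for a package that
    // plain `npm audit fix` bumps in place; npm reports that as fixAvailable: true.
    'ansi-regex': rec('ansi-regex', 'high', '<5.0.1',
      [adv('ansi-regex', 'https://github.com/advisories/GHSA-xxxx-xxxx-xxxx', 'high', '<5.0.1')],
      [], true),
  },
};

// Follow `effects` (the packages that depend on this one) until a package with
// no further dependents: that is the top-level entry a forced fix would bump.
function chainsTo(vulns, name, trail = []) {
  const path = [...trail, name];
  const node = vulns[name];
  if (!node || node.effects.length === 0) return [path];
  // Dependents already on the path are skipped so a cyclic graph cannot recurse forever.
  return node.effects.flatMap(dep => (path.includes(dep) ? [path] : chainsTo(vulns, dep, path)));
}

function triageAudit(report) {
  const vulns = report.vulnerabilities;
  const out = { fixable: [], breaking: [], unfixable: [] };
  for (const v of Object.values(vulns)) {
    // Only records whose `via` holds advisory objects are root causes; records whose
    // `via` is just package names are vulnerable by depending on one, and show up
    // in the root cause's chain instead of as separate entries.
    const advisories = v.via.filter(x => typeof x === 'object');
    if (advisories.length === 0) continue;
    const entry = {
      package: v.name, severity: v.severity, vulnerableRange: v.range,
      advisories: advisories.map(a => a.url),
      chains: chainsTo(vulns, v.name).map(c => c.join(' -> ')),
    };
    const fix = v.fixAvailable;
    if (fix === true || (fix && !fix.isSemVerMajor)) out.fixable.push(entry);
    else if (fix && fix.isSemVerMajor) out.breaking.push({ ...entry, requires: `${fix.name}@${fix.version}` });
    else out.unfixable.push(entry);
  }
  return out;
}

// For breaking entries whose vulnerable range is a plain upper bound (`<X`), build a
// package.json `overrides` block (npm >= 8.3) that forces the transitive package past X
// without bumping the top-level package. Compatibility of the pinned version with its
// dependents is an assumption: build and test before committing the override.
function suggestOverrides(triage) {
  const overrides = {};
  for (const e of triage.breaking) {
    const m = /^<(\d+\.\d+\.\d+)$/.exec(e.vulnerableRange);
    if (m) overrides[e.package] = `>=${m[1]}`;
  }
  return overrides;
}

function formatReport(triage) {
  const buckets = [['fixable', 'fixed by `npm audit fix`'],
    ['breaking', 'needs `npm audit fix --force` (SemVer-major bump)'],
    ['unfixable', 'no fix available']];
  const lines = [];
  for (const [key, label] of buckets) {
    lines.push(`== ${label}: ${triage[key].length}`);
    for (const e of triage[key]) {
      lines.push(`${e.package} (${e.severity}, vulnerable ${e.vulnerableRange})${e.requires ? `, requires ${e.requires}` : ''}`);
      e.chains.forEach(c => lines.push(`    ${c}`));
    }
  }
  return lines.join('\n');
}

const triage = triageAudit(SAMPLE_AUDIT);
console.log(formatReport(triage));
console.log(JSON.stringify({ overrides: suggestOverrides(triage) }, null, 2));
```

On a real checkout, feed it `npm audit --json > audit.json` and replace SAMPLE_AUDIT with the parsed file. The `breaking` bucket is the list to review by hand: for each root cause decide whether the vulnerable code path is reachable (a ReDoS in a build-time file watcher is a different risk from one in request handling), and either accept the major bump, try the suggested override, or whitelist the finding with a written justification.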

nodiscc commented Oct 19, 2024

Mostly fixed in #2087, but a few vulnerable packages still remain: https://github.com/shaarli/Shaarli/actions/runs/11417985529/job/31770886462

yarn.lock (yarn)
================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ micromatch │ CVE-2024-4067  │ MEDIUM   │ fixed  │ 4.0.6             │ 4.0.8         │ micromatch: vulnerable to Regular Expression Denial of │
│            │                │          │        │                   │               │ Service                                                │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4067              │
├────────────┼────────────────┤          │        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ webpack    │ CVE-2024-43788 │          │        │ 5.91.0            │ 5.94.0        │ webpack: DOM Clobbering vulnerability in               │
│            │                │          │        │                   │               │ AutoPublicPathRuntimeModule                            │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-43788             │
└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

reopening

@nodiscc nodiscc reopened this Oct 19, 2024
@nodiscc nodiscc self-assigned this Oct 19, 2024
nodiscc added a commit to nodiscc/Shaarli that referenced this issue Oct 19, 2024