389ds / 389-ds-base

The enterprise-class Open Source LDAP server for Linux
https://www.port389.org/

The tracking issue for npm audit fix commits #3555

Open 389-ds-bot opened 4 years ago

389-ds-bot commented 4 years ago

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/50499


Issue Description

New vulnerabilities can arise from time to time in `npm audit` reports, and they should be addressed by running `npm audit fix`. Sometimes it can require manual intervention.

The PRs can be linked to this issue.

389-ds-bot commented 4 years ago

Comment from spichugi (@droideck) at 2019-07-16 00:47:14

#3556

389-ds-bot commented 4 years ago

Comment from spichugi (@droideck) at 2019-07-16 00:47:15

Metadata Update from @droideck:

389-ds-bot commented 4 years ago

Comment from mreynolds (@mreynolds389) at 2019-08-08 17:26:06

Metadata Update from @mreynolds389:

389-ds-bot commented 4 years ago

Comment from vashirov (@vashirov) at 2019-08-23 09:53:49


NPM audit report JSON:
    {
      "actions": [
        {
          "action": "update",
          "resolves": [
            {
              "id": 1118,
              "path": "eslint>eslint-utils",
              "dev": true,
              "optional": false,
              "bundled": false
            },
            {
              "id": 1118,
              "path": "eslint-plugin-node>eslint-plugin-es>eslint-utils",
              "dev": true,
              "optional": false,
              "bundled": false
            },
            {
              "id": 1118,
              "path": "eslint-plugin-node>eslint-utils",
              "dev": true,
              "optional": false,
              "bundled": false
            }
          ],
          "module": "eslint-utils",
          "target": "1.4.2",
          "depth": 3
        }
      ],
      "advisories": {
        "1118": {
          "findings": [
            {
              "version": "1.3.1",
              "paths": [
                "eslint>eslint-utils",
                "eslint-plugin-node>eslint-plugin-es>eslint-utils",
                "eslint-plugin-node>eslint-utils"
              ]
            }
          ],
          "id": 1118,
          "created": "2019-08-20T15:17:53.538Z",
          "updated": "2019-08-22T18:54:18.136Z",
          "deleted": null,
          "title": "Arbitrary Code Execution",
          "found_by": {
            "link": "",
            "name": "Toru Nagashima"
          },
          "reported_by": {
            "link": "",
            "name": "Toru Nagashima"
          },
          "module_name": "eslint-utils",
          "cves": [],
          "vulnerable_versions": ">=1.2.0 <1.4.1",
          "patched_versions": ">=1.4.1",
          "overview": "Versions of `eslint-utils` >=1.2.0 or <1.4.1 are vulnerable to Arbitrary Code Execution. The `getStaticValue` does not properly sanitize user input allowing attackers to supply malicious input that executes arbitrary code during the linting process. The `getStringIfConstant` and `getPropertyName` functions are not affected.",
          "recommendation": "Upgrade to version 1.4.1 or later.",
          "references": "- [ESLint release](https://eslint.org/blog/2019/08/eslint-v6.2.1-released)\n- [eslint-utils advisory](https://github.com/mysticatea/eslint-utils/security/advisories/GHSA-3gx7-xhv7-5mx3)",
          "access": "public",
          "severity": "critical",
          "cwe": "CWE-94",
          "metadata": {
            "module_type": "",
            "exploitability": 3,
            "affected_components": ""
          },
          "url": "https://npmjs.com/advisories/1118"
        }
      },
      "muted": [],
      "metadata": {
        "vulnerabilities": {
          "info": 0,
          "low": 0,
          "moderate": 0,
          "high": 0,
          "critical": 3
        },
        "dependencies": 2883,
        "devDependencies": 7047,
        "optionalDependencies": 280,
        "totalDependencies": 10113
      },
      "runId": "1dbb03fb-3b04-452f-8254-4440e9691b7b"
    }
    Failed security audit due to critical vulnerabilities.
    Exiting...
    npm ERR! code ELIFECYCLE
    npm ERR! errno 1
    npm ERR! 389-console@1.0.0 audit-ci: `audit-ci --config audit-ci.json`
    npm ERR! Exit status 1
    npm ERR!
    npm ERR! Failed at the 389-console@1.0.0 audit-ci script.
    npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

    npm ERR! A complete log of this run can be found in:
    npm ERR!     /root/.npm/_logs/2019-08-23T07_50_04_578Z-debug.log

389-ds-bot commented 4 years ago

Comment from spichugi (@droideck) at 2019-08-23 10:17:33

#3616

389-ds-bot commented 4 years ago

Comment from mreynolds (@mreynolds389) at 2019-09-27 23:25:01

Commit 2e85b4a3 relates to this ticket

389-ds-bot commented 4 years ago

Comment from mreynolds (@mreynolds389) at 2019-09-27 23:26:45

Fixes npm "handlebar" audit alert

Commit 2e85b4a relates to this ticket

67d69bf61..4f84db6ed 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

389-ds-bot commented 4 years ago

Comment from spichugi (@droideck) at 2019-11-04 22:18:19

Commit 5202ad8b relates to this ticket

389-ds-bot commented 4 years ago

Comment from spichugi (@droideck) at 2019-11-04 22:24:02

Fixes npm "handlebar" audit alert - again

129914357..5202ad8b2 master -> master

9c210f7e1..49c704481 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

389-ds-bot commented 4 years ago

Comment from mreynolds (@mreynolds389) at 2019-11-15 17:04:44

Commit b1d67c11 relates to this ticket

389-ds-bot commented 4 years ago

Comment from spichugi (@droideck) at 2019-11-20 12:21:19

Commit 9f475988 relates to this ticket

389-ds-bot commented 4 years ago

Comment from vashirov (@vashirov) at 2019-12-11 16:02:58

Commit 80e0ce24 relates to this ticket

a9fa0add3..d61990570 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

389-ds-bot commented 4 years ago

Comment from spichugi (@droideck) at 2020-03-09 22:46:50

Commit a66fe152 relates to this ticket

389-ds-bot commented 4 years ago

Comment from spichugi (@droideck) at 2020-03-09 22:50:06

bf8b4af68..a66fe1526 master -> master

74046abb8..1cda41b8a 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

610d2f5c6..88b5cd3d0 389-ds-base-1.4.2 -> 389-ds-base-1.4.2

389-ds-bot commented 4 years ago

Comment from vashirov (@vashirov) at 2020-03-18 08:48:31

@droideck, nightly build failed due to https://www.npmjs.com/advisories/1179

    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 126,
      "high": 0,
      "critical": 0
    },

Could you please take a look?

389-ds-bot commented 4 years ago

Comment from vashirov (@vashirov) at 2020-03-19 11:19:03

The build now works, since the vulnerability got lower severity, but it still needs to be fixed.

    "vulnerabilities": {
      "info": 0,
      "low": 126,
      "moderate": 0,
      "high": 0,
      "critical": 0
    },
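
The audit-ci failure on the eslint-utils report quoted earlier in this thread (2019-08-23) and the moderate-versus-low outcome just above both reduce to one rule: parse `npm audit --json`, count each (advisory, dependency path) finding, and fail when anything is at or above the configured level. The following Python is an added example, not code from this issue or from the 389-console build; it assumes audit-ci-style threshold semantics (fail at or above a named severity, with an optional dev-only exclusion), and the embedded report is a constructed trim of the one quoted in the thread.

```python
import json

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample: advisory 1118 from the report quoted in the thread, trimmed to the fields used here.
PATHS = ["eslint>eslint-utils", "eslint-plugin-node>eslint-plugin-es>eslint-utils",
         "eslint-plugin-node>eslint-utils"]
SAMPLE_REPORT = json.dumps({
    "actions": [{"action": "update", "module": "eslint-utils", "target": "1.4.2",
                 "resolves": [{"id": 1118, "path": p, "dev": True} for p in PATHS]}],
    "advisories": {"1118": {"id": 1118, "module_name": "eslint-utils", "severity": "critical",
                            "patched_versions": ">=1.4.1",
                            "findings": [{"version": "1.3.1", "paths": PATHS}]}},
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 0, "critical": 3}},
})

def parse_findings(report_json):
    """One row per (advisory, dependency path): the unit npm counts in metadata.vulnerabilities."""
    report = json.loads(report_json)
    # npm flags dev-only paths in actions[].resolves[]; a path with no action is treated as runtime.
    dev_paths = {r["path"] for a in report.get("actions", [])
                 for r in a.get("resolves", []) if r.get("dev")}
    rows = []
    for adv in report.get("advisories", {}).values():
        for finding in adv["findings"]:
            for path in finding["paths"]:
                rows.append({"id": adv["id"], "module": adv["module_name"], "severity": adv["severity"],
                             "installed": finding["version"], "patched": adv["patched_versions"],
                             "path": path, "dev_only": path in dev_paths})
    return rows

def count_by_severity(rows):
    """Recompute the metadata.vulnerabilities summary so it can be checked against npm's own figures."""
    counts = dict.fromkeys(SEVERITY_ORDER, 0)
    for r in rows:
        counts[r["severity"]] += 1
    return counts

def gate(rows, fail_on="moderate", include_dev=True):
    """Return (passed, offending rows): fail when any counted finding is at or above fail_on."""
    threshold = SEVERITY_ORDER.index(fail_on)
    offending = [r for r in rows if (include_dev or not r["dev_only"])
                 and SEVERITY_ORDER.index(r["severity"]) >= threshold]
    return not offending, offending

def summary_gate(vulns, fail_on="moderate"):
    """Same decision from metadata.vulnerabilities alone (the 126 moderate vs 126 low case above)."""
    return all(vulns.get(sev, 0) == 0 for sev in SEVERITY_ORDER[SEVERITY_ORDER.index(fail_on):])
```

Running `gate(parse_findings(SAMPLE_REPORT), fail_on="critical")` reproduces the earlier failure: three critical rows, all dev-only, each pointing at the `>=1.4.1` fix.
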
389-ds-bot commented 4 years ago

Comment from mreynolds (@mreynolds389) at 2020-04-24 17:02:07

Fixed latest audit issues, updated existing npm packages, and removed unused packages...

#4102

389-ds-bot commented 4 years ago

Comment from mreynolds (@mreynolds389) at 2020-04-24 18:38:14

Commit 53e9d9f9 relates to this ticket

389-ds-bot commented 4 years ago

Comment from vashirov (@vashirov) at 2020-05-14 08:58:13

Nightly build failed due to npm audit ci:

    "vulnerabilities": {
      "info": 0,
      "low": 8,
      "moderate": 17,
      "high": 0,
      "critical": 0
    },

https://npmjs.com/advisories/1500

https://npmjs.com/advisories/1518

389-ds-bot commented 4 years ago

Comment from mreynolds (@mreynolds389) at 2020-05-15 16:06:39

Commit 9afa6694 relates to this ticket

389-ds-bot commented 4 years ago

Comment from mreynolds (@mreynolds389) at 2020-05-15 16:08:41

Commit 9afa669 relates to this ticket

d3ae07a8d..d4118370a 389-ds-base-1.4.3 -> 389-ds-base-1.4.3

703d85749..14c7a3c89 389-ds-base-1.4.2 -> 389-ds-base-1.4.2

41e0f4bc2..62cc505f2 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

389-ds-bot commented 4 years ago

Comment from vashirov (@vashirov) at 2020-05-27 12:27:16

Another one https://www.npmjs.com/advisories/1522 (high)

mreynolds389 commented 3 years ago

b6d8de51f..f5b2cfb35 master -> master

66bbfee82..e3104967d 389-ds-base-1.4.4 -> 389-ds-base-1.4.4

45b370d5c..e83500b13 389-ds-base-1.4.3 -> 389-ds-base-1.4.3

droideck commented 1 year ago

dc565fdac..c18a14d96 main -> origin/main

949a8fb14..4a78dfdd0 389-ds-base-2.2 -> 389-ds-base-2.2

510274c32..fe028fd58 389-ds-base-2.1 -> 389-ds-base-2.1

52c88fa9c..4dee31f87 389-ds-base-2.0 -> 389-ds-base-2.0

fcfa9a402..e882746f2 389-ds-base-1.4.4 -> 389-ds-base-1.4.4

3114f52f7..b9226a28b 389-ds-base-1.4.3 -> 389-ds-base-1.4.3

droideck commented 1 year ago

a4561f4c1..e568180d1 389-ds-base-1.4.3 -> 389-ds-base-1.4.3

e07780678..65bcca75a 389-ds-base-2.0 -> 389-ds-base-2.0

cccc9ef4a..1cdd011eb 389-ds-base-2.1 -> 389-ds-base-2.1

48834f141..7fbf7bbbd 389-ds-base-2.2 -> 389-ds-base-2.2

a8f062ef9..9e6979e31 389-ds-base-2.3 -> 389-ds-base-2.3

droideck commented 1 year ago

9a782144d..176b5b559 389-ds-base-2.3 -> 389-ds-base-2.3

4285cee19..f62be2526 389-ds-base-2.2 -> 389-ds-base-2.2

64bdd6d1f..68334000d 389-ds-base-2.1 -> 389-ds-base-2.1

fe7d7dfa8..2aac04b86 389-ds-base-2.0 -> 389-ds-base-2.0

dc743d0b0..2ded1971d 389-ds-base-1.4.3 -> 389-ds-base-1.4.3

droideck commented 9 months ago

651d44ff1..2bd4534d1 389-ds-base-2.5 -> 389-ds-base-2.5

a7dda32f7..ca252e8ee 389-ds-base-2.4 -> 389-ds-base-2.4

5016907af..b6c65f857 389-ds-base-2.3 -> 389-ds-base-2.3

9c61eab66..d1a24ff71 389-ds-base-2.2 -> 389-ds-base-2.2

7103aea66..c8810ccd2 389-ds-base-2.1 -> 389-ds-base-2.1

89d592856..2dc008ed6 389-ds-base-2.0 -> 389-ds-base-2.0

be7c2b829..0577a1195 389-ds-base-1.4.3 -> 389-ds-base-1.4.3

droideck commented 1 month ago

b3b72a333..812d058e5 389-ds-base-3.0 -> 389-ds-base-3.0

776f0e253..4de8658f0 389-ds-base-2.5 -> 389-ds-base-2.5

7bdd19c38..593fabaa9 389-ds-base-2.4 -> 389-ds-base-2.4

ebdbf2e3d..2b06fd210 389-ds-base-2.3 -> 389-ds-base-2.3

e11fb32a8..0a3eeac6e 389-ds-base-2.2 -> 389-ds-base-2.2

66550f03d..b6523e37e 389-ds-base-2.1 -> 389-ds-base-2.1

27daab136..4a13e4d7b 389-ds-base-2.0 -> 389-ds-base-2.0

0c184e168..09fb5006c 389-ds-base-1.4.3 -> 389-ds-base-1.4.3