Browsersync has some vulnerabilities due to localtunnel and axios dependency

[classicmike]

Issue details

Just ran an npm audit and it's listing a couple of vulnerabilities related to Browsersync and its dependencies, namely localtunnel which depends on a version of axios which has apparently got some vulerabilities.

Here is the link the the vulnerability report: Axios Vulnerability Report

Axios had a fix which updated in the last few days.

Normally, this would be a straight forward task by upgrading localtunnel, which if it is still actively maintained would've got a version to fix. However it doesn't seem like it's being actively maintained.

A few questions:

• Is browsersync still being maintained?
• Are we able to get a version of browsersync which fixes this by either:
  1. Fixing localtunnel's vulnerabilities
  2. Removing localtunnel and installing something equivalent in behaviour?

Thanks.

Please specify which version of Browsersync, node and npm you're running

• Browsersync [2.29.3]
• Node [20.6.1] - performed the audit on this version of node but could affect others.
• Npm [9.8.1] - performed the audit on this version of npm but could affect others.

Affected platforms

• [x] other (please specify which) - surely this audit issue would affect all OS's
• [ ] linux
• [ ] windows
• [ ] OS X
• [ ] freebsd
• [ ] solaris

Browsersync use-case

• [x] CLI
• [ ] API
• [ ] Gulp
• [ ] Grunt

If CLI, please paste the entire command below

npm audit or npm audit --fix

[sawilde]

Would it be possible to make localtunnel an optionalDependancy, it appears to be abandoned and I don't believe that many users/developers require the capabilities it enables?

[G-Rath]

Note that you mean an optional peer dependency - optionalDependencies is for dependencies that are OS dependent, so they'll still be installed by default if possible.

[sawilde]

@G-Rath you are right, thanks for the clarification (to be honest I have only read about them and never used them in anger so...)

• I am going to re-tinker again with my attempt :)

[sawilde]

optional peer dependancies would work here - thanks to @G-Rath for correcting my understanding here

Note my fork of browsersync highlightsa lot of potential security issues (dependabot) but none that I haven't already addressed in my own repositories

https://github.com/sawilde/browser-sync/pull/1

[classicmike]

In related news: Somebody has created a PR to patch the Axios package which can be found here: https://github.com/localtunnel/localtunnel/pull/633. I have sort of tried the upgrade and browser-sync doesn't seem to break. The only thing is that this PR hasn't been merged or doesn't seem to have a bump up to new version yet.

[sawilde]

@classicmike I don't think localtunnel is actively being maintained :(

[Venkatuidevloper]

Hello there..

Browser-sync - package has AXIOS vulnerability; is that addressed in the upcoming release? Link - Axios Vulnerability Report

[shakyShane]

yeah it's time to drop localtunnel, I'll do a 3.0 with it moved

[shakyShane]

fixed in https://github.com/BrowserSync/browser-sync/pull/2059

npm i browser-sync@3

:)

[sawilde]

Thankyou - I was about to make my own patched version of localtunnel (just planning on how I'd deploy it to npm) and then use overrides to swap it out

[shakyShane]

Yeah I was considering other ways, but since I assume this has very low usage I'd rather just prune the dep altogether. 👍🏻

[classicmike]

Thanks @shakyShane for the bump! :)

[sawilde]

For anyone wanting to still use localtunnel I have created a patched version and pushed it to npmjs

If you want to use it as a direct replacement for localtunnel and still use the --tunnel switch with browser-sync then you can add the following to your devDependancies

  "devDependencies" : {
    ...,
    "localtunnel": "https://registry.npmjs.org/@security-patched/localtunnel/-/localtunnel-2.0.2-secpatched.3.tgz",
    ...,
  }