BrowserSync / browser-sync

Keep multiple browsers & devices in sync when building websites. https://browsersync.io
https://discord.gg/2d2xUThp
Apache License 2.0

Publish a new release with send >= 0.19.0; CVE-2024-43799 #2086

Closed sdavids closed 2 months ago

sdavids commented 2 months ago
```
$ mkdir /tmp/test && cd "$_"
$ npm i --save-dev browser-sync@3.0.2
$ npm audit
# npm audit report

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install browser-sync@2.26.2, which is a breaking change
node_modules/send
  browser-sync  >=2.12.1
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/browser-sync
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```

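As an added example (not code from this thread or from the browser-sync project), here is a small Python check that scans a `package-lock.json` for the two advisory ranges reported by the audit above (send < 0.19.0, serve-static <= 1.16.0), so a pinned lockfile can be checked before upgrading; the sample lockfile is constructed for the demo.

```python
import json
from typing import Iterator, List, Tuple

# Vulnerable ranges exactly as the npm audit report above states them
# (send < 0.19.0 per GHSA-m6fv-jmcg-4jfg; serve-static <= 1.16.0).
ADVISORIES = {
    "send": ("<", (0, 19, 0)),
    "serve-static": ("<=", (1, 16, 0)),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.18.0' into (0, 18, 0); pre-release/build tags are ignored."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))

def is_vulnerable(name: str, version: str) -> bool:
    """True if (name, version) falls inside one of the advisory ranges."""
    if name not in ADVISORIES or not version:
        return False
    op, bound = ADVISORIES[name]
    v = parse_version(version)
    return v < bound if op == "<" else v <= bound

def iter_packages(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) from a lockfileVersion 2/3 'packages' map,
    including nested copies such as node_modules/a/node_modules/send."""
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/pkg intact
        yield name, meta.get("version", "")

def find_vulnerable(lock: dict) -> List[Tuple[str, str]]:
    return sorted({(n, v) for n, v in iter_packages(lock) if is_vulnerable(n, v)})

# Constructed sample lockfile (hypothetical tree, not taken from the issue).
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "test", "devDependencies": {"browser-sync": "^3.0.2"}},
        "node_modules/browser-sync": {"version": "3.0.2"},
        "node_modules/send": {"version": "0.18.0"},
        "node_modules/serve-static": {"version": "1.15.0"},
        "node_modules/foo/node_modules/send": {"version": "0.19.0"},
    },
}

if __name__ == "__main__":
    # Real use: lock = json.load(open("package-lock.json"))
    for name, version in find_vulnerable(SAMPLE_LOCK):
        print(f"{name}@{version} matches a known advisory range")
```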
max-holland commented 2 months ago

+1

yokoishioka commented 2 months ago

I just submitted a PR for this and to resolve the one for serve-static as well: https://github.com/BrowserSync/browser-sync/pull/2087

rmch91 commented 2 months ago

+1

shakyShane commented 2 months ago

I'll sort this later today, thanks :)

rmch91 commented 2 months ago

Hello, any updates on this?

shakyShane commented 2 months ago

https://github.com/BrowserSync/browser-sync/pull/2088

shakyShane commented 2 months ago

browser-sync@3.0.3

sdavids commented 2 months ago

Not mentioned here:

https://github.com/BrowserSync/browser-sync/releases

nor here:

https://github.com/BrowserSync/browser-sync/blob/master/CHANGELOG.md

sdavids commented 2 months ago

If the CHANGELOG is obsolete then it should be mentioned in the file's header.

sdavids commented 2 months ago

On a side note:

Not publishing proper changes opens the door to supply-chain attacks, cf. xz fiasco.

shakyShane commented 2 months ago

https://github.com/BrowserSync/browser-sync/releases/tag/v3.0.3

> Not publishing proper changes opens the door to supply-chain attacks, cf. xz fiasco.

Can you explain your concern a little further? In terms of publishing this package to npm - I still do it manually to this day exactly so I can be sure what goes into each - but perhaps you're talking about some other angle?

sdavids commented 2 months ago

I guess

https://github.com/BrowserSync/browser-sync/blob/135982106b0df9e862f63d6a8e81424c495fffba/packages/browser-sync/package.json#L71

could be deleted as well then.

sdavids commented 2 months ago

What I mentioned was:

There is a new version published to NPM and one cannot find any release notes/change log.

Reading the release notes should be the minimum one does before upgrading.

But some people do not care or use non-pinned versions 🤷


Maybe you might want to use provenance in the future:

https://docs.npmjs.com/searching-for-and-choosing-packages-to-download#package-provenance

https://docs.npmjs.com/generating-provenance-statements

https://jsr.io/docs/trust

sdavids commented 2 months ago
```
$ npm audit signatures
```

is useless in a way though.

Unless you use ignore-scripts with npm i, ideally in your global .npmrc:

```
ignore-scripts=true
```