CumulusDS / dlq

CLI tool to manipulate AWS Dead Letter Queues
MIT License

resolve Prototype Pollution in yargs-parser (GHSA-p9pc-299p-vxgp) & regex DoS in glob-parent (GHSA-ww39-953v-wcq6) #40

Closed jeffsays closed 3 years ago

jeffsays commented 3 years ago

Summary

What does this PR do?

transitive dependencies blocking dependabot

```
flow-copy-source@2.0.9 requires yargs-parser@^16.1.0 via a transitive dependency on yargs@15.0.2
flow-coverage-report@0.8.0 requires yargs-parser@^20.2.2 via a transitive dependency on yargs@16.2.0
```

Fixing disappearing transitive dependencies

auditing caused some transitive dependencies to disappear, as their dependent packages no longer relied on them. this broke testing. re-added manually as devDependencies to fix testing:

full list:

- `jmespath`
- `xml2js`

security risks fixed

old

yargs-parser

```zsh
yarn why v1.22.5
[1/4] 🤔 Why do we have the module "yargs-parser"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
[4/4] 🚡 Calculating file sizes...
=> Found "yargs-parser@18.1.3"
info Reasons this module exists
   - "yargs" depends on it
   - Hoisted from "yargs#yargs-parser"
info Disk size without dependencies: "92KB"
info Disk size with unique dependencies: "128KB"
info Disk size with transitive dependencies: "128KB"
info Number of shared dependencies: 2
=> Found "flow-copy-source#yargs-parser@16.1.0"
info Reasons this module exists
   - "flow-copy-source#yargs" depends on it
   - Hoisted from "flow-copy-source#yargs#yargs-parser"
=> Found "flow-coverage-report#yargs-parser@20.2.7"
info Reasons this module exists
   - "flow-coverage-report#yargs" depends on it
   - Hoisted from "flow-coverage-report#yargs#yargs-parser"
info Disk size without dependencies: "156KB"
info Disk size with unique dependencies: "156KB"
info Disk size with transitive dependencies: "156KB"
info Number of shared dependencies: 0
✨ Done in 0.63s.
```

glob-parent

```zsh
yarn why v1.22.5
[1/4] 🤔 Why do we have the module "glob-parent"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
[4/4] 🚡 Calculating file sizes...
=> Found "glob-parent@5.1.1"
info Has been hoisted to "glob-parent"
info Reasons this module exists
   - Hoisted from "eslint#glob-parent"
   - Hoisted from "flow-coverage-report#flow-annotation-check#eslint#glob-parent"
info Disk size without dependencies: "28KB"
info Disk size with unique dependencies: "48KB"
info Disk size with transitive dependencies: "64KB"
info Number of shared dependencies: 2
=> Found "chokidar#glob-parent@3.1.0"
info This module exists because "@babel#cli#chokidar" depends on it.
=> Found "flow-copy-source#glob-parent@5.1.0"
info Reasons this module exists
   - "flow-copy-source#chokidar" depends on it
   - Hoisted from "flow-copy-source#chokidar#glob-parent"
✨ Done in 0.60s.
```

fixed

glob-parent

```zsh
yarn why v1.22.5
[1/4] 🤔 Why do we have the module "glob-parent"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
[4/4] 🚡 Calculating file sizes...
=> Found "glob-parent@5.1.2"
info Reasons this module exists
   - "eslint" depends on it
   - Hoisted from "eslint#glob-parent"
   - Hoisted from "flow-copy-source#chokidar#glob-parent"
   - Hoisted from "flow-coverage-report#flow-annotation-check#eslint#glob-parent"
info Disk size without dependencies: "28KB"
info Disk size with unique dependencies: "48KB"
info Disk size with transitive dependencies: "64KB"
info Number of shared dependencies: 1
✨ Done in 0.75s.
```

yargs-parser

```zsh
yarn why v1.22.5
[1/4] 🤔 Why do we have the module "yargs-parser"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
[4/4] 🚡 Calculating file sizes...
=> Found "yargs-parser@18.1.3"
info Reasons this module exists
   - "yargs" depends on it
   - Hoisted from "yargs#yargs-parser"
info Disk size without dependencies: "92KB"
info Disk size with unique dependencies: "128KB"
info Disk size with transitive dependencies: "128KB"
info Number of shared dependencies: 2
=> Found "flow-coverage-report#yargs-parser@20.2.7"
info Reasons this module exists
   - "flow-coverage-report#yargs" depends on it
   - Hoisted from "flow-coverage-report#yargs#yargs-parser"
info Disk size without dependencies: "156KB"
info Disk size with unique dependencies: "156KB"
info Disk size with transitive dependencies: "156KB"
info Number of shared dependencies: 0
✨ Done in 0.66s.
```
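As an added example (not the PR's or the CumulusDS/dlq project's own code): a small Node script that does mechanically what the `yarn why` output above does by hand, listing every copy of a package that a v1 `yarn.lock` resolves below a chosen minimum version, transitive pins included. The sample lockfile is constructed from the package names and versions in this PR; the minimum-version map is an assumption, not taken from the advisories.

```javascript
// Added example, not code from the CumulusDS/dlq project: list every copy of a
// package that a yarn.lock (v1) resolves below its patched release, transitive
// pins included. SAMPLE_LOCK is constructed; its versions echo `yarn why` above.
const SAMPLE_LOCK = `
"@babel/core@^7.7.4":
  version "7.10.5"
"glob-parent@^3.1.0":
  version "3.1.0"
glob-parent@^5.0.0, glob-parent@^5.1.0:
  version "5.1.1"
yargs-parser@^16.1.0:
  version "16.1.0"
yargs-parser@^18.1.2:
  version "18.1.3"
`;
// Minimum acceptable versions (illustrative; take each advisory's patched version in practice).
const MIN_SAFE = { "glob-parent": "5.1.2", "yargs-parser": "18.1.3" };

// Parse yarn.lock v1 into {name, range, version} entries, one per requested range.
function parseYarnLock(text) {
  const entries = [];
  let current = [];
  for (const line of text.split("\n")) {
    if (!line.trim() || line.startsWith("#")) continue; // blank lines and header comments
    const version = line.match(/^\s+version "([^"]+)"/);
    if (version) { current.forEach((e) => { e.version = version[1]; }); continue; }
    if (line.startsWith(" ")) continue; // other indented fields (resolved, integrity, ...)
    // Header: comma-separated "name@range" keys, possibly quoted, ending in ":".
    current = line.replace(/:\s*$/, "").split(",").map((key) => {
      const k = key.trim().replace(/^"|"$/g, "");
      const at = k.lastIndexOf("@"); // scoped names start with "@", so use the last one
      return { name: k.slice(0, at), range: k.slice(at + 1), version: null };
    });
    entries.push(...current);
  }
  return entries;
}

// Numeric compare of dotted versions; pre-release tags are ignored for brevity.
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
// Every lock entry resolved below the minimum safe version for its package.
function findOutdated(lockText, minSafe = MIN_SAFE) {
  return parseYarnLock(lockText)
    .filter((e) => minSafe[e.name] && e.version && cmpVersion(e.version, minSafe[e.name]) < 0)
    .map((e) => `${e.name}@${e.range} resolves to ${e.version} (< ${minSafe[e.name]})`);
}
```

Run `findOutdated(fs.readFileSync("yarn.lock", "utf8"))` against a real lockfile; each reported range tells you which dependent pins the old copy, which is the entry dependabot cannot bump by itself.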
github-actions[bot] commented 3 years ago

yarn.lock changes

Summary

| Status | Count |
| :- | :-: |
| UPDATED | 11 |
| DOWNGRADED | 13 |
| REMOVED | 19 |
| Name | Status | Previous | Current |
| :- | :-: | :-: | :-: |
| `@babel/core` | UPDATED | 7.7.4 | 7.10.5 |
| `@babel/generator` | UPDATED | 7.5.5 | 7.13.16 |
| `@babel/helper-function-name` | DOWNGRADED | 7.12.13 | 7.10.4 |
| `@babel/parser` | UPDATED | 7.5.5 | 7.12.7 |
| `@babel/traverse` | DOWNGRADED | 7.13.17 | 7.10.5 |
| `@babel/types` | UPDATED | 7.5.5 | 7.12.7 |
| `ajv` | UPDATED | 6.10.2 | 6.12.0 |
| `async-each` | REMOVED | 1.0.3 | - |
| `babel-eslint` | DOWNGRADED | 10.1.0 | 10.0.3 |
| `base64-js` | REMOVED | 1.3.1 | - |
| `bindings` | REMOVED | 1.5.0 | - |
| `buffer` | REMOVED | 4.9.2 | - |
| `color-name` | DOWNGRADED | 1.1.4 | 1.1.3 |
| `css-tree` | DOWNGRADED | 1.1.3 | 1.0.0-alpha.37 |
| `doctrine` | DOWNGRADED | 3.0.0 | 1.5.0 |
| `domelementtype` | DOWNGRADED | 2.2.0 | 1.3.1 |
| `es-abstract` | UPDATED | 1.11.0 | 1.18.0 |
| `eslint` | DOWNGRADED | 6.8.0 | 6.7.1 |
| `events` | REMOVED | 1.1.1 | - |
| `extsprintf` | DOWNGRADED | 1.4.0 | 1.3.0 |
| `file-uri-to-path` | REMOVED | 1.0.0 | - |
| `fsevents` | REMOVED | 2.1.2 | - |
| `glob-parent` | UPDATED | 5.1.0 | 5.1.2 |
| `glob` | UPDATED | 7.1.4 | 7.1.6 |
| `growly` | REMOVED | 1.3.0 | - |
| `ieee754` | REMOVED | 1.1.13 | - |
| `is-docker` | REMOVED | 2.0.0 | - |
| `is-wsl` | REMOVED | 2.2.0 | - |
| `ms` | DOWNGRADED | 2.1.2 | 2.0.0 |
| `nan` | REMOVED | 2.14.0 | - |
| `node-notifier` | REMOVED | 8.0.1 | - |
| `object-keys` | UPDATED | 1.1.0 | 1.1.1 |
| `path-dirname` | REMOVED | 1.0.2 | - |
| `querystring` | REMOVED | 0.2.0 | - |
| `resolve` | UPDATED | 1.7.1 | 1.17.0 |
| `rimraf` | DOWNGRADED | 3.0.2 | 2.7.1 |
| `sax` | DOWNGRADED | 1.2.4 | 1.2.1 |
| `shellwords` | REMOVED | 0.1.1 | - |
| `trim-right` | REMOVED | 1.0.1 | - |
| `upath` | REMOVED | 1.2.0 | - |
| `url` | REMOVED | 0.10.3 | - |
| `uuid` | DOWNGRADED | 8.3.2 | 3.3.3 |
| `xmlbuilder` | UPDATED | 9.0.7 | 11.0.1 |
github-actions[bot] commented 3 years ago

✅ dependabot config looks good 👍