FriendsOfSymfony / FOSJsRoutingBundle

A pretty nice way to expose your Symfony routing to client applications.

High Vulnerability found after install FOSJsRoutingBundle #485

Open M-Arthur opened 4 months ago

M-Arthur commented 4 months ago

Description

I followed the official docs below to install the FOSJsRoutingBundle with Symfony Webpack Encore. https://github.com/FriendsOfSymfony/FOSJsRoutingBundle/blob/master/Resources/doc/installation.rst#step-5-if-you-are-using-webpack-install-the-npm-package-locally

However, I received the following vulnerability warning in npm audit and docker scanning.

Could you please help me have a look and let me know how to resolve the issue? Thanks

NPM Audit Report

# npm audit report
braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install gulp@5.0.0, which is a breaking change
node_modules/braces
  chokidar  1.3.0 - 2.1.8
  Depends on vulnerable versions of anymatch
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of readdirp
  node_modules/chokidar
    glob-watcher  5.0.0 - 5.0.5
    Depends on vulnerable versions of anymatch
    Depends on vulnerable versions of chokidar
    node_modules/glob-watcher
      gulp  4.0.0 - 4.0.2
      Depends on vulnerable versions of glob-watcher
      Depends on vulnerable versions of gulp-cli
      node_modules/gulp
  micromatch  0.2.0 - 3.1.10
  Depends on vulnerable versions of braces
  node_modules/micromatch
    anymatch  1.2.0 - 2.0.0
    Depends on vulnerable versions of micromatch
    node_modules/anymatch
    findup-sync  0.4.0 - 3.0.0
    Depends on vulnerable versions of micromatch
    node_modules/findup-sync
    node_modules/matchdep/node_modules/findup-sync
      liftoff  2.2.3 - 3.1.0
      Depends on vulnerable versions of findup-sync
      node_modules/liftoff
        gulp-cli  1.3.0 - 2.3.0
        Depends on vulnerable versions of liftoff
        Depends on vulnerable versions of matchdep
        node_modules/gulp-cli
      matchdep  >=1.0.1
      Depends on vulnerable versions of findup-sync
      Depends on vulnerable versions of micromatch
      node_modules/matchdep
    readdirp  2.2.0 - 2.2.1
    Depends on vulnerable versions of micromatch
    node_modules/readdirp

11 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

NPM Why

braces@2.3.2 dev
node_modules/braces
  braces@"^2.3.2" from chokidar@2.1.8
  node_modules/chokidar
    chokidar@"^2.0.0" from glob-watcher@5.0.5
    node_modules/glob-watcher
      glob-watcher@"^5.0.3" from gulp@4.0.2
      node_modules/gulp
        dev gulp@"^4.0.2" from fos-router@2.5.0
        vendor/friendsofsymfony/jsrouting-bundle/Resources
          fos-router@2.5.0
          node_modules/fos-router
            dev fos-router@"file:vendor/friendsofsymfony/jsrouting-bundle/Resources" from the root project
  braces@"^2.3.1" from micromatch@3.1.10
  node_modules/micromatch
    micromatch@"^3.1.4" from anymatch@2.0.0
    node_modules/anymatch
      anymatch@"^2.0.0" from chokidar@2.1.8
      node_modules/chokidar
        chokidar@"^2.0.0" from glob-watcher@5.0.5
        node_modules/glob-watcher
          glob-watcher@"^5.0.3" from gulp@4.0.2
          node_modules/gulp
            dev gulp@"^4.0.2" from fos-router@2.5.0
            vendor/friendsofsymfony/jsrouting-bundle/Resources
              fos-router@2.5.0
              node_modules/fos-router
                dev fos-router@"file:vendor/friendsofsymfony/jsrouting-bundle/Resources" from the root project
      anymatch@"^2.0.0" from glob-watcher@5.0.5
      node_modules/glob-watcher
        glob-watcher@"^5.0.3" from gulp@4.0.2
        node_modules/gulp
          dev gulp@"^4.0.2" from fos-router@2.5.0
          vendor/friendsofsymfony/jsrouting-bundle/Resources
            fos-router@2.5.0
            node_modules/fos-router
              dev fos-router@"file:vendor/friendsofsymfony/jsrouting-bundle/Resources" from the root project
    micromatch@"^3.0.4" from findup-sync@3.0.0
    node_modules/findup-sync
      findup-sync@"^3.0.0" from liftoff@3.1.0
      node_modules/liftoff
        liftoff@"^3.1.0" from gulp-cli@2.3.0
        node_modules/gulp-cli
          gulp-cli@"^2.2.0" from gulp@4.0.2
          node_modules/gulp
            dev gulp@"^4.0.2" from fos-router@2.5.0
            vendor/friendsofsymfony/jsrouting-bundle/Resources
              fos-router@2.5.0
              node_modules/fos-router
                dev fos-router@"file:vendor/friendsofsymfony/jsrouting-bundle/Resources" from the root project
    micromatch@"^3.0.4" from matchdep@2.0.0
    node_modules/matchdep
      matchdep@"^2.0.0" from gulp-cli@2.3.0
      node_modules/gulp-cli
        gulp-cli@"^2.2.0" from gulp@4.0.2
        node_modules/gulp
          dev gulp@"^4.0.2" from fos-router@2.5.0
          vendor/friendsofsymfony/jsrouting-bundle/Resources
            fos-router@2.5.0
            node_modules/fos-router
              dev fos-router@"file:vendor/friendsofsymfony/jsrouting-bundle/Resources" from the root project
    micromatch@"^3.0.4" from findup-sync@2.0.0
    node_modules/matchdep/node_modules/findup-sync
      findup-sync@"^2.0.0" from matchdep@2.0.0
      node_modules/matchdep
        matchdep@"^2.0.0" from gulp-cli@2.3.0
        node_modules/gulp-cli
          gulp-cli@"^2.2.0" from gulp@4.0.2
          node_modules/gulp
            dev gulp@"^4.0.2" from fos-router@2.5.0
            vendor/friendsofsymfony/jsrouting-bundle/Resources
              fos-router@2.5.0
              node_modules/fos-router
                dev fos-router@"file:vendor/friendsofsymfony/jsrouting-bundle/Resources" from the root project
    micromatch@"^3.1.10" from readdirp@2.2.1
    node_modules/readdirp
      readdirp@"^2.2.1" from chokidar@2.1.8
      node_modules/chokidar
        chokidar@"^2.0.0" from glob-watcher@5.0.5
        node_modules/glob-watcher
          glob-watcher@"^5.0.3" from gulp@4.0.2
          node_modules/gulp
            dev gulp@"^4.0.2" from fos-router@2.5.0
            vendor/friendsofsymfony/jsrouting-bundle/Resources
              fos-router@2.5.0
              node_modules/fos-router
                dev fos-router@"file:vendor/friendsofsymfony/jsrouting-bundle/Resources" from the root project

RobertWesner commented 3 weeks ago

I was able to fix this by adding the following overrides:

{
    "dependencies": {
        ...
    },
    "overrides": {
        "gulp": "5.0.1",
        "braces": "latest",
        "micromatch": "latest"
    }
}

You may want to add specific versions rather than "latest". This addresses the fixed dependencies that cause these vulnerabilities until they are updated.
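The two things a practitioner wants here are a way to confirm which installed copy of braces is actually reachable and through which chain (what the `npm why` output above shows), and a way to verify that the overrides really pin the package above the advisory range instead of floating on "latest". The following Node script is an added example written for this page; it is not code from the issue, from FOSJsRoutingBundle, or from npm. It walks a package-lock.json (lockfileVersion 2 or 3) with Node-style resolution, follows the `"link": true` entry that the `file:` install of fos-router creates, and rebuilds the chain from the root to the vulnerable install. The lockfile fragment is constructed from the chain in the report above and trimmed to the braces path; the pinned override versions in `OVERRIDES_PINNED` are assumptions chosen for the example, not versions the page recommends.

```javascript
// Added example (not from the issue, FOSJsRoutingBundle or npm): audit a lockfile
// for installs inside an advisory range, rebuild the chain that pulls each one in,
// and sanity-check the package.json "overrides" meant to fix it.

// Advisory range from the npm audit report: braces < 3.0.3 (GHSA-grv7-fg5c-xmjg).
const ADVISORIES = [{ name: 'braces', fixedIn: '3.0.3' }];

// Parse an exact "x.y.z" version (prerelease/build suffix ignored); null for
// ranges such as "^2.3.2" or tags such as "latest".
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Compare two exact versions: -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`not an exact version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// "node_modules/matchdep/node_modules/findup-sync" -> "findup-sync".
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? p : p.slice(i + 'node_modules/'.length);
}

// Node-style resolution inside the lockfile: the requester's own node_modules
// first, then each parent node_modules up to the root. A "link": true entry
// (the file: install of fos-router) is followed to its real package entry.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const key = (base ? base + '/' : '') + 'node_modules/' + depName;
    const entry = packages[key];
    if (entry) return entry.link ? entry.resolved : key;
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Breadth-first walk from the root project, recording how each install was
// first reached, then report every install inside an advisory range with its
// chain back to the root (the reverse of `npm why`).
function findVulnerable(lock, advisories = ADVISORIES) {
  const packages = lock.packages || {};
  const parent = new Map([['', null]]);
  const queue = [''];
  while (queue.length) {
    const from = queue.shift();
    const e = packages[from] || {};
    const deps = { ...(e.dependencies || {}), ...(e.devDependencies || {}), ...(e.optionalDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      const key = resolveDep(packages, from, dep);
      if (key !== null && !parent.has(key)) { parent.set(key, from); queue.push(key); }
    }
  }
  const findings = [];
  for (const [key, e] of Object.entries(packages)) {
    if (key === '' || e.link || !e.version) continue;
    const name = e.name || nameFromPath(key);
    for (const adv of advisories) {
      if (name !== adv.name || compareSemver(e.version, adv.fixedIn) >= 0) continue;
      const chain = [];
      for (let k = key; k !== null && k !== undefined; k = parent.get(k)) {
        chain.push(k === '' ? 'root' : `${packages[k].name || nameFromPath(k)}@${packages[k].version}`);
      }
      findings.push({ path: key, version: e.version, fixedIn: adv.fixedIn, reachable: parent.has(key), chain: chain.reverse() });
    }
  }
  return findings;
}

// Check that "overrides" pins each advisory package to an exact version at or
// above the fixed release. "latest" or a range is flagged: it resolves to
// whatever the registry serves at install time, so a developer machine and the
// Docker build can end up with different trees.
function checkOverrides(pkgJson, advisories = ADVISORIES) {
  const overrides = pkgJson.overrides || {};
  const problems = [];
  for (const adv of advisories) {
    const spec = overrides[adv.name];
    if (spec === undefined) { problems.push(`${adv.name}: no override`); continue; }
    if (!parseSemver(spec)) { problems.push(`${adv.name}: "${spec}" is not an exact version`); continue; }
    if (compareSemver(spec, adv.fixedIn) < 0) problems.push(`${adv.name}: ${spec} is still below ${adv.fixedIn}`);
  }
  return problems;
}

// Constructed lockfile fragment: the braces chain from the issue's `npm why`.
// In practice: JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  '': { name: 'app', devDependencies: { 'fos-router': 'file:vendor/friendsofsymfony/jsrouting-bundle/Resources' } },
  'node_modules/fos-router': { resolved: 'vendor/friendsofsymfony/jsrouting-bundle/Resources', link: true },
  'vendor/friendsofsymfony/jsrouting-bundle/Resources': { name: 'fos-router', version: '2.5.0', devDependencies: { gulp: '^4.0.2' } },
  'node_modules/gulp': { version: '4.0.2', dependencies: { 'glob-watcher': '^5.0.3', 'gulp-cli': '^2.2.0' } },
  'node_modules/glob-watcher': { version: '5.0.5', dependencies: { chokidar: '^2.0.0' } },
  'node_modules/chokidar': { version: '2.1.8', dependencies: { braces: '^2.3.2' } },
  'node_modules/braces': { version: '2.3.2', dev: true },
  'node_modules/gulp-cli': { version: '2.3.0', dependencies: { matchdep: '^2.0.0' } },
  'node_modules/matchdep': { version: '2.0.0', dependencies: { 'findup-sync': '^2.0.0', micromatch: '^3.0.4' } },
  'node_modules/matchdep/node_modules/findup-sync': { version: '2.0.0', dependencies: { micromatch: '^3.0.4' } },
  'node_modules/micromatch': { version: '3.1.10', dependencies: { braces: '^2.3.1' } },
} };
// Constructed "after" state: the same tree once an override has moved braces to 3.0.3.
const LOCK_AFTER = JSON.parse(JSON.stringify(LOCK_BEFORE));
LOCK_AFTER.packages['node_modules/braces'].version = '3.0.3';
// The override block from the comment above, and a pinned variant (pins are assumptions).
const OVERRIDES_LOOSE = { overrides: { gulp: '5.0.1', braces: 'latest', micromatch: 'latest' } };
const OVERRIDES_PINNED = { overrides: { gulp: '5.0.1', braces: '3.0.3', micromatch: '4.0.8' } };

function main() {
  for (const f of findVulnerable(LOCK_BEFORE)) {
    console.log(`${f.path} ${f.version} (< ${f.fixedIn}): ${f.chain.join(' > ')}`);
  }
  console.log('after override:', findVulnerable(LOCK_AFTER).length, 'vulnerable install(s)');
  console.log('override problems:', checkOverrides(OVERRIDES_LOOSE));
}
main();
```

Two points the output makes visible. First, every hop in the chain to braces is marked `dev` in the `npm why` output above, so the vulnerable copy is only reachable through gulp, a build-time tool of the linked fos-router package; a container scanner still flags it whenever that `node_modules` tree is copied into the image. Second, an override of `"latest"` makes `checkOverrides` complain because it is not an exact version: it closes the finding today but does not give the same tree on the next install, which is why the comment's advice to use specific versions is the better default.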