MobilityData / gbfs-validator

The canonical GBFS validator. Maintained by the GBFS community, facilitated by MobilityData.
https://gbfs-validator.mobilitydata.org/
Apache License 2.0

Major issue with static-server #134

Closed fredericsimard closed 12 months ago

fredericsimard commented 1 year ago

@davidgamez @josee-sabourin

A dependabot alert was issued for all versions 2.2.1 and below of the static-server:

https://github.com/advisories/GHSA-v834-rhv4-65m3/dependabot?query=user%3AMobilityData

Used here:

  1. https://github.com/MobilityData/gbfs-validator/blob/58b85a8f0420d33d67db8652220c7267ffcbe29a/yarn.lock#L8475
  2. https://github.com/MobilityData/gbfs-validator/blob/58b85a8f0420d33d67db8652220c7267ffcbe29a/yarn.lock#L10412
  3. https://github.com/MobilityData/gbfs-validator/blob/58b85a8f0420d33d67db8652220c7267ffcbe29a/yarn.lock#L10414

The issue is that 2.2.1 is the latest version and it has not been updated in 6 years: https://www.npmjs.com/package/static-server

richfab commented 1 year ago

Thank you Fred. I don't see static-server being imported by any of the files in this repo. Does anyone know if static-server is being used?

davidgamez commented 1 year ago

It looks like the netlify-cli uses it; it's probably to run the server locally.

yarn why v1.22.19
[1/4] 🤔  Why do we have the module "static-server"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "static-server@2.2.1"
info Reasons this module exists
   - "_project_#netlify-cli" depends on it
   - "Hoisted from "_project_#netlify-cli#static-server"

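
The `yarn why` output above answers the question by walking the installed dependency graph. As an added example (not code from the gbfs-validator project or from netlify-cli), the Python below does the same triage directly on a `yarn.lock` v1 file: it parses the lockfile, lists every package whose `dependencies:` block references the flagged package, reconstructs the path from the project root to it, and flags resolved versions that fall under an advisory phrased as "all versions X and below" (here the 2.2.1 ceiling from the static-server advisory). The lockfile text, the `netlify-cli` version (`0.0.0-constructed`), the `chalk` entry and the registry URLs are constructed sample data; `_project_` mirrors the root label that `yarn why` prints.

```python
import re

# Constructed sample in yarn.lock v1 layout; NOT the repo's real lockfile.
# The netlify-cli version is a placeholder; the page does not state it.
SAMPLE_LOCK = '''\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"netlify-cli@^0.0.0-constructed":
  version "0.0.0-constructed"
  resolved "https://registry.example.invalid/netlify-cli.tgz"
  dependencies:
    static-server "^2.2.1"
    chalk "^4.0.0"

chalk@^4.0.0:
  version "4.1.2"
  resolved "https://registry.example.invalid/chalk.tgz"

static-server@^2.2.1:
  version "2.2.1"
  resolved "https://registry.example.invalid/static-server.tgz"
  dependencies:
    chalk "^4.0.0"
'''


def spec_name(spec):
    # "@scope/pkg@^1.0.0" -> "@scope/pkg"; "pkg@^1.0.0" -> "pkg"
    return spec.rsplit("@", 1)[0]


def parse_yarn_lock(text):
    """Map every specifier key (e.g. 'static-server@^2.2.1') to its entry:
    {"name", "version", "dependencies": {dep_name: range}}. Several keys may
    share one entry object when a header lists several specifiers."""
    entries, current, in_deps = {}, None, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0 and line.endswith(":"):
            specs = [s.strip().strip('"') for s in line[:-1].split(",")]
            current = {"name": spec_name(specs[0]), "version": None, "dependencies": {}}
            for s in specs:
                entries[s] = current
            in_deps = False
        elif indent == 2 and current is not None:
            in_deps = line in ("dependencies:", "optionalDependencies:")
            if line.startswith("version "):
                current["version"] = line.split(" ", 1)[1].strip('"')
        elif indent == 4 and in_deps and current is not None:
            name, rng = line.split(" ", 1)
            current["dependencies"][name.strip('"')] = rng.strip('"')
    return entries


def dependents_of(entries, package):
    """Sorted names of packages that list `package` in their dependencies."""
    seen, result = set(), set()
    for entry in entries.values():
        if id(entry) in seen:
            continue
        seen.add(id(entry))
        if package in entry["dependencies"]:
            result.add(entry["name"])
    return sorted(result)


def paths_to(entries, root_specs, target):
    """Every path from the project root (its package.json specifiers) to
    `target`, following lockfile ranges; a name already on the trail stops
    recursion so cyclic graphs terminate."""
    paths = []

    def walk(spec, trail):
        entry = entries.get(spec)
        if entry is None or entry["name"] in trail:
            return
        trail = trail + [entry["name"]]
        if entry["name"] == target:
            paths.append(trail)
            return
        for dep_name, rng in entry["dependencies"].items():
            walk(f"{dep_name}@{rng}", trail)

    for spec in root_specs:
        walk(spec, ["_project_"])
    return paths


def version_tuple(v):
    # Numeric dotted core only; pre-release/build suffixes are dropped.
    core = re.split(r"[-+]", v, 1)[0]
    return tuple(int(p) for p in core.split("."))


def version_at_most(version, ceiling):
    return version_tuple(version) <= version_tuple(ceiling)


def flag_affected(entries, package, ceiling):
    """Resolved (name, version) pairs of `package` at or below `ceiling`."""
    hits = set()
    for e in entries.values():
        if e["name"] == package and e["version"] and version_at_most(e["version"], ceiling):
            hits.add((e["name"], e["version"]))
    return sorted(hits)


if __name__ == "__main__":
    lock = parse_yarn_lock(SAMPLE_LOCK)
    print("dependents:", dependents_of(lock, "static-server"))
    for p in paths_to(lock, ["netlify-cli@^0.0.0-constructed"], "static-server"):
        print("path:", " -> ".join(p))
    print("affected:", flag_affected(lock, "static-server", "2.2.1"))
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with the file contents and `root_specs` with the `name@range` pairs from the project's `package.json`. Because the search goes through lockfile ranges rather than hoisted `node_modules` layout, it reports the same reason chain as `yarn why` even when a package has been hoisted to the top level.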
fredericsimard commented 1 year ago

The severity is reasonably high (7.5/10 I believe), and there are presumably no updates coming... so either fixing the possible future breaches is attempted or the app needs to be rewritten without the offending code... unless I'm missing something?

richfab commented 1 year ago

This is beyond my knowledge. I'd appreciate it if someone can help. Thank you!

testower commented 1 year ago

The version of netlify-cli used by gbfs-validator uses static-server in development mode probably to run the server locally as pointed out by @davidgamez https://github.com/netlify/cli/blob/ca1c17fea2e8c98e4fe1fda5c6c2fb663fe46ed7/src/commands/dev/dev.js#L10

This should in and of itself be completely safe and nobody needs to worry about it.

That said, netlify-cli has gotten rid of it in later versions - and the latest version is 5 major version upgrades from the one currently used by gbfs-validator. So it's probably not a bad idea to upgrade it.

fredericsimard commented 1 year ago

@testower Alright, thanks for your informed input. I'm satisfied. @davidgamez should we close this issue?

davidgamez commented 1 year ago

@fredericsimard, I see no harm in updating the package, as mentioned by @testower. I think we should keep it open and address it with lower priority.