Closed fredericsimard closed 12 months ago
Thank you Fred.
I don't see static-server being imported by any of the files in this repo.
Does anyone know if static-server is being used?
It looks like the netlify-cli uses it; it's probably to run the server locally.
yarn why v1.22.19
[1/4] 🤔 Why do we have the module "static-server"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
[4/4] 🚡 Calculating file sizes...
=> Found "static-server@2.2.1"
info Reasons this module exists
- "_project_#netlify-cli" depends on it
- Hoisted from "_project_#netlify-cli#static-server"
The severity is reasonably high (7.5/10 I believe), and there are presumably no updates coming... so either fixing the possible future breaches is attempted or the app needs to be rewritten without the offending code... unless I'm missing something?
This is beyond my knowledge. I'd appreciate it if someone can help. Thank you!
The version of netlify-cli used by gbfs-validator uses static-server in development mode probably to run the server locally as pointed out by @davidgamez https://github.com/netlify/cli/blob/ca1c17fea2e8c98e4fe1fda5c6c2fb663fe46ed7/src/commands/dev/dev.js#L10
This should in and of itself be completely safe and nobody needs to worry about it.
That said, netlify-cli has gotten rid of it in later versions - and the latest version is 5 major version upgrades from the one currently used by gbfs-validator. So it's probably not a bad idea to upgrade it.
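The two questions raised above (is the flagged package actually used, and is it reachable only through a development dependency such as netlify-cli's dev server) can be answered from package.json and the yarn v1 lockfile rather than by grepping for imports. The script below is an added example, not code from gbfs-validator, netlify-cli, or the advisory; it parses a small constructed lockfile in yarn v1 syntax, walks the dependency graph from each top-level dependency, and reports every path to the target package together with whether all of those paths start at a devDependency. The `example-runtime-lib` package, the registry URLs, and the `1.0.0` version of netlify-cli are placeholders; only `static-server@2.2.1` comes from the thread.

```javascript
// Added example (not the project's own code): trace how a flagged package is
// reached from package.json through a yarn v1 lockfile, and report whether it
// is only reachable via devDependencies. Sample inputs are constructed.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "example-runtime-lib": "^1.0.0" }, // placeholder runtime dep
  devDependencies: { "netlify-cli": "^1.0.0" },      // placeholder version
};

const SAMPLE_YARN_LOCK = `# yarn lockfile v1

example-runtime-lib@^1.0.0:
  version "1.0.0"
  resolved "https://registry.example/example-runtime-lib-1.0.0.tgz"

netlify-cli@^1.0.0:
  version "1.0.0"
  resolved "https://registry.example/netlify-cli-1.0.0.tgz"
  dependencies:
    static-server "^2.2.1"

static-server@^2.2.1:
  version "2.2.1"
  resolved "https://registry.example/static-server-2.2.1.tgz"
`;

// Parse a yarn v1 lockfile into Map<"name@range", {name, version, dependencies}>.
// Header lines are unindented and may list several comma-separated specs.
function parseYarnLockV1(text) {
  const specs = new Map();
  let entry = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      entry = { name: null, version: null, dependencies: {} };
      inDeps = false;
      for (const s of raw.slice(0, -1).split(",")) {      // drop trailing ':'
        const spec = s.trim().replace(/^"|"$/g, "");
        entry.name = spec.slice(0, spec.lastIndexOf("@")); // keeps @scope/name intact
        specs.set(spec, entry);
      }
    } else if (raw.startsWith("    ") && inDeps) {
      const m = raw.trim().match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) entry.dependencies[m[1]] = m[2];
    } else if (raw.trim() === "dependencies:") {
      inDeps = true;
    } else {
      inDeps = false; // version / resolved / integrity / other sections
      const m = raw.trim().match(/^version "([^"]+)"$/);
      if (m) entry.version = m[1];
    }
  }
  return specs;
}

// Depth-first search from every top-level dependency; each path found to
// `target` is tagged with the kind of edge ("prod" or "dev") it started from.
function tracePaths(pkgJson, lock, target) {
  const paths = [];
  const roots = [
    ...Object.entries(pkgJson.dependencies || {}).map(([n, r]) => ["prod", n, r]),
    ...Object.entries(pkgJson.devDependencies || {}).map(([n, r]) => ["dev", n, r]),
  ];
  function walk(kind, name, range, trail) {
    const entry = lock.get(`${name}@${range}`);
    if (!entry || trail.some((t) => t.name === name)) return; // unresolved or cycle
    const next = [...trail, { name, version: entry.version }];
    if (name === target) {
      paths.push({ kind, path: next.map((t) => `${t.name}@${t.version}`) });
      return;
    }
    for (const [dep, depRange] of Object.entries(entry.dependencies)) {
      walk(kind, dep, depRange, next);
    }
  }
  for (const [kind, n, r] of roots) walk(kind, n, r, []);
  return paths;
}

// A package reachable only through devDependencies is absent from the
// production install, which affects the priority of the advisory, not whether
// it applies to the repository's tooling.
function classify(pkgJson, lockText, target) {
  const paths = tracePaths(pkgJson, parseYarnLockV1(lockText), target);
  return {
    found: paths.length > 0,
    devOnly: paths.length > 0 && paths.every((p) => p.kind === "dev"),
    paths,
  };
}

console.log(JSON.stringify(classify(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK, "static-server"), null, 2));
```

On a real checkout, replace the constructed inputs with `require("./package.json")` and `fs.readFileSync("yarn.lock", "utf8")`; a `devOnly: true` result matches the conclusion reached in this thread, while any `"prod"` path means the package ships with the application and the upgrade should be treated as more urgent.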
@testower Alright, thanks for your informed input. I'm satisfied. @davidgamez should we close this issue?
@fredericsimard, I see no harm in updating the package, as mentioned by @testower. I think we should keep it open and address it with lower priority.
@davidgamez @josee-sabourin
A dependabot alert was issued for all versions 2.2.1 and below of the static-server:
https://github.com/advisories/GHSA-v834-rhv4-65m3/dependabot?query=user%3AMobilityData
Used here:
The issue is that 2.2.1 is the latest version and it has not been updated in 6 years: https://www.npmjs.com/package/static-server