Closed tloubrieu-jpl closed 1 year ago
@tloubrieu-jpl
Running npm audit fix will fix 6 moderate, 1 high and 1 critical
All the left overs are caused by one react dependency: react-scripts@5.0.1
, which is a breaking change.
This one update will break react and all the remaining dependencies and the doi-ui. They need to be fixed by the dependency's developers.
Also just some more details about the vulnerabilities. The vulnerabilities are on the tool side. Not exactly on the built code side. So deployed versions would not have all these vulnerabilities exposed. However without reading into each individual dependency's code we wouldn’t be able to tell.
🕐 Updated dependencies to remove most of the vulnerabilities
Re-opened because of I&T of build 13.0
These vulnerabilities are related to the build process but once the application is build these vulnerabilities are not in the online application.
We (dev team ) need to provide a better way to asses the security of the application for the I&T team to test.
@tloubrieu-jpl which Node/NPM version are we using for this repo?
@eddiesarevalo can you answer Miguel ? Thanks
@eddiesarevalo answered my question in today's breakout: npm -v 8.19.3 node -v v19.1.0
@eddiesarevalo @tloubrieu-jpl running npm install
yields 31 vulnerabilities (1 low, 1 moderate, 20 high, 9 critical):
node -v ─╯
v19.1.0
npm -v ─╯
8.19.3
npm install
npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated rollup-plugin-terser@5.3.1: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-terser
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated rollup-plugin-babel@4.4.0: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-babel.
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
npm WARN deprecated flatten@1.0.3: flatten is deprecated in favor of utility frameworks such as lodash.
npm WARN deprecated querystring@0.2.1: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin.
npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated @material-ui/core@4.12.3: You can now upgrade to @mui/material. See the guide: https://mui.com/guides/migration-v4/
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated source-map-resolve@0.6.0: See https://github.com/lydell/source-map-resolve#deprecated
added 2034 packages, and audited 2035 packages in 1m
187 packages are looking for funding
run npm fund for details
31 vulnerabilities (1 low, 1 moderate, 20 high, 9 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run npm audit for details.
thanks @miguelp1986 , @eddiesarevalo should we run npm audit fix
so that the critical vulnerability occurring in the build phase (and which do not apply when the application is deployed) do not show anymore ?
@tloubrieu-jpl Yes, you can run npm audit fix often and then do quick testing to see if it still runs and builds. The audit will apply fixes that are available but it won't fix anything if none are available.
@eddiesarevalo @tloubrieu-jpl npm audix fix
didn't fix the issue:
npm audit fix
added 1 package, removed 3 packages, changed 4 packages, and audited 2035 packages in 4s
189 packages are looking for funding
run `npm fund` for details
# npm audit report
ansi-html <0.0.8
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/ansi-html
@pmmmwh/react-refresh-webpack-plugin <=0.5.0-rc.6
Depends on vulnerable versions of ansi-html
node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of @svgr/webpack
Depends on vulnerable versions of optimize-css-assets-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
Depends on vulnerable versions of workbox-webpack-plugin
node_modules/react-scripts
webpack-dev-server 2.0.0-beta - 4.7.2
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of selfsigned
node_modules/webpack-dev-server
browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix`
node_modules/react-dev-utils/node_modules/browserslist
react-dev-utils 0.5.2 - 12.0.0-next.60
Depends on vulnerable versions of browserslist
Depends on vulnerable versions of immer
Depends on vulnerable versions of loader-utils
Depends on vulnerable versions of recursive-readdir
Depends on vulnerable versions of shell-quote
node_modules/react-dev-utils
ejs <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/ejs
@surma/rollup-plugin-off-main-thread <=2.1.0
Depends on vulnerable versions of ejs
node_modules/@surma/rollup-plugin-off-main-thread
workbox-build 5.0.0-alpha.0 - 6.3.0
Depends on vulnerable versions of @surma/rollup-plugin-off-main-thread
node_modules/workbox-build
workbox-webpack-plugin 5.0.0-alpha.0 - 5.1.4 || 6.2.2 - 6.3.0
Depends on vulnerable versions of workbox-build
node_modules/workbox-webpack-plugin
glob-parent <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
immer <=9.0.5
Severity: critical
Prototype Pollution in immer - https://github.com/advisories/GHSA-c36v-fmgq-m8hx
Prototype Pollution in immer - https://github.com/advisories/GHSA-33f9-j839-rf8h
fix available via `npm audit fix`
node_modules/react-dev-utils/node_modules/immer
loader-utils 2.0.0 - 2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
fix available via `npm audit fix`
node_modules/loader-utils
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/recursive-readdir/node_modules/minimatch
recursive-readdir 1.2.0 - 2.2.2
Depends on vulnerable versions of minimatch
node_modules/recursive-readdir
node-forge <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/node-forge
selfsigned 1.1.1 - 1.10.14
Depends on vulnerable versions of node-forge
node_modules/selfsigned
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@5.0.1, which is a breaking change
node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.8
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin
shell-quote <=1.7.2
Severity: critical
Improper Neutralization of Special Elements used in a Command in Shell-quote - https://github.com/advisories/GHSA-g4rg-993r-mgx7
fix available via `npm audit fix`
node_modules/shell-quote
xlsx *
Severity: high
Prototype Pollution in sheetJS - https://github.com/advisories/GHSA-4r6h-8v6p-xvw6
No fix available
node_modules/xlsx
32 vulnerabilities (1 low, 1 moderate, 21 high, 9 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
npm install ─╯
up to date, audited 2035 packages in 1s
189 packages are looking for funding
run `npm fund` for details
32 vulnerabilities (1 low, 1 moderate, 21 high, 9 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
npm start ─╯
> @nasa_pds/pds-doi-ui@1.0.0 start
> react-scripts start
ℹ 「wds」: Project is running at http://0.0.0.0:3000/
ℹ 「wds」: webpack output is served from
ℹ 「wds」: Content not from webpack is served from /Users/MPena/repositories/doi-ui/public
ℹ 「wds」: 404s will fallback to /
Starting the development server...
Browserslist: caniuse-lite is outdated. Please run:
npx update-browserslist-db@latest
Why you should do it regularly: https://github.com/browserslist/update-db#readme
/Users/MPena/repositories/doi-ui/node_modules/react-scripts/scripts/start.js:19
throw err;
^
Error: error:0308010C:digital envelope routines::unsupported
at new Hash (node:internal/crypto/hash:71:19)
at Object.createHash (node:crypto:140:10)
at module.exports (/Users/MPena/repositories/doi-ui/node_modules/webpack/lib/util/createHash.js:135:53)
at NormalModule._initBuildHash (/Users/MPena/repositories/doi-ui/node_modules/webpack/lib/NormalModule.js:417:16)
at /Users/MPena/repositories/doi-ui/node_modules/webpack/lib/NormalModule.js:452:10
at /Users/MPena/repositories/doi-ui/node_modules/webpack/lib/NormalModule.js:323:13
at /Users/MPena/repositories/doi-ui/node_modules/loader-runner/lib/LoaderRunner.js:367:11
at /Users/MPena/repositories/doi-ui/node_modules/loader-runner/lib/LoaderRunner.js:233:18
at context.callback (/Users/MPena/repositories/doi-ui/node_modules/loader-runner/lib/LoaderRunner.js:111:13)
at /Users/MPena/repositories/doi-ui/node_modules/babel-loader/lib/index.js:59:103 {
opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
library: 'digital envelope routines',
reason: 'unsupported',
code: 'ERR_OSSL_EVP_UNSUPPORTED'
}
Node.js v19.1.0
🐛 Describe the bug
Some critical/high vulnerabilities shows when one build the application.
📜 To Reproduce
Steps to reproduce the behavior:
Run
npm install
See output:
🕵️ Expected behavior
There should not be critical or high vulnerabilities.
📚 Version of Software Used
🩺 Test Data / Additional context
🏞Screenshots
🖥 System Info
🦄 Related requirements
⚙️ Engineering Details