Closed: lsmith77 closed this issue 3 months ago
So since https://www.npmjs.com/package/@microsoft/teams-manifest/v/0.1.3-alpha.e662467a1.0?activeTab=code the axios dependency has been removed, but there is no indication of when we can expect a prod release.
That is not the only @microsoft/teams* package this repo has dependencies on that has the axios vulnerability. We are working with that team to take care of this soon, but it involves changes in a variety of places in order to be complete.
Thank you for responding as it is otherwise not possible to reach the relevant team.
partially fixed via https://github.com/OfficeDev/Office-Addin-Scripts/pull/826
@millerds from what I can tell there remain unsolved issues:
axios 0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install office-addin-debugging@4.3.9, which is a breaking change
node_modules/@microsoft/teams-manifest/node_modules/axios
node_modules/@microsoft/teamsfx-api/node_modules/axios
node_modules/@microsoft/teamsfx-core/node_modules/axios
@microsoft/teams-manifest <=0.1.2
Depends on vulnerable versions of axios
node_modules/@microsoft/teams-manifest
@microsoft/teamsfx-api <=0.22.6
Depends on vulnerable versions of @microsoft/teams-manifest
Depends on vulnerable versions of axios
node_modules/@microsoft/teamsfx-api
@microsoft/teamsfx-core <=2.0.6
Depends on vulnerable versions of @microsoft/teamsfx-api
Depends on vulnerable versions of axios
node_modules/@microsoft/teamsfx-core
@microsoft/teamsfx-cli *
Depends on vulnerable versions of @microsoft/teamsfx-api
Depends on vulnerable versions of @microsoft/teamsfx-core
node_modules/@microsoft/teamsfx-cli
office-addin-dev-settings >=1.11.0
Depends on vulnerable versions of @microsoft/teamsfx-cli
node_modules/office-addin-dev-settings
office-addin-debugging >=4.3.10
Depends on vulnerable versions of office-addin-dev-settings
node_modules/office-addin-debugging
7 moderate severity vulnerabilities
i.e. https://www.npmjs.com/package/@microsoft/teamsfx-cli?activeTab=dependencies depends on https://www.npmjs.com/package/@microsoft/teamsfx-core?activeTab=dependencies which in turn depends on vulnerable versions of axios
https://www.npmjs.com/package/@microsoft/teamsfx-core?activeTab=code
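The text report above only says "Depends on vulnerable versions of ..." one hop at a time, so working out which direct dependency has to move is manual. The following is an added example, not code from this thread or from any of the packages named in it: it walks the JSON form of the same report (`npm audit --json`, auditReportVersion 2) and prints every path from a direct dependency down to the package an advisory is about. The `report` object is constructed by hand from the audit output posted above, with only the fields the walk needs; the field names (`vulnerabilities`, `via`, `effects`, `isDirect`) are the ones npm 7 and later emit, where `via` holds advisory objects for the vulnerable package itself and plain package names for packages that merely depend on it, and `effects` lists the packages that depend on the entry.

```javascript
// Constructed from the text report in the thread; not a captured npm output.
const report = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: {
      name: 'axios',
      severity: 'moderate',
      isDirect: false,
      via: [{
        title: 'Axios Cross-Site Request Forgery Vulnerability',
        url: 'https://github.com/advisories/GHSA-wf5p-g6vw-rhxx',
        severity: 'moderate',
        range: '0.8.1 - 1.5.1',
      }],
      effects: ['@microsoft/teams-manifest', '@microsoft/teamsfx-api', '@microsoft/teamsfx-core'],
    },
    '@microsoft/teams-manifest': { isDirect: false, via: ['axios'], effects: ['@microsoft/teamsfx-api'] },
    '@microsoft/teamsfx-api': { isDirect: false, via: ['@microsoft/teams-manifest', 'axios'], effects: ['@microsoft/teamsfx-core', '@microsoft/teamsfx-cli'] },
    '@microsoft/teamsfx-core': { isDirect: false, via: ['@microsoft/teamsfx-api', 'axios'], effects: ['@microsoft/teamsfx-cli'] },
    '@microsoft/teamsfx-cli': { isDirect: false, via: ['@microsoft/teamsfx-api', '@microsoft/teamsfx-core'], effects: ['office-addin-dev-settings'] },
    'office-addin-dev-settings': { isDirect: false, via: ['@microsoft/teamsfx-cli'], effects: ['office-addin-debugging'] },
    'office-addin-debugging': { isDirect: true, via: ['office-addin-dev-settings'], effects: [] },
  },
};

// For every advisory in the report, return each path from the package the
// project installs directly down to the package the advisory is about.
function advisoryChains(report) {
  const vulns = report.vulnerabilities;
  const results = [];

  // Follow `effects` edges upward (X -> packages that depend on X). A chain
  // ends at a direct dependency, at a package nothing else depends on, or at
  // a name the report has no entry for. `path` doubles as the cycle guard.
  function climb(name, path, out) {
    const entry = vulns[name];
    const parents = entry ? entry.effects.filter((p) => !path.includes(p)) : [];
    if (!entry || entry.isDirect || parents.length === 0) {
      out.push([...path].reverse());
      return;
    }
    for (const parent of parents) climb(parent, [...path, parent], out);
  }

  for (const [name, entry] of Object.entries(vulns)) {
    for (const cause of entry.via) {
      if (typeof cause !== 'object') continue; // a string is just "depends on vulnerable <name>"
      const chains = [];
      climb(name, [name], chains);
      for (const chain of chains) {
        results.push({ advisory: cause.url, vulnerable: name, range: cause.range, chain });
      }
    }
  }
  return results;
}

// The direct dependencies that have to move before the advisory can clear.
function directCulprits(report) {
  return [...new Set(advisoryChains(report).map((r) => r.chain[0]))];
}

for (const r of advisoryChains(report)) {
  console.log(`${r.vulnerable} ${r.range}: ${r.chain.join(' > ')}`);
}
console.log('direct dependencies to bump:', directCulprits(report).join(', '));
```

Run against a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync('audit.json'))` in place of the constructed object. For the report above every chain ends in `office-addin-debugging`, which is exactly why `npm audit fix --force` offers only the breaking downgrade to 4.3.9: nothing below it can be fixed from this repo until the upstream packages publish.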
You are correct . . . only some of the vulnerabilities have been fixed . . . still working with that team to have their things fixed.
Looks like the latest beta releases finally address this: https://www.npmjs.com/package/@microsoft/teamsfx-core/v/2.0.7-beta.2024012307.0?activeTab=code
Looks promising . . . now we just need to see the core cli package take a dependency on a shipped 2.0.7 package.
sigh .. still no 2.0.7 release :-/
I believe it's fixed now.
well ...
# npm audit report
axios 0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/@azure/identity/node_modules/axios
node_modules/@azure/msal-node/node_modules/axios
node_modules/@microsoft/teams-manifest/node_modules/axios
node_modules/@microsoft/teamsfx-api/node_modules/axios
node_modules/@microsoft/teamsfx-cli/node_modules/axios
node_modules/@microsoft/teamsfx-core/node_modules/axios
@azure/identity 1.2.0-alpha.20200903.1 - 2.0.0-beta.6
Depends on vulnerable versions of @azure/msal-node
Depends on vulnerable versions of axios
node_modules/@azure/identity
@microsoft/teamsfx-cli <=2.0.2-rc-hotfix.0 || >=2.0.3-alpha.313138833.0
Depends on vulnerable versions of @azure/core-http
Depends on vulnerable versions of @azure/identity
Depends on vulnerable versions of @microsoft/teamsfx-api
Depends on vulnerable versions of @microsoft/teamsfx-core
Depends on vulnerable versions of axios
node_modules/@microsoft/teamsfx-cli
office-addin-dev-settings 1.11.0 - 2.0.4
Depends on vulnerable versions of @microsoft/teamsfx-cli
node_modules/office-addin-dev-settings
office-addin-debugging 4.3.10 - 4.6.7
Depends on vulnerable versions of office-addin-dev-settings
node_modules/office-addin-debugging
@azure/msal-node <=1.14.5
Depends on vulnerable versions of axios
Depends on vulnerable versions of jsonwebtoken
node_modules/@azure/msal-node
@microsoft/teams-manifest <=0.1.3-rc-hotfix.0
Depends on vulnerable versions of axios
node_modules/@microsoft/teams-manifest
@microsoft/teamsfx-api <=0.22.7-rc-hotfix.0
Depends on vulnerable versions of @azure/core-http
Depends on vulnerable versions of @microsoft/teams-manifest
Depends on vulnerable versions of axios
node_modules/@microsoft/teamsfx-api
@microsoft/teamsfx-core <=2.0.6
Depends on vulnerable versions of axios
Depends on vulnerable versions of xml2js
node_modules/@microsoft/teamsfx-core
jsonwebtoken <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix`
node_modules/jsonwebtoken
xml2js <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix`
node_modules/xml2js
@azure/core-http <=2.3.1 || 3.0.0-alpha.20221110.1 - 3.0.0
Depends on vulnerable versions of xml2js
node_modules/@azure/core-http
OK, with some help from Dependabot I have now managed to bump everything up sufficiently.
npm install --save
npm WARN deprecated @azure/msal-node@1.18.4: A newer major version of this library is available. Please upgrade to the latest available version.
added 174 packages, removed 296 packages, changed 19 packages, and audited 1663 packages in 13s
240 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
I guess getting @azure/msal-node bumped would be good, but at least it isn't a (known) security issue at this point.
Prerequisites
@microsoft/teams-manifest
"axios": "^0.21.2",
see https://www.npmjs.com/package/@microsoft/teams-manifest?activeTab=code and https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
Expected behavior
Move to Version 1.6.0
Context
I shared this information with Microsoft Security Response Center but they closed the case with some bullshit bla bla about not having received enough information. Since I could not find a GitHub repo for @microsoft/teams-manifest, and this package depends on it and is also maintained by Microsoft, I am opening the ticket here. However, here is my attempt at tagging the NPM maintainers here on GitHub: @zhyuer, @nintan
Since the security issue is public anyway and any hacker can easily determine vulnerable packages, I guess using a public channel for this isn't making matters worse.
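What the advisory GHSA-wf5p-g6vw-rhxx actually describes, and why "move to 1.6.0" is the expected fix, is easier to see in code than in the audit listing. The block below is an added illustration, not axios source and not code from this thread: it reduces the XSRF branch of the browser (XHR) adapter to two pure functions modelled on the decision axios makes in the affected range (0.8.1 - 1.5.1) and after the 1.6.0 fix, so the two can be compared offline. Cookie reading, the browser-environment check and the `xsrfCookieName`/`xsrfHeaderName` options are left out or fixed to their defaults; the page origin, cookie value and URLs are made up for the scenario.

```javascript
const XSRF_COOKIE = 'XSRF-TOKEN';
const XSRF_HEADER = 'X-XSRF-TOKEN';

// Resolve the request URL against the page and compare scheme, host and port.
function isSameOrigin(requestUrl, pageOrigin) {
  return new URL(requestUrl, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Affected behaviour (modelled, not verbatim): `withCredentials: true` alone
// is enough for the token to be attached, so a request to any host carries
// the page's XSRF-TOKEN cookie in the X-XSRF-TOKEN header.
function xsrfHeadersBefore(config, pageOrigin, cookies) {
  const headers = {};
  const token = cookies[XSRF_COOKIE];
  if ((config.withCredentials || isSameOrigin(config.url, pageOrigin)) && token) {
    headers[XSRF_HEADER] = token;
  }
  return headers;
}

// Fixed behaviour (1.6.0, modelled): `withCredentials` no longer widens the
// check. The header goes out only to the page's own origin unless the caller
// opts in per request with `withXSRFToken: true`; `withXSRFToken: false`
// suppresses it even for same-origin requests.
function xsrfHeadersAfter(config, pageOrigin, cookies) {
  const headers = {};
  const token = cookies[XSRF_COOKIE];
  const send = config.withXSRFToken === true
    || (config.withXSRFToken !== false && isSameOrigin(config.url, pageOrigin));
  if (send && token) headers[XSRF_HEADER] = token;
  return headers;
}

// Constructed scenario: an app that turns on withCredentials globally and
// then calls a third-party API from the same axios instance.
const PAGE_ORIGIN = 'https://app.example.test';
const COOKIES = { [XSRF_COOKIE]: 'constructed-token-value' };

// Whether the XSRF header is present for a same-origin and a cross-origin
// request, before and after the fix.
function leakComparison() {
  const sameOrigin = { url: '/api/profile', withCredentials: true };
  const crossOrigin = { url: 'https://third-party.example/collect', withCredentials: true };
  return {
    sameOriginBefore: XSRF_HEADER in xsrfHeadersBefore(sameOrigin, PAGE_ORIGIN, COOKIES),
    sameOriginAfter: XSRF_HEADER in xsrfHeadersAfter(sameOrigin, PAGE_ORIGIN, COOKIES),
    crossOriginBefore: XSRF_HEADER in xsrfHeadersBefore(crossOrigin, PAGE_ORIGIN, COOKIES),
    crossOriginAfter: XSRF_HEADER in xsrfHeadersAfter(crossOrigin, PAGE_ORIGIN, COOKIES),
  };
}

console.log(leakComparison()); // crossOriginBefore: true (token leaked), crossOriginAfter: false
```

The practical consequence for a dependency like @microsoft/teams-manifest pinned to `axios ^0.21.2` is that the range can never resolve to a fixed version, since 1.6.0 is a different major; only a bump of the dependent package's own manifest clears the finding, which is what the rest of this thread is waiting on.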