SAFE-Stack / SAFE-template

dotnet CLI template for SAFE project
MIT License

the `remotedev` dependency has a security vulnerability #602

Closed kurt-mueller-osumc closed 6 months ago

kurt-mueller-osumc commented 6 months ago

In the root of your SAFE Stack application, run npm audit fix:

$ npm audit fix

up to date, audited 235 packages in 552ms

38 packages are looking for funding
  run `npm fund` for details

# npm audit report

ws  2.0.0 - 3.3.0
Severity: high
Denial of Service in ws - https://github.com/advisories/GHSA-5v72-xg48-5rpm
fix available via `npm audit fix`
node_modules/ws
  socketcluster-client  0.9.3 - 0.9.9 || 5.5.0 - 9.0.2
  Depends on vulnerable versions of ws
  node_modules/socketcluster-client

2 high severity vulnerabilities

To address all issues, run:
  npm audit fix

socketcluster-client is a dependency of remotedev, which is listed in package.json

Unfortunately, remotedev hasn't been updated in a few years.

kurt-mueller-osumc commented 6 months ago

The yarn audit command also provides insight:

$ yarn audit
yarn audit v1.22.22
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ ReDoS in Sec-Websocket-Protocol header                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ws                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ remotedev                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ remotedev > socketcluster-client > ws                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1090475                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 280
Severity: 1 Moderate
Done in 0.59s

Larocceau commented 6 months ago

@theimowski I see you added remoteDev to the template. Is this something you actually use? It does not seem to be maintained, so I think we should just drop the dependency.

mattgallagher92 commented 6 months ago

Thanks for the heads up @kurt-mueller-osumc!

kurt-mueller-osumc commented 6 months ago

No problem! Thank you for maintaining an excellent product :).

MangelMaxime commented 6 months ago

I see you added remoteDev to the template. Is this something you actually use? It does not seem to be maintained, so I think we should just drop the dependency.

Well, the tool still works as of today, just with a warning. It is still quite useful for exploring your application state / diff from time to time.

And this is a dev tool, so the security issue is not exposed to the production application and only happens on your machine while in dev mode.
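The two facts the thread turns on, the transitive path npm audit reports (remotedev > socketcluster-client > ws) and the observation that the exposure is dev-only, can both be checked mechanically from the lockfile. The following is an added example, not code from the SAFE-template project: it walks a package-lock.json v2/v3 `packages` map (the fragment below is constructed for the example, with placeholder versions except for ws), tests the installed ws version against the affected range quoted above (2.0.0 - 3.3.0), and reports whether every chain reaching it starts from a devDependency.

```javascript
// Added example (not the SAFE-template's code); the lockfile fragment at the bottom is constructed.
function cmpVersion(a, b) { // numeric dotted-version compare, enough for the ranges in the advisory
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Resolve `name` from the package at `fromPath` the way node does: nearest nested node_modules first, then the hoisted top-level copy.
function resolve(packages, fromPath, name) {
  const nested = fromPath ? `${fromPath}/node_modules/${name}` : null;
  if (nested && packages[nested]) return nested;
  const top = `node_modules/${name}`;
  return packages[top] ? top : null;
}

// Collect every dependency chain from the root ("") to `target`, recording whether it starts from a devDependency and which version it ends at.
function findChains(packages, target) {
  const root = packages[''], chains = [];
  const walk = (path, chain, dev, seen) => {
    const pkg = packages[path];
    if (!pkg || seen.has(path)) return; // unresolved or cyclic edge
    if (chain[chain.length - 1] === target) { chains.push({ chain, dev, version: pkg.version }); return; }
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const next = resolve(packages, path, dep);
      if (next) walk(next, [...chain, dep], dev, new Set([...seen, path]));
    }
  };
  for (const [field, dev] of [['dependencies', false], ['devDependencies', true]]) {
    for (const name of Object.keys(root[field] || {})) walk(resolve(packages, '', name), [name], dev, new Set());
  }
  return chains;
}

// Chains whose installed version lies in the inclusive range [lo, hi], plus whether all of them are dev-only.
function audit(packages, target, lo, hi) {
  const hits = findChains(packages, target)
    .filter(c => cmpVersion(c.version, lo) >= 0 && cmpVersion(c.version, hi) <= 0);
  return { vulnerable: hits.length > 0, devOnly: hits.length > 0 && hits.every(c => c.dev),
           paths: hits.map(c => c.chain.join(' > ')) };
}

// Constructed lockfile fragment mirroring the path reported in this issue; non-ws versions are placeholders.
const LOCK = {
  '': { devDependencies: { remotedev: '*' } },
  'node_modules/remotedev': { version: '0.0.0', dev: true, dependencies: { 'socketcluster-client': '*' } },
  'node_modules/socketcluster-client': { version: '5.5.0', dev: true, dependencies: { ws: '*' } },
  'node_modules/ws': { version: '3.0.0', dev: true },
};
console.log(audit(LOCK, 'ws', '2.0.0', '3.3.0'));
```

A `devOnly: true` result is the case MangelMaxime describes: the vulnerable code is never shipped, so the risk is confined to developer machines; a chain starting from `dependencies` would flip it to false and make the finding a production concern.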

jwthomson commented 6 months ago

@MangelMaxime good point. Rather than roll this change back, I've created an issue in the docs repo. We can write some info on how to add remotedev in cases where it would be helpful to have more in-depth debugging capabilities, and that way people who are not using it won't be troubled with an unnecessary warning.