actions-on-google / actions-on-google-nodejs

Node.js client library for Actions on Google
https://actions-on-google.github.io/actions-on-google-nodejs
Apache License 2.0

npm audit security vulnerability in node-forge #407

Closed mrlukasbos closed 2 years ago

mrlukasbos commented 3 years ago

Npm audit indicates a vulnerability in the node-forge dependency.

=== npm audit security report ===
│ High          │ Prototype Pollution in node-forge                            │
│ Package       │ node-forge                                                   │
│ Patched in    │ >= 0.10.0                                                    │
│ Dependency of │ actions-on-google                                            │
│ Path          │ actions-on-google > googleapis > googleapis-common >         │
│               │ google-auth-library > gtoken > google-p12-pem > node-forge   │
│ More info     │ https://npmjs.com/advisories/1561                            │

Fleker commented 3 years ago

Thanks. Seems like the issue is due to some slightly older dependencies.

bayerlse commented 3 years ago

Hey @Fleker, will this be fixed soon?

xam-ps commented 3 years ago

Hi there, any update on this? Five high security issues right now. Would love to get rid of them in my project. @Fleker Are you maintaining?

tommybluhm commented 3 years ago

Is there any update on this? Please fix the security issues!

ghost commented 3 years ago

Is this the right library to use? Is it being maintained at all? Now 9 high security vulnerabilities:

# npm audit report

axios  <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix --force`
Will install actions-on-google@1.7.0, which is a breaking change
node_modules/axios
  gcp-metadata  0.5.0 - 0.9.0
  Depends on vulnerable versions of axios
  node_modules/gcp-metadata
    google-auth-library  0.9.4 - 5.10.1
    Depends on vulnerable versions of axios
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gtoken
    node_modules/google-auth-library
    node_modules/googleapis-common/node_modules/google-auth-library
    node_modules/googleapis/node_modules/google-auth-library
      actions-on-google  >=1.8.0
      Depends on vulnerable versions of google-auth-library
      Depends on vulnerable versions of googleapis
      node_modules/actions-on-google
      googleapis  3.0.0 - 48.0.0
      Depends on vulnerable versions of google-auth-library
      Depends on vulnerable versions of googleapis-common
      node_modules/googleapis
      googleapis-common  <=3.2.2
      Depends on vulnerable versions of google-auth-library
      node_modules/googleapis-common

node-forge  <=0.9.2
Severity: high
Prototype Pollution in node-forge - https://npmjs.com/advisories/1561
fix available via `npm audit fix --force`
Will install actions-on-google@1.7.0, which is a breaking change
node_modules/node-forge
  google-p12-pem  <=3.0.2
  Depends on vulnerable versions of node-forge
  node_modules/google-p12-pem
    gtoken  <=5.0.0
    Depends on vulnerable versions of google-p12-pem
    node_modules/gtoken
      google-auth-library  0.9.4 - 5.10.1
      Depends on vulnerable versions of axios
      Depends on vulnerable versions of gcp-metadata
      Depends on vulnerable versions of gtoken
      node_modules/google-auth-library
      node_modules/googleapis-common/node_modules/google-auth-library
      node_modules/googleapis/node_modules/google-auth-library
        actions-on-google  >=1.8.0
        Depends on vulnerable versions of google-auth-library
        Depends on vulnerable versions of googleapis
        node_modules/actions-on-google
        googleapis  3.0.0 - 48.0.0
        Depends on vulnerable versions of google-auth-library
        Depends on vulnerable versions of googleapis-common
        node_modules/googleapis
        googleapis-common  <=3.2.2
        Depends on vulnerable versions of google-auth-library
        node_modules/googleapis-common

9 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

rtrompier commented 3 years ago

Hi there, any news about that?

Fleker commented 3 years ago

@proppy can you chime in

ghost commented 3 years ago

@Fleker @rtrompier @tommybluhm I just found out that this library is abandonware and unmaintained. Looks like it's been superseded by https://github.com/actions-on-google/assistant-conversation-nodejs which is regularly updated and installs without warnings. I wish the README would mention this in bold at the top - the Google documentation is incredibly unhelpful, has many broken links and doesn't really indicate that this library is obsolete.

Looks like the fundamentals are the same, just some name changes, so "intent" becomes "handle", "ask" becomes "add" etc.

The old 'actions-on-google' way:

const {dialogflow} = require('actions-on-google')

const app = dialogflow()

app.intent('Default Welcome Intent', conv => {
  conv.ask('Hi, how is it going?')
})

The new 'google assistant' way:

const {conversation} = require('@assistant/conversation')

const app = conversation()

app.handle('Default Welcome Intent', conv => {
  conv.add('Hi, how is it going?')
})

proppy commented 3 years ago

@digitaltoast https://github.com/actions-on-google/assistant-conversation-nodejs is used for conversation actions using Action Builder with the new Action SDK, while this repository is still relevant for Smart Home actions.

Looks like the vulnerability in this repository would require a major version upgrade for the google-auth-library:

-    "google-auth-library": "^1.6.1",
+    "google-auth-library": "^7.0.4",
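Review bot: bumping only the direct google-auth-library dependency to ^7.0.4 does not clear the nested copies that the audit output above lists under node_modules/googleapis/node_modules/google-auth-library and node_modules/googleapis-common/node_modules/google-auth-library; googleapis (flagged at 3.0.0 - 48.0.0) and googleapis-common (<=3.2.2) need to move to releases that depend on the patched google-auth-library as well, and the engines field should be raised in the same change so the Node requirement and the dependency set are released together.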

which would in turn transitively change the node engine requirements from:

  "engines": {
    "node": ">=6.13.0"
  },

to:

  "engines": {
    "node": ">=10"
  },

This seems like a reasonable change to me since neither Node.js 6 nor 8 is actively supported anymore by the Node.js project: https://nodejs.org/en/about/releases/, but it would require a major version bump of the library itself.
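As an added example (not code from the thread or from the actions-on-google project), here is a small stand-in for the semver package that evaluates the vulnerable ranges npm audit printed earlier in the thread against the versions a lockfile resolved, so a maintainer can confirm that a bump such as ^1.6.1 to ^7.0.4 actually leaves the flagged range. The advisory table and the resolved-version map are constructed from the ranges quoted above; everything else is an assumption of this example.

```javascript
// Added example (not from the actions-on-google project): a minimal semver
// range check covering the range forms npm audit printed in this thread:
// "<0.21.1", "<=0.9.2", ">= 0.10.0", ">=1.8.0" and hyphen ranges such as
// "0.9.4 - 5.10.1". Prerelease tags and wildcards are out of scope.
function parseVersion(v) {
  // Accept package.json specs such as "^1.6.1" by dropping the caret/tilde.
  const m = /^[\^~]?v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const hyphen = range.split(/\s+-\s+/);
  if (hyphen.length === 2) {
    return compare(v, parseVersion(hyphen[0])) >= 0 &&
           compare(v, parseVersion(hyphen[1])) <= 0;
  }
  const m = /^(<=|>=|<|>|=)?\s*(.+)$/.exec(range.trim());
  const c = compare(v, parseVersion(m[2]));
  switch (m[1] || '=') {
    case '<': return c < 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '>=': return c >= 0;
    default: return c === 0;
  }
}

// Constructed sample: the vulnerable ranges from the audit output above.
const ADVISORIES = {
  'axios': '<0.21.1',
  'node-forge': '<=0.9.2',
  'google-auth-library': '0.9.4 - 5.10.1',
};

// Given the versions a lockfile resolved (a constructed map here), return
// the packages whose version still falls inside a vulnerable range.
function vulnerablePackages(resolved) {
  return Object.keys(resolved).filter(name =>
    name in ADVISORIES && satisfies(resolved[name], ADVISORIES[name]));
}
```

Feeding it the versions from a real lockfile (for instance parsed out of `npm ls --json`) turns the audit's range strings into a check that can run in CI before a release.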

Fleker commented 2 years ago

Good afternoon folks, we've just published v3.0.0 which updates to a minimum of Node 12 and updates dependencies.