Closed: JustAnotherGitHubUserYouDontKnow closed this 2 years ago
+1
npm audit is broken. Please read: https://overreacted.io/npm-audit-broken-by-design/
That article relates to a node app being used to generate static HTML, CSS and JS code. It explicitly is NOT referring to a live node app for which untrusted inputs might make their way to that vulnerable code in normal internet-facing usage.
In the case of this library, it is VERY MUCH used in a permanently online, internet-facing context.
Though the vulnerabilities in these nested dependencies are not likely to be implemented or accessible from their specific uses within this library, that is far from guaranteed. It might not be considered a vulnerability to pass options down the line that affect those calls; only a full review of the code (or a creative hacker) could tell me that. And the only automated tool available to tell me that something vulnerable is known along the chain... is npm audit.
In any case, Google Cloud Functions (the context in which my server-side code is used) are loaded more efficiently if consistent, recent and therefore internally-cached versions of libraries are used throughout.
Therefore, the dependency issue in this package not only increases the risk that my app may be compromised by hackers (who are, by definition, creative enough to pursue taking advantage of such deeply nested vulnerabilities), but it literally costs me money right now by increasing the cold-start overhead of each instance.
I see no good reason for this package to continue to load old and vulnerable versions of dependencies that all its peers have long since left behind.
Sure, and I agree with that in theory, but in practice nobody would go that far, because there is no money to be made by exploiting Actions on Google.
Of course this doesn't mean the package should keep these vulnerable dependencies unfixed.
I'd suggest to either stay away from this package and build the JSON responses yourself, or remove package-lock.json, so that npm always pulls the latest dependency tree.
The Actions on Google team has a very bad record of maintaining their packages (if they don't straight up deprecate them) and is always slow to respond (months slow).
Hey folks, thanks for your feedback. I just got back from a vacation, and getting these dependencies updated is going to be a top priority of mine.
Good afternoon folks, we've just published v3.0.0, which updates to a minimum of Node 12 and updates dependencies.
Thanks @Fleker, your attention on this is greatly appreciated! 😊
Here's the latest from today: this library alone is bringing 10 high security vulnerabilities into my project. It seems to be the very last of the Google libraries to update dependencies since their discovery, by a long, long way.
C'mon, don't leave our projects vulnerable for so long.
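The "10 high vulnerabilities" figure above, like the earlier point that npm audit is the only automated signal along the dependency chain, counts every package in the chain. As an added example (not code from this thread or from the package being discussed), the script below triages an `npm audit --json` report (the npm 7+ format with `auditReportVersion: 2`, where root-cause entries carry advisory objects in `via` and dependents are listed in `effects`) into root-cause advisories and the direct dependencies that pull each one in. The report, the package names (`example-sdk` stands in for the library under discussion) and the advisory titles are constructed sample data, not real audit output.

```javascript
// Added example: triage a constructed `npm audit --json` (auditReportVersion 2) report.
// The package names, severities and advisory titles below are constructed sample data.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: { name: "lodash", severity: "high", isDirect: false, fixAvailable: true,
      via: [{ title: "Prototype pollution (constructed advisory)", severity: "high" }],
      effects: ["example-sdk"] },
    "example-sdk": { name: "example-sdk", severity: "high", isDirect: true,
      via: ["lodash", "mkdirp"], effects: [],
      fixAvailable: { name: "example-sdk", version: "3.0.0", isSemVerMajor: true } },
    minimist: { name: "minimist", severity: "moderate", isDirect: false, fixAvailable: false,
      via: [{ title: "Prototype pollution (constructed advisory)", severity: "moderate" }],
      effects: ["mkdirp"] },
    mkdirp: { name: "mkdirp", severity: "moderate", isDirect: false, fixAvailable: false,
      via: ["minimist"], effects: ["example-sdk"] },
    "node-fetch": { name: "node-fetch", severity: "high", isDirect: true, fixAvailable: true,
      via: [{ title: "Header leak on redirect (constructed advisory)", severity: "high" }],
      effects: [] },
  },
};
// Follow `effects` (the packages that depend on this one) upward until we reach
// dependencies declared directly in the project's package.json.
function findDirectDependents(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  if (vulns[name].isDirect) return [name];
  return vulns[name].effects.flatMap((dep) => findDirectDependents(vulns, dep, seen));
}
// Keep only root-cause entries (whose `via` holds advisory objects rather than package
// names) at or above minSeverity, and attribute each to the direct deps that pull it in.
function triageAudit(report, minSeverity = "high") {
  const vulns = report.vulnerabilities || {};
  return Object.values(vulns)
    .filter((e) => e.via.some((v) => typeof v === "object"))
    .filter((e) => SEVERITY_RANK[e.severity] >= SEVERITY_RANK[minSeverity])
    .map((e) => ({
      package: e.name,
      severity: e.severity,
      transitive: !e.isDirect,
      pulledInBy: [...new Set(findDirectDependents(vulns, e.name))],
      fixAvailable: e.fixAvailable !== false, // false means npm knows no fixed version
    }));
}
console.table(triageAudit(sampleReport, "moderate"));
```

With a real report, pipe `npm audit --json` into a file, `JSON.parse` it and pass it to `triageAudit`; the `pulledInBy` column shows which direct dependency has to move before a transitive advisory disappears from the count.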