apache / cordova-ios

Apache Cordova iOS
https://cordova.apache.org/
Apache License 2.0

npm security audit reports shelljs vulnerability #1219

Closed almercier closed 2 years ago

almercier commented 2 years ago

Bug Report

Problem

What is expected to happen?

Running npm audit should report no vulnerable dependencies used by the latest version of cordova-ios

What does actually happen?

I get an Improper Privilege Management in shelljs warning from cordova-ios dependencies

Information

shelljs  <0.8.5
Severity: moderate
Improper Privilege Management in shelljs - https://github.com/advisories/GHSA-64g7-mvw6-v9qj
fix available via `npm audit fix --force`
Will install cordova-ios@4.0.1, which is a breaking change
node_modules/shelljs
  simctl  >=0.0.2
  Depends on vulnerable versions of shelljs
  node_modules/simctl
    ios-sim  >=4.1.0
    Depends on vulnerable versions of simctl
    node_modules/ios-sim
      cordova-ios  >=4.1.0
      Depends on vulnerable versions of ios-sim
      node_modules/cordova-ios

Interestingly, the audit fix seems to think installing v4.1.0 will fix this issue, which is two major versions behind where I currently am, on 6.2.0.

Command or Code

npm i cordova-ios@latest
npm audit

Environment, Platform, Device

Macbook Pro, 15-inch, 2016

Version information

MacOS 12.1
npm 8.1.2
cordova-ios 6.2.0


breautek commented 2 years ago

Shelljs was removed from cordova-ios approximately 2 years ago; the removal shipped in the cordova-ios@6.0.0 release via https://github.com/apache/cordova-ios/pull/851

Use npm ls shelljs to determine what packages are depending on ShellJS. You may also want to try nuking your package-lock.json file and node_modules folder and install from a clean slate.

Closing because this isn't a bug with modern versions of cordova-ios. If you need further assistance, feel free to ask our Slack Community.
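The `npm ls shelljs` check suggested above can be scripted when the offending package sits several levels down the tree. The following is an added example, not code from cordova-ios or from anyone in this thread: it walks the JSON that `npm ls --all --json` prints and reports every path that leads to a copy of a package older than the version the advisory names as fixed (here shelljs below 0.8.5, as in the audit output). The dependency tree embedded below is constructed to mirror the chain cordova-ios > ios-sim > simctl > shelljs from the report; the versions of ios-sim and simctl in it are made up, and a patched top-level shelljs is included to show that only the old nested copy is flagged.

```javascript
// Added example (not part of cordova-ios or the issue thread): find the
// dependency paths that pull in an outdated package, using the tree that
// `npm ls --all --json` prints. Scripted form of the `npm ls shelljs` check.
'use strict';

// Minimal x.y.z comparison. Pre-release tags are ignored, which is an
// assumption that holds for the packages discussed in this thread.
function compareVersions(a, b) {
  const pa = String(a).split('.').map(Number);
  const pb = String(b).split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the nested `dependencies` objects of an npm ls tree.
// Returns one entry per installed copy of `target` whose version is below
// `fixedIn`, together with the chain of parents that pulled it in.
// Entries without a version (npm prints deduped links that way) are skipped.
function findVulnerablePaths(tree, target, fixedIn) {
  const hits = [];
  const walk = (node, chain) => {
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      const path = chain.concat(`${depName}@${dep.version || '?'}`);
      if (depName === target && dep.version &&
          compareVersions(dep.version, fixedIn) < 0) {
        hits.push({ version: dep.version, path });
      }
      walk(dep, path);
    }
  };
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// Human-readable summary, one line per vulnerable copy found.
function report(tree, target, fixedIn) {
  const hits = findVulnerablePaths(tree, target, fixedIn);
  if (hits.length === 0) return `${target}: no copy older than ${fixedIn} installed`;
  return hits.map(h => `${target}@${h.version} via ${h.path.join(' > ')}`).join('\n');
}

// Constructed sample tree in the shape of `npm ls --all --json` output.
// The cordova-ios > ios-sim > simctl > shelljs chain follows the audit
// report above; ios-sim and simctl versions are made up for illustration.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    'cordova-ios': {
      version: '6.2.0',
      dependencies: {
        'ios-sim': {
          version: '8.0.2',
          dependencies: {
            simctl: {
              version: '2.0.0',
              dependencies: { shelljs: { version: '0.8.4' } },
            },
          },
        },
      },
    },
    // A patched top-level copy: not old enough to be reported.
    shelljs: { version: '0.8.5' },
  },
};

// Usage: node find-dep.js [tree.json] [package] [fixedIn]
// With no arguments the constructed sample tree is used.
if (typeof require !== 'undefined' && require.main === module) {
  const [file, target = 'shelljs', fixedIn = '0.8.5'] = process.argv.slice(2);
  const tree = file
    ? JSON.parse(require('fs').readFileSync(file, 'utf8'))
    : SAMPLE_TREE;
  console.log(report(tree, target, fixedIn));
}
```

On a real project, run `npm ls --all --json > tree.json` and pass the file as the first argument; the printed path tells you which direct dependency has to update before `npm audit` will stop reporting the nested copy, which is exactly the situation with simctl described later in this thread.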

almercier commented 2 years ago

Did some digging, and shellJS is being installed by cordova-ios 6.0.0 as a nested dependency. shellJS has since fixed it, but simctl (a dependency of ios-sim, which is in turn a dependency of cordova-ios) hasn't updated to the patched version yet.

It's frustrating that a clean install of cordova-ios generates npm audit warnings, and it's frustrating that the bug report was immediately dismissed as an invalid local issue when it is immediately replicable on latest albeit not exactly immediately solvable.

I submitted an issue to simctl, but it doesn't seem like an actively maintained project https://github.com/ios-control/simctl/issues/27

almercier commented 2 years ago

@breautek [image attachment]

NiklasMerz commented 2 years ago

simctl has been updated and the issues should be gone.