apache / cordova-lib

Apache Cordova Tooling Library
https://cordova.apache.org/
Apache License 2.0
221 stars 243 forks

chore: package-lock update #879

Closed breautek closed 3 years ago

breautek commented 3 years ago

Platforms affected

Motivation and Context

Resolves several sub-dependency vulnerabilities

Audit JSON Log

Description

Testing

Checklist

codecov-commenter commented 3 years ago

Codecov Report

Merging #879 (96309ed) into master (dd872f0) will not change coverage. The diff coverage is n/a.


@@           Coverage Diff           @@
##           master     #879   +/-   ##
=======================================
  Coverage   91.13%   91.13%           
=======================================
  Files          45       45           
  Lines        2053     2053           
=======================================
  Hits         1871     1871           
  Misses        182      182           

Continue to review full report at Codecov.


dpogue commented 3 years ago

Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.

Will the older npm versions on older node versions on GHA properly handle the updated lockfile format?

breautek commented 3 years ago

> I just checked package.json again and found out all URLs point to a totalpave registry: https://registry.totalpave.com
>
> @breautek Please rebuild package-lock.json again with the NPM registry setup.

> Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.

Argh! Oops!

That's work stuff bleeding in... I'll fix it when I get home

breautek commented 3 years ago

> Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.
>
> Will the older npm versions on older node versions on GHA properly handle the updated lockfile format?

Npm will still work with a message that "it will try its best".

But not really sure what that means exactly.

breautek commented 3 years ago

@NiklasMerz do you think there would be pushback if we start adding .npmrc configs to our cordova repos to re-assert the npm registry is npm's official registry?

Would avoid mistakes like this in the future by having a project level npm config.

breautek commented 3 years ago

Set my registry back to registry.npmjs.org and regenerated the package-lock. This PR is rebased for the correction.

purplecabbage commented 3 years ago

Mostly we should not be committing package-lock, except for the cli itself ... am I missing something?

breautek commented 3 years ago

Package-lock is intended to be committed, as it ensures that two developers on two different machines will install the exact same dependencies when they run npm install.

Not to be confused when users are using this package as a library, in which case their root package-lock is used.

From NPM: https://docs.npmjs.com/cli/v7/configuring-npm/package-lock-json

> This file is intended to be committed into source repositories, and serves various purposes:
>
> - Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
> - Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.
> - Facilitate greater visibility of tree changes through readable source control diffs.
> - Optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
>
> As of npm v7, lockfiles include enough information to gain a complete picture of the package tree, reducing the need to read package.json files, and allowing for significant performance improvements.

purplecabbage commented 3 years ago

This sums up what I think ... Apps yes, libs no

https://github.com/sindresorhus/ama/issues/479#issuecomment-310661514

breautek commented 3 years ago

There was a consensus back in 2018 via https://github.com/apache/cordova/issues/4#issuecomment-420728477 to add package-locks, which is why a variety of our packages have package-locks.

If you ask my personal opinion on package-locks, I hate them, mostly for the reasons described by sindresorhus.

However, not committing them still presents the same issues described by sindresorhus, unless we (the maintainers) are constantly wiping the package-lock & node_modules and reinstalling from scratch. We could configure NPM via .npmrc to disable package locks so they won't be generated in the first place, but this also has a few consequences:

  1. node_modules are not automatically pruned if package-locks are disabled. They can be manually pruned via npm prune.
  2. NPM installs will be slower (however not sure how significant since most cordova repos are fairly small anyway)
  3. npm ci command requires package-lock or shrinkwrap, so CI workflows may have to be updated accordingly to use npm install instead.
  4. npm audit I believe also requires package-lock or shrinkwrap

Despite its flaws I think the benefits of package-lock still outweigh the consequences of not committing/disabling package-lock.

purplecabbage commented 3 years ago

Okay, yeah that makes sense. Let's commit 'em