artilleryio / artillery

The complete load testing platform. Everything you need for production-grade load tests. Serverless & distributed. Load test with Playwright. Load test HTTP APIs, GraphQL, WebSocket, and more. Use any Node.js module.
https://www.artillery.io
Mozilla Public License 2.0

npm audit fix downgrades to 2.0.0-dev9 #1784

Open tsondergaard opened 1 year ago

tsondergaard commented 1 year ago

Version info:

2.0.0-28

Steps to reproduce:

mkdir example
cd example
npm init --force
npm install --save artillery
npx artillery version
npm audit fix
npx artillery version

Shell session running the commands above with some long irrelevant output replaced with ...:

$ mkdir example
$ cd example
$ npm init --force
...
...
$ npm install --save artillery
...
...
7 vulnerabilities (4 moderate, 2 high, 1 critical)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

$ npx artillery version
...
...
VERSION INFO:

Artillery: 2.0.0-28
Node.js:   v18.1.0
OS:        linux

$ npm audit fix
npm WARN audit fix minimatch@3.0.4 node_modules/tap/node_modules/minimatch
npm WARN audit fix minimatch@3.0.4 is a bundled dependency of
npm WARN audit fix minimatch@3.0.4 tap@15.2.3 at node_modules/tap
npm WARN audit fix minimatch@3.0.4 It cannot be fixed automatically.
npm WARN audit fix minimatch@3.0.4 Check for updates to the tap package.
npm WARN audit fix json5@2.2.0 node_modules/tap/node_modules/json5
npm WARN audit fix json5@2.2.0 is a bundled dependency of
npm WARN audit fix json5@2.2.0 tap@15.2.3 at node_modules/tap
npm WARN audit fix json5@2.2.0 It cannot be fixed automatically.
npm WARN audit fix json5@2.2.0 Check for updates to the tap package.
npm WARN audit fix minimist@1.2.5 node_modules/tap/node_modules/minimist
npm WARN audit fix minimist@1.2.5 is a bundled dependency of
npm WARN audit fix minimist@1.2.5 tap@15.2.3 at node_modules/tap
npm WARN audit fix minimist@1.2.5 It cannot be fixed automatically.
npm WARN audit fix minimist@1.2.5 Check for updates to the tap package.
npm WARN deprecated natives@1.1.6: This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.
npm WARN deprecated flatten@1.0.3: flatten is deprecated in favor of utility frameworks such as lodash.
npm WARN deprecated sprintf@0.1.5: The sprintf package is deprecated in favor of sprintf-js.
npm WARN deprecated uuid@2.0.3: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated artillery@2.0.0-dev9: This version of Artillery is outdated, please upgrade to a more recent one.

added 446 packages, removed 754 packages, changed 41 packages, and audited 817 packages in 10s

110 packages are looking for funding
  run `npm fund` for details

# npm audit report

dot-prop  <4.2.1
Severity: high
dot-prop Prototype Pollution vulnerability - https://github.com/advisories/GHSA-ff7x-qrg7-qggm
fix available via `npm audit fix --force`
Will install artillery@1.7.9, which is a breaking change
node_modules/utils-is-little-endian/node_modules/dot-prop
  configstore  2.0.0 - 2.1.0 || 3.1.3
  Depends on vulnerable versions of dot-prop
  node_modules/utils-is-little-endian/node_modules/configstore
    update-notifier  0.2.0 - 5.1.0
    Depends on vulnerable versions of configstore
    Depends on vulnerable versions of latest-version
    node_modules/artillery-pro/node_modules/update-notifier
    node_modules/ava/node_modules/update-notifier
    node_modules/update-notifier
    node_modules/utils-is-little-endian/node_modules/update-notifier
      artillery  >=1.5.7-0
      Depends on vulnerable versions of artillery-pro
      Depends on vulnerable versions of ava
      Depends on vulnerable versions of update-notifier
      node_modules/artillery
      ava  0.1.0 - 4.0.0-rc.1
      Depends on vulnerable versions of update-notifier
      node_modules/ava

ejs  <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix --force`
Will install artillery@1.7.9, which is a breaking change
node_modules/ejs
  artillery-pro  *
  Depends on vulnerable versions of cfn
  Depends on vulnerable versions of ejs
  Depends on vulnerable versions of jsonwebtoken
  Depends on vulnerable versions of update-notifier
  node_modules/artillery-pro

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install artillery@1.7.9, which is a breaking change
node_modules/artillery-pro/node_modules/package-json/node_modules/got
node_modules/package-json/node_modules/got
node_modules/utils-is-little-endian/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/artillery-pro/node_modules/package-json
  node_modules/package-json
  node_modules/utils-is-little-endian/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/artillery-pro/node_modules/latest-version
    node_modules/latest-version
    node_modules/utils-is-little-endian/node_modules/latest-version

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
fix available via `npm audit fix`
node_modules/jsonwebtoken

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow
    cfn  >=1.6.0
    Depends on vulnerable versions of meow
    node_modules/cfn

14 vulnerabilities (4 moderate, 7 high, 3 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
$ npx artillery version

ARTILLERY DEV PREVIEW 🚀
Please report bugs on https://github.com/artilleryio/artillery/issues

artillery/2.0.0-dev9 linux-x64 node-v18.1.0

I expected to see this happen: I expected npm audit fix to fix the problems.

Instead, this happened:

npm audit fix downgraded from 2.0.0-28 to 2.0.0-dev9 which just has other/more issues. It seems to me that there is something screwed up with the version numbers since npm audit fix considers it valid to move from 2.0.0-28 to 2.0.0-dev9.
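
The suspicion about version ordering is worth checking against the SemVer 2.0.0 precedence rules (section 11, which npm's `semver` package implements): a purely numeric pre-release identifier such as `28` always ranks below an alphanumeric one such as `dev9`, so `2.0.0-dev9` is "newer" than `2.0.0-28` or `2.0.0-33`. The following is an added example, not code from the Artillery project or from this issue; `parseVersion`, `compareSemver` and `highest` are names chosen here, and the version list is taken from the thread.

```javascript
// Added example: minimal SemVer 2.0.0 precedence comparison, to show why a
// resolver ranks the deprecated 2.0.0-dev9 above 2.0.0-28 / 2.0.0-33.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [], // build metadata (+...) is ignored for precedence
  };
}

// Compare one pre-release identifier pair per the spec:
// numeric vs numeric -> as integers; numeric vs alphanumeric -> numeric is lower;
// alphanumeric vs alphanumeric -> ASCII lexical order.
function compareIdentifiers(a, b) {
  const aNum = /^\d+$/.test(a);
  const bNum = /^\d+$/.test(b);
  if (aNum && bNum) return Math.sign(Number(a) - Number(b));
  if (aNum) return -1;
  if (bNum) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 (x lower than, equal to, or higher than y).
function compareSemver(x, y) {
  const a = parseVersion(x);
  const b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return a.main[i] < b.main[i] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;  // a full release outranks any pre-release
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifiers(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length); // longer list wins if prefixes match
}

// Highest version by precedence, i.e. what a resolver treats as "most recent".
function highest(versions) {
  return versions.reduce((best, v) => (compareSemver(v, best) > 0 ? v : best));
}

// Versions named in this issue (constructed list): the dev9 tag comes out on top.
const newest = highest(['2.0.0-28', '2.0.0-33', '2.0.0-dev9']);
```

Note that the same rule makes `2.0.0-dev9` outrank `2.0.0-dev10`, since alphanumeric identifiers compare character by character rather than numerically.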

bemanuel-trove commented 1 year ago

Seeing the same. Also, the critical vulnerability is probably an even bigger issue. @hassy

hassy commented 1 year ago

Thank you for the report! Can confirm, I'm able to reproduce it. We'll need to look into it. The behavior is odd as 2.0.0-dev9 was never tagged as a latest release and has been deprecated, but for some reason npm audit fix must see it as the most recent version that satisfies some advisory in v2.0.0-28.

bemanuel-trove commented 1 year ago

Thanks, @hassy! Any ideas on the critical vulnerabilities? Would you like me to create a separate issue for that?

tsondergaard commented 1 year ago

Still an issue with 2.0.0-33.

hassy commented 1 year ago

We've upgraded a bunch of dependencies recently (e.g. see #1971 and #1933). There are still a couple of dependencies that seem to be causing this issue, we're looking into it!

carlasuarez commented 1 year ago

Is there any update on this issue?

tsondergaard commented 1 year ago

Still an issue with 2.0.0-38.

I want to be able to run npm audit fix on my project. I have opened a support case with npm support to see if they can do something in the registry to prevent downgrades to that old 2.0.0-dev9 version of artillery. If they report back with suggestions for something the artillery project needs to do I will add the information here.

tsondergaard commented 1 year ago

@hassy would you consider trying to unpublish or deprecate 2.0.0-dev9, possibly all 2.0.0-devX packages and see if that fixes the "npm audit fix" issue downgrading to old packages?

tsondergaard commented 1 year ago

Ah, I see it is already deprecated.