aws-samples / amazon-timestream-simple-visualizer

Timestream Simple Visualizer is a web application that allows you to visualize data from a Amazon Timestream database
Apache License 2.0
24 stars 8 forks source link

Upgrade dependencies - 137 vulnerabilities (124 moderate, 12 high, 1 critical) #20

Closed sethusrinivasan closed 2 years ago

sethusrinivasan commented 2 years ago
C:\github\amazon-timestream-simple-visualizer>npm update
npm WARN deprecated mumath@3.3.4: Redundant dependency in your project.
npm WARN deprecated @material-ui/core@4.11.4: You can now upgrade to @mui/material. See the guide: https://mui.com/guides/migration-v4/

added 435 packages, removed 426 packages, changed 305 packages, and audited 1750 packages in 2m

251 packages are looking for funding
  run `npm fund` for details

8 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

C:\github\amazon-timestream-simple-visualizer>npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating react-scripts to 3.0.1,which is a SemVer major change.
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated flatten@1.0.3: flatten is deprecated in favor of utility frameworks such as lodash.
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated source-map-resolve@0.6.0: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated eslint-loader@2.1.2: This loader has been deprecated. Please use eslint-webpack-plugin
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated left-pad@1.3.0: use String.prototype.padStart()
npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated html-webpack-plugin@4.0.0-beta.5: please switch to a stable version
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated babel-eslint@10.0.1: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated mumath@3.3.4: Redundant dependency in your project.
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm WARN deprecated core-js@2.6.12: core-js@<3.4 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated @material-ui/core@4.11.4: You can now upgrade to @mui/material. See the guide: https://mui.com/guides/migration-v4/
ansi-html  *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install react-scripts@5.0.0, which is a breaking change

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install react-scripts@5.0.0, which is a breaking change

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix --force`
Will install react-scripts@5.0.0, which is a breaking change

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install react-scripts@5.0.0, which is a breaking change

immer  <=9.0.5
Severity: critical
Prototype Pollution in immer - https://github.com/advisories/GHSA-33f9-j839-rf8h
Prototype Pollution in immer - https://github.com/advisories/GHSA-9qmh-276g-x5pj
fix available via `npm audit fix --force`
Will install react-scripts@5.0.0, which is a breaking change

node-forge  <1.0.0
Severity: moderate
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
fix available via `npm audit fix --force`
Will install react-scripts@5.0.0, which is a breaking change

node-notifier  <8.0.1
Severity: moderate
OS Command Injection in node-notifier - https://github.com/advisories/GHSA-5fw9-fq32-wv5p
fix available via `npm audit fix`

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@5.0.0, which is a breaking change

postcss  <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install react-scripts@5.0.0, which is a breaking change

react-dev-utils  0.4.0 - 12.0.0-next.60
Severity: high
Improper Neutralization of Special Elements used in an OS Command. - https://github.com/advisories/GHSA-5q6m-3h65-w53x
Depends on vulnerable versions of browserslist
Depends on vulnerable versions of fork-ts-checker-webpack-plugin
Depends on vulnerable versions of globby
Depends on vulnerable versions of immer
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of strip-ansi
fix available via `npm audit fix --force`
Will install react-scripts@5.0.0, which is a breaking change

serialize-javascript  <=3.0.0
Severity: high
Insecure serialization leading to RCE in serialize-javascript - https://github.com/advisories/GHSA-hxcc-f52p-wc94
Cross-Site Scripting in serialize-javascript - https://github.com/advisories/GHSA-h9rv-jmmf-4pgx
fix available via `npm audit fix --force`
Will install react-scripts@5.0.0, which is a breaking change

sockjs  <0.3.20
Severity: moderate
Improper Input Validation in SocksJS-Node - https://github.com/advisories/GHSA-c9g6-9335-x697
fix available via `npm audit fix --force`
Will install react-scripts@5.0.0, which is a breaking change

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install react-scripts@5.0.0, which is a breaking change

137 vulnerabilities (124 moderate, 12 high, 1 critical)
mirgj commented 2 years ago

Hi @sethusrinivasan , thanks for this issue. Are you sure you're using the latest version? Currently most of the vulnerabilities that you mentioned have been fixed (and these were connected to react-scripts). Indeed if you look at the message it says that would install react-scripts@5.0.0:

fix available via `npm audit fix --force`
Will install react-scripts@5.0.0, which is a breaking change

but that's already what this utility uses: https://github.com/aws-samples/amazon-timestream-simple-visualizer/blob/main/package.json#L33

In the current version there are only the following:

$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Inefficient Regular Expression Complexity in nth-check       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ nth-check                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts [dev]                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo >   │
│               │ css-select > nth-check                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-rp65-9cf3-cjxr            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service in postcss              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ postcss                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.2.13                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts [dev]                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > resolve-url-loader > postcss                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-566m-qj78-rww5            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 moderate severity vulnerabilities in 1851 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

these are also transitive dependencies that are not used directly by this project. We'll monitor the situation as these get fixed by the community we will upgrade as well.

Additionally, these are connected to dev dependencies that are not used in the production build and there are no vulnerabilities in the production dependencies.

$ npm audit --production

                       === npm audit security report ===

found 0 vulnerabilities
 in 154 scanned packages

I'd suggest you to try to delete your node_modules folder and reinstall the dependencies with a npm install.

I'm closing this issue as not relevant for this version, feel free to open it again in case you've the same problem