brocoders / nestjs-boilerplate

NestJS boilerplate. Auth, TypeORM, Mongoose, Postgres, MongoDB, Mailing, I18N, Docker.
https://nestjs-boilerplate-test.herokuapp.com/docs
MIT License

Deprecated Libraries #1351

Closed Shameel123 closed 6 months ago

Shameel123 commented 9 months ago

Describe the bug It's not exactly a bug, however, when you try to install dependencies, you see this:

- npm WARN deprecated har-validator@5.1.5: this library is no longer supported

- npm WARN deprecated multer@1.4.4: Multer 1.x is affected by CVE-2022-24434. This is fixed in v1.4.4-lts.1 which drops support for versions of Node.js before 6. Please upgrade to at least Node.js 6 and version 1.4.4-lts.1 of Multer. If you need support for older versions of Node.js, we are open to accepting patches that would fix the CVE on the main 1.x release line, whilst maintaining compatibility with Node.js 0.10.

- npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.

- npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

- npm WARN deprecated core-js@2.6.11: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual v

To Reproduce

  1. Clone repository

    git clone --depth 1 https://github.com/brocoders/nestjs-boilerplate.git my-app
  2. Go to folder, and copy env-example-relational as .env.

    cd my-app/
    cp env-example-relational .env
  3. Change DATABASE_HOST=postgres to DATABASE_HOST=localhost

    Change MAIL_HOST=maildev to MAIL_HOST=localhost

  4. Run additional container:

    docker compose up -d postgres adminer maildev
  5. Install dependency

    npm install

Expected behavior Should not have critical dependencies issues, especially with CVE.


matimusss commented 8 months ago

C:\aver\nestjs-boilerplate>npm audit

npm audit report

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via npm audit fix
node_modules/@babel/traverse

dicer
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
fix available via npm audit fix --force
Will install @nestjs/core@7.5.5, which is a breaking change
node_modules/dicer
  busboy  <=0.3.1
  Depends on vulnerable versions of dicer
  node_modules/busboy
    multer  <=2.0.0-rc.3
    Depends on vulnerable versions of busboy
    node_modules/@nestjs/platform-express/node_modules/multer
    node_modules/multer
      @nestjs/platform-express
      Depends on vulnerable versions of @nestjs/core
      Depends on vulnerable versions of multer
      node_modules/@nestjs/platform-express
        @nestjs/core  >=7.6.0-next.1
        Depends on vulnerable versions of @nestjs/platform-express
        node_modules/@nestjs/core
          @nestjs/mongoose  >=9.2.0
          Depends on vulnerable versions of @nestjs/core
          node_modules/@nestjs/mongoose
          @nestjs/swagger  >=5.0.9
          Depends on vulnerable versions of @nestjs/core
          node_modules/@nestjs/swagger
          @nestjs/testing  >=7.6.0-next.1
          Depends on vulnerable versions of @nestjs/core
          Depends on vulnerable versions of @nestjs/platform-express
          node_modules/@nestjs/testing
          @nestjs/typeorm  >=8.0.0
          Depends on vulnerable versions of @nestjs/core
          node_modules/@nestjs/typeorm

request
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via npm audit fix --force
Will install twitter@1.1.0, which is a breaking change
node_modules/request
  fb
  Depends on vulnerable versions of request
  node_modules/fb
  twitter  >=1.2.0
  Depends on vulnerable versions of request
  node_modules/twitter

semver  6.0.0 - 6.3.0
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via npm audit fix --force
Will install twitter@1.1.0, which is a breaking change
node_modules/request/node_modules/tough-cookie

15 vulnerabilities (5 moderate, 9 high, 1 critical)

To address issues that do not require attention, run: npm audit fix

To address all issues possible (including breaking changes), run: npm audit fix --force

Some issues need review, and may require choosing a different dependency.

matimusss commented 8 months ago

After some npm audit fix --force, we get to:

dicer
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
fix available via npm audit fix --force
Will install @nestjs/core@7.5.5, which is a breaking change
node_modules/dicer
  busboy  <=0.3.1
  Depends on vulnerable versions of dicer
  node_modules/busboy
    multer  <=2.0.0-rc.3
    Depends on vulnerable versions of busboy
    node_modules/@nestjs/platform-express/node_modules/multer
    node_modules/multer
      @nestjs/platform-express
      Depends on vulnerable versions of @nestjs/core
      Depends on vulnerable versions of multer
      node_modules/@nestjs/platform-express
        @nestjs/core  >=7.6.0-next.1
        Depends on vulnerable versions of @nestjs/platform-express
        node_modules/@nestjs/core
          @nestjs/mongoose  >=9.2.0
          Depends on vulnerable versions of @nestjs/core
          node_modules/@nestjs/mongoose
          @nestjs/swagger  >=5.0.9
          Depends on vulnerable versions of @nestjs/core
          node_modules/@nestjs/swagger
          @nestjs/testing  >=7.6.0-next.1
          Depends on vulnerable versions of @nestjs/core
          Depends on vulnerable versions of @nestjs/platform-express
          node_modules/@nestjs/testing
          @nestjs/typeorm  >=8.0.0
          Depends on vulnerable versions of @nestjs/core
          node_modules/@nestjs/typeorm

request
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request
  fb
  Depends on vulnerable versions of request
  node_modules/fb

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

12 vulnerabilities (3 moderate, 9 high)

To address issues that do not require attention, run: npm audit fix

To address all issues possible (including breaking changes), run: npm audit fix --force

Some issues need review, and may require choosing a different dependency.

I think dicer, request and tough-cookie would be the dependencies with security issues, although I didn't test the code after doing the audit fix.

matimusss commented 8 months ago

maybe busboy.js or formidable.js could replace it?

Shchepotin commented 6 months ago

These are sub-dependencies. The issue is not relevant.
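The audit output above mixes root-cause advisories (dicer, tough-cookie, @babel/traverse) with the long tail of packages that merely depend on them, and the maintainer's reply turns on that distinction. The script below is an added example, not code from the boilerplate: it reads the machine-readable form of the same report (`npm audit --json`, npm 7+ shape) and separates root causes, transitively affected packages, direct dependencies, and breaking versus non-breaking fixes. SAMPLE_REPORT is a constructed sample modelled on the entries quoted in this thread; its `isDirect` flags are assumptions.

```javascript
// Added example, not code from the boilerplate: triage an `npm audit --json`
// report (npm 7+, auditReportVersion 2). SAMPLE_REPORT is a constructed sample
// modelled on entries quoted in this thread; its `isDirect` flags are assumed.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "@babel/traverse": { name: "@babel/traverse", severity: "critical", isDirect: false, range: "<7.23.2",
      via: [{ title: "Babel vulnerable to arbitrary code execution", url: "https://github.com/advisories/GHSA-67hx-6x53-jw92" }],
      fixAvailable: true },
    dicer: { name: "dicer", severity: "high", isDirect: false, range: "*",
      via: [{ title: "Crash in HeaderParser in dicer", url: "https://github.com/advisories/GHSA-wm7h-9275-46v2" }],
      fixAvailable: { name: "@nestjs/core", version: "7.5.5", isSemVerMajor: true } },
    "tough-cookie": { name: "tough-cookie", severity: "moderate", isDirect: false, range: "<4.1.3",
      via: [{ title: "tough-cookie Prototype Pollution vulnerability", url: "https://github.com/advisories/GHSA-72xf-g2v4-qvf3" }],
      fixAvailable: false },
    // `via` as plain package names: affected only through a vulnerable dependency.
    request: { name: "request", severity: "moderate", isDirect: false, range: "*", via: ["tough-cookie"], fixAvailable: false },
    fb: { name: "fb", severity: "moderate", isDirect: true, range: "*", via: ["request"], fixAvailable: false },
  },
};
const ORDER = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Describe the remediation npm offers, from the `fixAvailable` field.
function fixKind(fix) {
  if (fix === true) return "npm audit fix";
  if (!fix) return "no fix";
  return `${fix.name}@${fix.version}${fix.isSemVerMajor ? " (breaking, needs --force)" : ""}`;
}

// Root causes carry an advisory object in `via`; entries whose `via` holds only names
// sit downstream. A root cause blocks when it reaches `failAt` and has no clean fix.
function triage(report, failAt = "high") {
  const vulns = Object.values(report.vulnerabilities || {});
  const rootCauses = vulns
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => ({
      name: v.name, severity: v.severity, range: v.range, fix: fixKind(v.fixAvailable),
      advisories: v.via.filter((x) => typeof x === "object").map((a) => a.url),
      reachedThrough: vulns.filter((w) => w.via.includes(v.name)).map((w) => w.name),
    }))
    .sort((a, b) => ORDER[b.severity] - ORDER[a.severity]);
  const blocking = rootCauses
    .filter((r) => ORDER[r.severity] >= ORDER[failAt] && r.fix !== "npm audit fix")
    .map((r) => r.name);
  const directAffected = vulns.filter((v) => v.isDirect).map((v) => v.name);
  return { rootCauses, directAffected, blocking };
}

console.log(JSON.stringify(triage(SAMPLE_REPORT), null, 2));
```

To run it against a real tree, replace SAMPLE_REPORT with `JSON.parse` of the output of `npm audit --json`; an empty `blocking` list is the signal that `npm audit fix` alone clears everything at or above the chosen severity.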