carbon-design-system / carbon

A design system built by IBM
https://www.carbondesignsystem.com
Apache License 2.0

carbon/telemetry package needs update #9432

Closed leonidio-com closed 3 years ago

leonidio-com commented 3 years ago

Environment

Operating system N/A

Browser N/A

Automated testing tool and ruleset N/A

Assistive technology used to verify N/A

Detailed description

What version of the Carbon Design System are you using? @carbon/telemetry@0.0.0-alpha.6 is 7 months old - dependencies are old and vulnerable

What did you expect to happen? This is our chain of dependencies:

@carbon/telemetry@0.0.0-alpha.6
   +-- fast-glob@3.2.4
       +-- glob-parent@5.1.1

glob-parent@5.1.1 is vulnerable: https://exchange.xforce.ibmcloud.com/vulnerabilities/196451 And there is a fix for it. fast-glob@3.2.4 is updated already. But we can't get the upgrade because @carbon/telemetry@0.0.0-alpha.6 is 7 months old according to this web page: https://www.npmjs.com/package/@carbon/telemetry

What happened instead? Are you planning to update @carbon/telemetry package?

What WCAG 2.1 checkpoint does the issue violate? N/A

Steps to reproduce the issue

  1. Step one N/A
  2. Step two
  3. Step three
  4. etc.

Please create a reduced test case in CodeSandbox

Additional information

joshblack commented 3 years ago

Hi there! 👋

Thanks for taking the time to make this issue 🙏 This is one that has popped up several times and we've been trying to keep conversation for it over in: https://github.com/carbon-design-system/carbon/discussions/8587

In general, @carbon/telemetry is a development dependency and these security vulnerabilities can not impact your service in any way. We will do our best to keep the service up-to-date, as well, but I wanted to share that this is a recurring problem that unfortunately keeps popping up.

I felt like this was a good overview of the challenges in particular if you're curious: https://overreacted.io/npm-audit-broken-by-design/

In the meantime, we'll make sure to update the package and potentially figure out other ways to deliver it so that teams won't have to worry about these issues in the future 👍

I'm going to close this for now and we can use that discussion above in the future. Hope this helps and let me know if you have any questions!

Kenzku commented 3 years ago

Hej, @joshblack @leonidio-com

suffer from the same issue; can you please advise, what shall be a non-dev version of @carbon/charts-react@0.41.40

it looks like @carbon/telemetry is used by carbon/charts-react@0.41.40

├─┬ @carbon/charts-react@0.41.40
│ ├─┬ @carbon/charts@0.41.40
│ │ ├── @carbon/colors@10.15.0
│ │ ├── @carbon/telemetry@0.0.0-alpha.6 deduped
│ │ ├── @carbon/utils-position@1.1.1
│ │ ├── date-fns@2.8.1
│ │ ├── lodash-es@4.17.15
│ │ └── resize-observer-polyfill@1.5.0
│ └─┬ @carbon/telemetry@0.0.0-alpha.6
│   ├── @babel/parser@7.13.9
│   ├─┬ @babel/traverse@7.13.0

I can see the @carbon/telemetry are in the dependency from the update 4 days ago.

(attached screenshot, taken 2021-08-17 at 20:24:19)

Is this place the right place to report carbon/charts-react security issue?

joshblack commented 3 years ago

@Kenzku I think an important thing to note is that the security vulnerabilities being flagged are being reported incorrectly. They cannot modify or change code delivered to a user or ran in a server environment. This article from Dan Abramov highlights this point well: https://overreacted.io/npm-audit-broken-by-design/

On our end, we will try to keep pace and update dependencies but just wanted to reiterate that it cannot impact any code that you serve to users 👍

Kenzku commented 3 years ago

Hej, @joshblack @leonidio-com I think the source of the security scan is coming from IBM X-Force Vulnerability Report:

https://exchange.xforce.ibmcloud.com/vulnerabilities/196451

you can see the dependency chain as follows:

@carbon/charts-react@0.41.90 
   +-- @carbon/telemetry@0.0.0-alpha.6 
       +-- fast-glob@3.2.4
            +-- glob-parent@5.1.1.

The fix we are looking for here is NOT a fix to

modify or change code delivered to a user or ran in a server environment.

but a @carbon/charts-react version update that will include the vulnerable fix.

Just try to understand, are you saying the source from IBM X-Force Vulnerability Report does not apply to carbon/charts-react?

Would you mind clarifying this?

leonidio-com commented 3 years ago

Hey @joshblack could you please give us any tentative delivery dates for the next release of @carbon/telemetry where dependencies will be updated?

daka1510 commented 3 years ago

@joshblack also worked on a security report due to a vulnerable sub-dependency on glob-parent.

npm ls --production glob-parent
...
└─┬ @carbon/icons-react@10.37.0
  └─┬ @carbon/telemetry@0.0.0-alpha.6
    └─┬ fast-glob@3.2.7
      └── glob-parent@5.1.2 

Though I understand consumers may not be affected via @carbon/telemetry it certainly creates a lot of noise (as the discussion and questions above show).

Any chance to reuse / reopen this issue to get this addressed either by (1) making @carbon/telemetry a development dependency of @carbon/icons-react or by updating to a version of fast-glob that no longer depends on a vulnerable version of glob-parent?
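The recurring question in this thread is whether a flagged transitive package (glob-parent, reached through fast-glob and @carbon/telemetry) sits on a production path or only on a development path, and whether the resolved version is below the patched one. The following Node script is an added example and is not code from the Carbon project or from anyone in this thread. It assumes the tree shape that `npm ls --all --json` prints (`{ dependencies: { name: { version, dependencies } } }`), reads the root `package.json` to decide whether a top-level entry is production or dev-only, and takes the patched version as a parameter; the sample tree and `package.json` below are constructed from the chains quoted above, and the patched version `5.1.2` is an assumption for illustration, not a statement from the page.

```javascript
// Added example (not Carbon project code). Walks an `npm ls --all --json`-shaped
// tree, finds every path to a target package, and reports for each path
// whether it is dev-only (top-level entry only in devDependencies) and whether
// the resolved version is older than an assumed patched version.

// Constructed sample tree, modelled on the dependency chains quoted in the thread.
const sampleTree = {
  name: "my-app",
  dependencies: {
    "@carbon/charts-react": {
      version: "0.41.40",
      dependencies: {
        "@carbon/telemetry": {
          version: "0.0.0-alpha.6",
          dependencies: {
            "fast-glob": {
              version: "3.2.4",
              dependencies: { "glob-parent": { version: "5.1.1" } },
            },
          },
        },
      },
    },
    // Hypothetical dev-only tool that also pulls in glob-parent.
    "some-build-tool": {
      version: "1.0.0",
      dependencies: { "glob-parent": { version: "5.1.1" } },
    },
  },
};

// Constructed root package.json: which top-level entries are prod vs dev.
const samplePackageJson = {
  dependencies: { "@carbon/charts-react": "^0.41.40" },
  devDependencies: { "some-build-tool": "^1.0.0" },
};

// Compare dotted numeric versions; prerelease tags (e.g. "-alpha.6") are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk collecting every root-to-target path. `npm ls --json` trees
// are already deduplicated and finite, so no cycle guard is needed here.
function findPaths(tree, target) {
  const results = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const next = [...path, `${name}@${child.version}`];
      if (name === target) results.push({ path: next, version: child.version });
      walk(child, next);
    }
  };
  walk(tree, []);
  return results;
}

// Classify each path: dev-only if its top-level entry is declared only under
// devDependencies; vulnerable if the resolved version precedes patchedVersion.
function classify(tree, pkgJson, target, patchedVersion) {
  const prod = pkgJson.dependencies || {};
  const dev = pkgJson.devDependencies || {};
  return findPaths(tree, target).map(({ path, version }) => {
    // Strip the "@version" suffix; scoped names start with "@" so use lastIndexOf.
    const top = path[0].slice(0, path[0].lastIndexOf("@"));
    return {
      chain: path.join(" > "),
      devOnly: top in dev && !(top in prod),
      vulnerable: compareVersions(version, patchedVersion) < 0,
    };
  });
}

// Stand-alone run over the constructed sample.
for (const row of classify(sampleTree, samplePackageJson, "glob-parent", "5.1.2")) {
  console.log(`${row.devOnly ? "dev-only " : "PRODUCTION"} ${row.vulnerable ? "vulnerable" : "patched"}: ${row.chain}`);
}
```

To run it against a real project, replace `sampleTree` with `JSON.parse` of `npm ls --all --json` output and `samplePackageJson` with the project's `package.json`; a path marked `PRODUCTION` is the case this thread is about, where the maintainer's "it is only a development dependency" argument does not hold for the consuming project, because the intermediate package declares @carbon/telemetry under `dependencies` rather than `devDependencies`.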