cifkao / html-midi-player

🎹 Play and display MIDI files on the web
https://cifkao.github.io/html-midi-player/
BSD 2-Clause "Simplified" License
663 stars, 60 forks

Update NPM packages to fix Prototype Pollution vulnerability #82

Open Cheezer1656 opened 5 months ago

Cheezer1656 commented 5 months ago
```text
# npm audit report

minimist  <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist
  quote-stream  <=1.0.0
  Depends on vulnerable versions of minimist
  node_modules/quote-stream

static-eval  <=2.0.1
Severity: high
Sandbox Breakout / Arbitrary Code Execution in static-eval - https://github.com/advisories/GHSA-x9hc-rw35-f44h
Sandbox Breakout / Arbitrary Code Execution in static-eval - https://github.com/advisories/GHSA-5mjw-6jrh-hvfq
fix available via `npm audit fix --force`
Will install @magenta/music@1.1.13, which is a breaking change
node_modules/static-eval
  static-module  <=1.5.0
  Depends on vulnerable versions of quote-stream
  Depends on vulnerable versions of static-eval
  node_modules/static-module
    cwise  >=1.0.0
    Depends on vulnerable versions of static-module
    node_modules/cwise
      ndarray-fft  >=1.0.0
      Depends on vulnerable versions of cwise
      node_modules/ndarray-fft
      ndarray-resample  *
      Depends on vulnerable versions of cwise
      Depends on vulnerable versions of ndarray-fft
      node_modules/ndarray-resample
        @magenta/music  >=1.1.14
        Depends on vulnerable versions of ndarray-resample
        node_modules/@magenta/music

8 vulnerabilities (6 moderate, 1 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```
cifkao commented 4 months ago

Thanks for reporting this! However I don't think this can be solved just by updating packages. The latest version of `cwise` still depends on the vulnerable version of `static-eval` through `static-module`. Updating `static-eval` would create a dependency conflict. (Indeed, `npm audit fix` doesn't fix anything, and `npm audit fix --force` gives me an error.)

So I think this would have to be fixed in cwise by making it depend on a more recent version of static-module that doesn't have the vulnerability.
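The question the thread leaves open is *which* package along the chain is the one that refuses the patched release, because that is the package whose own manifest has to change before `npm audit fix` can do anything. The script below is an added example, not code from html-midi-player, from the issue participants or from any of the packages the audit names. It walks a constructed, package-lock-style dependency graph that mirrors the chain in the report (root → @magenta/music → ndarray-resample → cwise / ndarray-fft → static-module → static-eval, and static-module → quote-stream → minimist), finds every path from the root to a vulnerable package, and reports the parent whose declared range excludes the first patched version. The versions and ranges in `GRAPH` are constructed for illustration and are not the real manifests of these packages; the "first patched" versions are assumed from the audit's `<=` upper bounds; and `satisfies` is a deliberately simplified semver matcher (`*`, exact, `^`, `~`, comparison operators, space-separated conjunctions), not the `semver` package.

```javascript
// Added example: locate the package that pins a vulnerable transitive dependency.
// Not part of html-midi-player or any package named in the issue.

// Constructed package-lock style graph: name -> { version, dependencies: { name: range } }.
// Versions and ranges are illustrative, NOT the real manifests of these packages.
const GRAPH = {
  "html-midi-player": { version: "1.0.0",  dependencies: { "@magenta/music": "^1.1.14" } },
  "@magenta/music":   { version: "1.1.14", dependencies: { "ndarray-resample": "^1.0.0" } },
  "ndarray-resample": { version: "1.0.1",  dependencies: { "cwise": "^1.0.0", "ndarray-fft": "^1.0.0" } },
  "ndarray-fft":      { version: "1.0.3",  dependencies: { "cwise": "^1.0.0" } },
  "cwise":            { version: "1.0.10", dependencies: { "static-module": "^1.5.0" } },
  // Constructed pins that exclude the patched releases: this is the "conflict" case.
  "static-module":    { version: "1.5.0",  dependencies: { "static-eval": "2.0.1", "quote-stream": "~1.0.0" } },
  "quote-stream":     { version: "1.0.0",  dependencies: { "minimist": "~0.0.8" } },
  "static-eval":      { version: "2.0.1",  dependencies: {} },
  "minimist":         { version: "0.0.10", dependencies: {} },
};

// First patched version per advisory, assumed from the audit's "<=" upper bounds.
const ADVISORIES = {
  "minimist":    { firstPatched: "0.2.4", advisory: "GHSA-vh95-rmgr-6w4m" },
  "static-eval": { firstPatched: "2.0.2", advisory: "GHSA-x9hc-rw35-f44h" },
};

function parseVersion(v) {
  // Simplified semver: "major.minor.patch" with optional leading "v", no prerelease tags.
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Simplified range check: "*", exact, ^, ~, >, >=, <, <= and space-separated conjunctions.
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r === "*" || r === "") return true;
  return r.split(/\s+/).every((clause) => {
    const m = /^(\^|~|>=|<=|>|<|=)?(.+)$/.exec(clause);
    const op = m[1] || "=";
    const base = parseVersion(m[2]);
    const c = compare(v, base);
    if (op === "=") return c === 0;
    if (op === ">") return c > 0;
    if (op === ">=") return c >= 0;
    if (op === "<") return c < 0;
    if (op === "<=") return c <= 0;
    // ^ keeps the leftmost non-zero component fixed; ~ keeps major.minor fixed.
    let upper;
    if (op === "~") upper = [base[0], base[1] + 1, 0];
    else if (base[0] > 0) upper = [base[0] + 1, 0, 0];
    else if (base[1] > 0) upper = [0, base[1] + 1, 0];
    else upper = [0, 0, base[2] + 1];
    return c >= 0 && compare(v, upper) < 0;
  });
}

// Every path from root to target through the declared dependency edges (cycle-safe).
function findPaths(graph, root, target) {
  const paths = [];
  const walk = (name, path) => {
    if (path.includes(name)) return;
    const next = [...path, name];
    if (name === target) { paths.push(next); return; }
    for (const dep of Object.keys((graph[name] && graph[name].dependencies) || {})) walk(dep, next);
  };
  walk(root, []);
  return paths;
}

// For each advisory whose installed version is still below the patch, report every path
// and the direct parent whose declared range would refuse the patched version (if any).
function auditChain(graph, root, advisories) {
  const findings = [];
  for (const [pkg, { firstPatched, advisory }] of Object.entries(advisories)) {
    const installed = graph[pkg] && graph[pkg].version;
    if (!installed || compare(parseVersion(installed), parseVersion(firstPatched)) >= 0) continue;
    for (const path of findPaths(graph, root, pkg)) {
      const parent = path[path.length - 2];
      const range = graph[parent].dependencies[pkg];
      findings.push({
        package: pkg, installed, firstPatched, advisory,
        path: path.join(" > "),
        blockedBy: satisfies(firstPatched, range) ? null : `${parent}@${graph[parent].version} (declares ${pkg}@${range})`,
      });
    }
  }
  return findings;
}

// Run stand-alone: one entry per path to a still-vulnerable package.
for (const f of auditChain(GRAPH, "html-midi-player", ADVISORIES)) {
  console.log(`${f.package}@${f.installed} (${f.advisory}, patched in ${f.firstPatched})`);
  console.log(`  via ${f.path}`);
  console.log(f.blockedBy ? `  blocked by ${f.blockedBy}` : "  no pin in the way; npm audit fix can upgrade it");
}
```

Against a real project the same walk can be fed from the `packages` map in `package-lock.json` (or from `npm ls <package> --json`), and the `blockedBy` entry is the package whose manifest has to be updated upstream, which is the conclusion the maintainer reaches above for `cwise` and `static-module`.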