
Npm audit throws several vulnerabilities #589

Closed rab1 closed 3 weeks ago

rab1 commented 4 weeks ago

I have installed the latest package, "jscodeshift": "^0.16.0", and executed npm audit. It reports:

7 vulnerabilities (3 high, 4 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

See detailed errors on

  {
  "auditReportVersion": 2,
  "vulnerabilities": {
    "babel-core": {
      "name": "babel-core",
      "severity": "critical",
      "isDirect": false,
      "via": [
        "babel-helpers",
        "babel-register",
        "babel-template",
        "babel-traverse",
        "json5"
      ],
      "effects": [
        "babel-register",
        "jscodeshift"
      ],
      "range": "5.8.20 - 7.0.0-beta.3",
      "nodes": [
        "node_modules/babel-core"
      ],
      "fixAvailable": {
        "name": "jscodeshift",
        "version": "0.15.2",
        "isSemVerMajor": true
      }
    },
    "babel-helpers": {
      "name": "babel-helpers",
      "severity": "critical",
      "isDirect": false,
      "via": [
        "babel-template"
      ],
      "effects": [],
      "range": "*",
      "nodes": [
        "node_modules/babel-helpers"
      ],
      "fixAvailable": true
    },
    "babel-register": {
      "name": "babel-register",
      "severity": "high",
      "isDirect": false,
      "via": [
        "babel-core"
      ],
      "effects": [
        "babel-core"
      ],
      "range": "*",
      "nodes": [
        "node_modules/babel-register"
      ],
      "fixAvailable": {
        "name": "jscodeshift",
        "version": "0.15.2",
        "isSemVerMajor": true
      }
    },
    "babel-template": {
      "name": "babel-template",
      "severity": "critical",
      "isDirect": false,
      "via": [
        "babel-traverse"
      ],
      "effects": [
        "babel-helpers"
      ],
      "range": "*",
      "nodes": [
        "node_modules/babel-template"
      ],
      "fixAvailable": true
    },
    "babel-traverse": {
      "name": "babel-traverse",
      "severity": "critical",
      "isDirect": false,
      "via": [
        {
          "source": 1096879,
          "name": "babel-traverse",
          "dependency": "babel-traverse",
          "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
          "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92",
          "severity": "critical",
          "cwe": [
            "CWE-184",
            "CWE-697"
          ],
          "cvss": {
            "score": 9.4,
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
          },
          "range": "<7.23.2"
        }
      ],
      "effects": [
        "babel-core",
        "babel-template"
      ],
      "range": "*",
      "nodes": [
        "node_modules/babel-traverse"
      ],
      "fixAvailable": {
        "name": "jscodeshift",
        "version": "0.15.2",
        "isSemVerMajor": true
      }
    },
    "jscodeshift": {
      "name": "jscodeshift",
      "severity": "high",
      "isDirect": true,
      "via": [
        "babel-core"
      ],
      "effects": [],
      "range": "0.3.5 - 0.3.20 || >=0.16.0",
      "nodes": [
        "node_modules/jscodeshift"
      ],
      "fixAvailable": {
        "name": "jscodeshift",
        "version": "0.15.2",
        "isSemVerMajor": true
      }
    },
    "json5": {
      "name": "json5",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1096543,
          "name": "json5",
          "dependency": "json5",
          "title": "Prototype Pollution in JSON5 via Parse Method",
          "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
          "severity": "high",
          "cwe": [
            "CWE-1321"
          ],
          "cvss": {
            "score": 7.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
          },
          "range": "<1.0.2"
        }
      ],
      "effects": [
        "babel-core"
      ],
      "range": "<1.0.2",
      "nodes": [
        "node_modules/babel-core/node_modules/json5"
      ],
      "fixAvailable": {
        "name": "jscodeshift",
        "version": "0.15.2",
        "isSemVerMajor": true
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 3,
      "critical": 4,
      "total": 7
    },
    "dependencies": {
      "prod": 182,
      "dev": 0,
      "optional": 0,
      "peer": 0,
      "peerOptional": 0,
      "total": 181
    }
  }
}

Can anyone advise on this?

Daniel15 commented 3 weeks ago

The risk is very minimal given the fact that the entire point of jscodeshift is to run user-supplied code, but we can bump the dependencies to resolve this issue.

rab1 commented 3 weeks ago

@Daniel15 Could you bump the version and make a patch release?

Daniel15 commented 3 weeks ago

Yes, I'll bump it tomorrow.

Daniel15 commented 3 weeks ago

I figured out what happened. #588 bumped the babel-core dependency from 7.0.0-bridge.0 to 6.26.3, presumably because technically it's newer. This caused the security alerts to fire, since all babel versions <7.23.2 have the issue.

The security warning is not a problem for jscodeshift, though, since babel-core v6 is not actually used by jscodeshift. The only reference to babel-core instead of @babel/core was in the code that prints the version when you run jscodeshift --version.

I updated that code to use @babel/core and removed the old babel-core package.

I've published a new package with the babel-core dependency removed as v0.16.1.