haroldtreen / epub-press

📚 Web service for creating ebooks from collections of websites.
https://epub.press
GNU General Public License v3.0

Vulnerability in dependency (underscore) #76

Open muello opened 2 years ago

muello commented 2 years ago

Hello there,

Current Behavior

When installed via npm, epub-press depends on a package version with a known vulnerability.

Expected Behavior

Epub-press can be installed without known vulnerabilities.

Steps to reproduce

`$ npm install` reveals various vulnerabilities, which I fix via `$ npm audit fix --force`, which, however, still reports:

```
# npm audit report

underscore  1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution - https://npmjs.com/advisories/1674
No fix available
node_modules/underscore
  nodepub  <=2.0.7
  Depends on vulnerable versions of underscore
  node_modules/nodepub
```

Unfortunately `$ npm update underscore` leaves underscore as it is because nodepub is apparently limiting it to version 1.8.x:

```
$ npm explain underscore
underscore@1.8.3
node_modules/underscore
  underscore@"1.8.x" from nodepub@2.1.0
  node_modules/nodepub
    nodepub@"github:haroldtreen/nodepub" from the root project
  underscore@"^1.7.0" from pg-hstore@2.3.3
  node_modules/pg-hstore
    pg-hstore@"^2.3.3" from the root project
```

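
The reason `npm update` cannot help here is that one requester's range excludes every patched release. The script below is an added example, not code from epub-press or nodepub: it encodes the two requester ranges from the `npm explain underscore` output above and checks whether the first release after the advisory's reported range (assumed here to be 1.12.1) satisfies each of them, handling only the range syntaxes that appear in this issue.

```javascript
// Added example (not epub-press or nodepub code): which requesters of underscore
// keep npm from installing a non-vulnerable release? Only the range forms in the
// issue are handled: "1.8.x" wildcards, "^1.7.0" caret ranges (major >= 1), exact pins.

function parse(v) {
  return v.split('.').map(Number); // prerelease tags ("1.0.0-rc.3") are not parsed
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns [lowInclusive, highExclusive] for a supported range string.
function bounds(range) {
  if (range.startsWith('^')) {
    const lo = parse(range.slice(1));
    if (lo[0] === 0) throw new Error('caret on a 0.x version not handled');
    return [lo, [lo[0] + 1, 0, 0]]; // ^1.7.0 means >=1.7.0 <2.0.0
  }
  const parts = range.split('.');
  if (parts[2] === 'x') {
    return [[+parts[0], +parts[1], 0], [+parts[0], +parts[1] + 1, 0]]; // 1.8.x
  }
  const exact = parse(range);
  return [exact, [exact[0], exact[1], exact[2] + 1]];
}

function satisfies(version, range) {
  const v = parse(version);
  const [lo, hi] = bounds(range);
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Constructed from the `npm explain underscore` output in the issue.
const REQUESTERS = [
  { from: 'nodepub@2.1.0', range: '1.8.x' },
  { from: 'pg-hstore@2.3.3', range: '^1.7.0' },
];

// Assumption: the first release after the advisory's "1.3.2 - 1.12.0" range.
const FIXED = '1.12.1';

// Requesters whose range the fixed release cannot satisfy; these must be bumped
// or overridden before `npm update` can move underscore off the vulnerable range.
function blockingRequesters(requesters, fixed) {
  return requesters.filter((r) => !satisfies(fixed, r.range)).map((r) => r.from);
}
console.log(blockingRequesters(REQUESTERS, FIXED)); // ['nodepub@2.1.0']
```

A requester reported as blocking has to be bumped upstream or overridden locally; since npm 8.3 the `overrides` field in package.json can force one version of a transitive dependency across the whole tree, which is the usual stopgap when the pinning package is unmaintained.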
sanujar commented 2 years ago

Ran npm audit on epub-press today, and this is what I got:

55 vulnerabilities (41 moderate, 13 high, 1 critical).

A lot of RCE/injection vulnerabilities in there, with the 1 critical being this from Nodemailer:

```
Severity: critical
Command injection in nodemailer - https://github.com/advisories/GHSA-48ww-j4fc-435p
Depends on vulnerable versions of nodemailer-smtp-transport
fix available via `npm audit fix --force`
Will install nodemailer@6.7.2, which is a breaking change
node_modules/nodemailer
```

A lot of these recommended fixes appear to be breaking changes compared to what the modules are currently locked at, so this will probably be a significant project and involve lots of breaking.

Full output

```
# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install eslint@8.4.0, which is a breaking change
node_modules/@jest/globals/node_modules/ansi-regex
node_modules/eslint/node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/jest/node_modules/ansi-regex
node_modules/prettier-eslint-cli/node_modules/ansi-regex
node_modules/prettier-eslint-cli/node_modules/strip-ansi/node_modules/ansi-regex
node_modules/prettier-eslint/node_modules/ansi-regex
node_modules/prettier-eslint/node_modules/strip-ansi/node_modules/ansi-regex
node_modules/pretty-format/node_modules/ansi-regex
node_modules/string-length/node_modules/ansi-regex
node_modules/string-width/node_modules/ansi-regex
node_modules/table/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/yargs/node_modules/ansi-regex
  pretty-format  20.1.0-alpha.1 - 25.0.0
  Depends on vulnerable versions of ansi-regex
  node_modules/pretty-format
  prettier-eslint  >=6.4.3
  Depends on vulnerable versions of eslint
  Depends on vulnerable versions of pretty-format
  node_modules/prettier-eslint
  prettier-eslint-cli  >=4.2.2
  Depends on vulnerable versions of eslint
  Depends on vulnerable versions of prettier-eslint
  Depends on vulnerable versions of yargs
  node_modules/prettier-eslint-cli
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/eslint/node_modules/strip-ansi
  node_modules/prettier-eslint-cli/node_modules/inquirer/node_modules/strip-ansi
  node_modules/prettier-eslint-cli/node_modules/strip-ansi
  node_modules/prettier-eslint/node_modules/inquirer/node_modules/strip-ansi
  node_modules/prettier-eslint/node_modules/strip-ansi
  node_modules/string-length/node_modules/strip-ansi
  node_modules/string-width/node_modules/strip-ansi
  node_modules/table/node_modules/strip-ansi
  node_modules/yargs/node_modules/strip-ansi
  cliui  4.0.0 - 5.0.0
  Depends on vulnerable versions of strip-ansi
  Depends on vulnerable versions of wrap-ansi
  node_modules/yargs/node_modules/cliui
  yargs  10.1.0 - 15.0.0
  Depends on vulnerable versions of cliui
  Depends on vulnerable versions of string-width
  node_modules/yargs
  sequelize-cli  5.0.1 - 6.2.0
  Depends on vulnerable versions of yargs
  node_modules/sequelize-cli
  eslint  4.5.0 - 7.15.0
  Depends on vulnerable versions of inquirer
  Depends on vulnerable versions of strip-ansi
  Depends on vulnerable versions of table
  node_modules/eslint
  node_modules/prettier-eslint-cli/node_modules/eslint
  node_modules/prettier-eslint/node_modules/eslint
  inquirer  3.2.0 - 7.0.4
  Depends on vulnerable versions of string-width
  Depends on vulnerable versions of strip-ansi
  node_modules/prettier-eslint-cli/node_modules/inquirer
  node_modules/prettier-eslint/node_modules/inquirer
  string-length  2.0.0 - 3.1.0
  Depends on vulnerable versions of strip-ansi
  node_modules/string-length
  @jest/reporters  <=26.4.0
  Depends on vulnerable versions of node-notifier
  Depends on vulnerable versions of string-length
  node_modules/jest/node_modules/@jest/reporters
  @jest/core  <=25.5.4
  Depends on vulnerable versions of @jest/reporters
  node_modules/jest/node_modules/@jest/core
  jest  24.2.0-alpha.0 - 25.5.4
  Depends on vulnerable versions of @jest/core
  Depends on vulnerable versions of jest-cli
  node_modules/jest
  jest-cli  24.2.0-alpha.0 - 25.5.4
  Depends on vulnerable versions of @jest/core
  node_modules/jest/node_modules/jest-cli
  jest-watcher  <=26.0.0-alpha.2
  Depends on vulnerable versions of string-length
  node_modules/jest/node_modules/jest-watcher
  string-width  2.1.0 - 4.1.0
  Depends on vulnerable versions of strip-ansi
  node_modules/string-width
  node_modules/table/node_modules/string-width
  node_modules/yargs/node_modules/string-width
  table  4.0.2 - 5.4.6
  Depends on vulnerable versions of string-width
  node_modules/table
  widest-line  2.0.0 - 2.0.1
  Depends on vulnerable versions of string-width
  node_modules/widest-line
  boxen  1.3.0 - 3.2.0
  Depends on vulnerable versions of widest-line
  node_modules/boxen
  wrap-ansi  3.0.0 - 6.1.0
  Depends on vulnerable versions of string-width
  Depends on vulnerable versions of strip-ansi
  node_modules/yargs/node_modules/wrap-ansi

dot-prop  <4.2.1
Severity: high
Prototype Pollution in dot-prop - https://github.com/advisories/GHSA-ff7x-qrg7-qggm
fix available via `npm audit fix`
node_modules/dot-prop

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install nodemon@2.0.15, which is a breaking change
node_modules/eslint/node_modules/glob-parent
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
  nodemon  1.4.2 - 1.19.4
  Depends on vulnerable versions of chokidar
  node_modules/nodemon

hosted-git-info  <2.8.9
Severity: moderate
Regular Expression Denial of Service in hosted-git-info - https://github.com/advisories/GHSA-43f8-2h32-f4cj
fix available via `npm audit fix`
node_modules/hosted-git-info

jpeg-js  <0.4.0
Severity: moderate
Uncontrolled resource consumption in jpeg-js - https://github.com/advisories/GHSA-w7q9-p3jq-fmhm
fix available via `npm audit fix --force`
Will install jimp@0.16.1, which is a breaking change
node_modules/jpeg-js
  @jimp/jpeg  <=0.12.0
  Depends on vulnerable versions of jpeg-js
  node_modules/@jimp/jpeg
  @jimp/types  <=0.11.1-canary.891.908.0
  Depends on vulnerable versions of @jimp/jpeg
  node_modules/@jimp/types
  jimp  0.3.6-alpha.5 - 0.11.1-canary.891.908.0
  Depends on vulnerable versions of @jimp/types
  node_modules/jimp

json-schema  <0.4.0
Severity: moderate
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

kind-of  6.0.0 - 6.0.2
Severity: high
Validation Bypass in kind-of - https://github.com/advisories/GHSA-6c8f-qphg-qjgp
fix available via `npm audit fix`
node_modules/base/node_modules/kind-of
node_modules/extglob/node_modules/kind-of
node_modules/snapdragon-node/node_modules/kind-of

minimist  >=1.0.0 <1.2.3 || <0.2.1
Severity: moderate
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/fsevents/node_modules/minimist
node_modules/fsevents/node_modules/rc/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/fsevents/node_modules/mkdirp

node-notifier  <8.0.1
Severity: moderate
OS Command Injection in node-notifier - https://github.com/advisories/GHSA-5fw9-fq32-wv5p
fix available via `npm audit fix --force`
Will install jest@27.4.3, which is a breaking change
node_modules/node-notifier
  @jest/reporters  <=26.4.0
  Depends on vulnerable versions of node-notifier
  Depends on vulnerable versions of string-length
  node_modules/jest/node_modules/@jest/reporters
  @jest/core  <=25.5.4
  Depends on vulnerable versions of @jest/reporters
  node_modules/jest/node_modules/@jest/core
  jest  24.2.0-alpha.0 - 25.5.4
  Depends on vulnerable versions of @jest/core
  Depends on vulnerable versions of jest-cli
  node_modules/jest
  jest-cli  24.2.0-alpha.0 - 25.5.4
  Depends on vulnerable versions of @jest/core
  node_modules/jest/node_modules/jest-cli

nodemailer  <=6.4.15
Severity: critical
Command injection in nodemailer - https://github.com/advisories/GHSA-48ww-j4fc-435p
Depends on vulnerable versions of nodemailer-smtp-transport
fix available via `npm audit fix --force`
Will install nodemailer@6.7.2, which is a breaking change
node_modules/nodemailer

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install cheerio@1.0.0-rc.10, which is a breaking change
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
  cheerio  0.19.0 - 1.0.0-rc.3
  Depends on vulnerable versions of css-select
  node_modules/cheerio

path-parse  <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/eslint-import-resolver-node/node_modules/path-parse
node_modules/eslint-plugin-import/node_modules/path-parse
node_modules/jest/node_modules/path-parse
node_modules/path-parse

postcss  7.0.0 - 7.0.35
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
fix available via `npm audit fix`
node_modules/postcss

pug  <3.0.1
Severity: high
Remote code execution via the `pretty` option. - https://github.com/advisories/GHSA-p493-635q-r6gr
fix available via `npm audit fix --force`
Will install pug@3.0.2, which is a breaking change
node_modules/pug

sanitize-html  <=2.3.1
Severity: moderate
Improper Input Validation in sanitize-html - https://github.com/advisories/GHSA-rjqq-98f6-6j3r
Improper Input Validation in sanitize-html - https://github.com/advisories/GHSA-mjxr-4v3x-q3m4
fix available via `npm audit fix --force`
Will install sanitize-html@2.6.0, which is a breaking change
node_modules/sanitize-html

tar  <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
fix available via `npm audit fix`
node_modules/fsevents/node_modules/tar
node_modules/tar

tmpl  <1.0.5
Severity: moderate
Regular Expression Denial of Service in tmpl - https://github.com/advisories/GHSA-jgrx-mgxx-jf9v
fix available via `npm audit fix`
node_modules/tmpl

underscore  1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
fix available via `npm audit fix --force`
Will install nodemailer@6.7.2, which is a breaking change
node_modules/nodepub/node_modules/underscore
node_modules/underscore
  httpntlm  1.5.0 - 1.7.6
  Depends on vulnerable versions of underscore
  node_modules/httpntlm
  smtp-connection  2.4.0-beta.0 - 3.2.0
  Depends on vulnerable versions of httpntlm
  node_modules/smtp-connection
  nodemailer-direct-transport  2.0.0-beta.0 - 2.0.0-beta.2 || >=3.1.0
  Depends on vulnerable versions of smtp-connection
  node_modules/nodemailer-direct-transport
  nodemailer-smtp-pool  2.0.0-beta.0 - 2.0.0-beta.1 || >=2.6.0
  Depends on vulnerable versions of smtp-connection
  node_modules/nodemailer-smtp-pool
  nodemailer-smtp-transport  2.0.0-beta.0 - 2.0.0-beta.1 || >=2.5.0
  Depends on vulnerable versions of smtp-connection
  node_modules/nodemailer-smtp-transport
  nodemailer  <=6.4.15
  Depends on vulnerable versions of nodemailer-smtp-transport
  node_modules/nodemailer

validator  <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
fix available via `npm audit fix --force`
Will install sequelize@6.11.0, which is a breaking change
node_modules/validator
  sequelize  0.0.0-development || 1.3.0 - 6.6.4 || >=6.12.0-alpha.1
  Depends on vulnerable versions of validator
  node_modules/sequelize

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix`
node_modules/yargs/node_modules/yargs-parser

55 vulnerabilities (41 moderate, 13 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```