hpi-sam / digital-fuesim-manv

A German simulation system for training emergency medical services leadership personnel on how to manage Mass Casualty Incidents.
https://fuesim-manv.de/
GNU Affero General Public License v3.0

update dependencies (CI is failing) #1038

Open anonym-HPI opened 1 year ago

anonym-HPI commented 1 year ago

PR Checklist

Please make sure to fulfil the following conditions before marking this PR ready for review:

It seems that packages like nyc are out of date and e.g. don't have the newest semver as a dependency, which itself has a DDOS vulnerability. We may need to find other packages for the same job.

Packages I found so far seem to be:

@Dassderdie @ClFeSc Can one of you help to fix this? E.g. mkdirp was introduced by you @ClFeSc for the npm run merge-coverage command. I tried using npm audit fix --force or even installing packages manually, but as we are using packages that don't have a newer version but seem to be dependent on a vulnerable semver version or so, we probably need to use new packages or need to manually edit the dependencies of these packages and hope that nothing breaks. It seems some packages are also dependent on an older version of semver (version 6); there seems to be @nicolo-ribaudo/semver-v6 used, which should include it. I am not that into the whole npm package system.

This is for example the error output in the root folder:

```text
# npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install nyc@13.3.0, which is a breaking change
node_modules/semver
  istanbul-lib-instrument  >=1.2.0
  Depends on vulnerable versions of semver
  node_modules/istanbul-lib-instrument
    nyc  >=7.0.0-alpha.1
    Depends on vulnerable versions of caching-transform
    Depends on vulnerable versions of find-cache-dir
    Depends on vulnerable versions of istanbul-lib-instrument
    Depends on vulnerable versions of istanbul-lib-report
    Depends on vulnerable versions of istanbul-reports
    Depends on vulnerable versions of make-dir
    Depends on vulnerable versions of spawn-wrap
    node_modules/nyc
  make-dir  2.0.0 - 3.1.0
  Depends on vulnerable versions of semver
  node_modules/make-dir
    caching-transform  >=3.0.2
    Depends on vulnerable versions of make-dir
    node_modules/caching-transform
    find-cache-dir  2.1.0 - 3.3.2
    Depends on vulnerable versions of make-dir
    node_modules/find-cache-dir
    istanbul-lib-report  >=2.0.5
    Depends on vulnerable versions of make-dir
    node_modules/istanbul-lib-report
      istanbul-reports  >=3.0.0-alpha.0
      Depends on vulnerable versions of istanbul-lib-report
      node_modules/istanbul-reports
    spawn-wrap  >=2.0.0-beta.0
    Depends on vulnerable versions of make-dir
    node_modules/spawn-wrap

9 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```

Dassderdie commented 1 year ago

I think all of the vulnerabilities are false positives. If a package that we use for e.g. linting or testing imports a package that has a DOS vulnerability we could only DOS ourselves (or make the CI take longer). In addition, it is enough to import a package that has this vulnerability. The affected function in this package doesn't even have to be used anywhere.

I believe this is a fix for it (backport to semver 6) https://github.com/npm/node-semver/pull/593
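
As an added example (not code from the digital-fuesim-manv project or from either commenter), the following Node.js script triages the situation both comments describe: it walks a lockfile-style `packages` map, finds every installed copy of `semver` (nested copies included, as in the audit tree above), flags the ones below the patched release of their major line, and separates copies that only dev tooling pulls in (`dev: true` in the lockfile) from copies on the production dependency path. The sample lockfile is constructed for the example and mirrors the tree in the audit output; the patched versions 5.7.2, 6.3.1 and 7.5.2 are taken from the linked advisory GHSA-c2qf-rxjj-qqgw (the audit output on this page only shows the `<7.5.2` boundary), and the runtime library and the version of `@nicolo-ribaudo/semver-v6` in the sample are made up.

```javascript
// Added example, not code from the digital-fuesim-manv project or its contributors.
// Triage every installed copy of `semver` in a package-lock.json (lockfileVersion 2 or 3):
// flag copies below the patched release of their major line and separate copies that
// only dev tooling pulls in (`dev: true`) from copies on the production dependency path.

// First patched release per major line for GHSA-c2qf-rxjj-qqgw (taken from the advisory;
// the audit output on the PR page only shows the `<7.5.2` boundary). Majors below 5 have
// no patched release and are treated as unpatched; majors above 7 postdate the fix.
const FIXED_VERSIONS = { 5: "5.7.2", 6: "6.3.1", 7: "7.5.2" };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || "" };
}

// Compare two versions; a pre-release sorts before the corresponding release.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === "") return 1;
  if (y.pre === "") return -1;
  return x.pre < y.pre ? -1 : 1;
}

function isVulnerableSemver(version) {
  const { major } = parseVersion(version);
  if (major < 5) return true;
  if (major > 7) return false;
  return compareVersions(version, FIXED_VERSIONS[major]) < 0;
}

// Walk the lockfile `packages` map; keys are install paths such as
// "node_modules/make-dir/node_modules/semver", so nested copies are found too.
function auditSemverCopies(lock) {
  const findings = [];
  for (const [installPath, pkg] of Object.entries(lock.packages || {})) {
    const isSemver = installPath === "node_modules/semver" || installPath.endsWith("/node_modules/semver");
    if (!isSemver) continue;
    findings.push({
      path: installPath,
      version: pkg.version,
      vulnerable: isVulnerableSemver(pkg.version),
      devOnly: pkg.dev === true,
    });
  }
  return findings;
}

function summarize(findings) {
  const vuln = findings.filter((f) => f.vulnerable);
  return {
    total: findings.length,
    vulnerable: vuln.length,
    vulnerableDevOnly: vuln.filter((f) => f.devOnly).length,
    vulnerableInProduction: vuln.filter((f) => !f.devOnly).length,
  };
}

// Constructed sample lockfile: the hoisted semver and the copy under make-dir mirror the
// audit tree from the PR and are reachable only through nyc's test tooling; the runtime
// library and the semver-v6 version number are made up for the example.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-project", version: "0.0.0" },
    "node_modules/semver": { version: "6.3.0", dev: true },
    "node_modules/make-dir/node_modules/semver": { version: "5.7.1", dev: true },
    "node_modules/nyc/node_modules/semver": { version: "7.5.4", dev: true },
    "node_modules/example-runtime-lib/node_modules/semver": { version: "7.5.1" },
    "node_modules/@nicolo-ribaudo/semver-v6": { version: "6.3.3", dev: true }, // not a `semver` copy, skipped
  },
};

const sampleFindings = auditSemverCopies(SAMPLE_LOCK);
for (const f of sampleFindings) {
  console.log(`${f.vulnerable ? "VULN" : "ok  "} ${f.devOnly ? "dev " : "prod"} ${f.path}@${f.version}`);
}
console.log(summarize(sampleFindings));
```

Run it with `node`; for a real repository, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`. The `dev` flag is what distinguishes the case Dassderdie describes (a ReDoS reachable only through linting or test tooling, which affects CI time rather than the deployed application) from a copy that ships with the application; `npm audit` itself reports on presence in the tree and makes no such distinction.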