Describe the bug
Installing solidarity in a blank repo reveals the following issues on solidarity@3.0.4.
Most of these issues seem to be brought in with gluegun@4.7.1. They look to be removed/fixed in higher versions of gluegun; e.g. gluegun@5.1.6 had 7 moderate issues.
gluegun@5.1.6 seems to work for simple use cases of solidarity. Not sure about all features.
Fixing/updating gluegun does not fix the 2 high issues: the json5 issue or the lodash.trim DoS.
Hoping these issues can be fixed and keep the solidarity CLI working without bringing in vulnerabilities.
Stop-gap
Below is an example of the npm overrides (for yarn use resolutions) to fix only the critical and high vulnerabilities.
This won't help those who require older versions of these packages, but solidarity as a raw CLI without plugins seems stable with this.
I swapped to npm ^10.x.x. This can be done on node >=18.20 (10.7.0) or higher versions. The current version I was using was node@22.4.0 with npm@10.8.1. Node version should not matter, but having a higher version of yarn or npm ideally helps debug these dependency vulnerabilities.
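The overrides file itself is not reproduced in this report, so the following package.json is an added example (not the issue author's file). It pins only the two packages the audit flags as critical and high, ejs and json5, to the first versions above the vulnerable ranges shown in the audit output (ejs <=3.1.9, so 3.1.10; json5 2.0.0 - 2.2.1, so 2.2.2), and shows both the npm `overrides` key and the yarn v1 `resolutions` key; the `overrides` key needs npm 8.3 or newer, which the npm 10 used above satisfies.

```json
{
  "name": "solidarity-test",
  "version": "1.0.0",
  "private": true,
  "devDependencies": {
    "solidarity": "3.0.4"
  },
  "overrides": {
    "ejs": "^3.1.10",
    "json5": "^2.2.2"
  },
  "resolutions": {
    "ejs": "^3.1.10",
    "json5": "^2.2.2"
  }
}
```

After changing the file, delete package-lock.json and node_modules, run `npm install` again and confirm with `npm audit --audit-level=high` that no high or critical findings remain; the moderate findings (axios, lodash.trim, lodash.trimend, semver, yargs-parser) are deliberately left alone here.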
Script to make an empty repo and install things
```bash
mkdir solidarity-test
cd solidarity-test
npm init -y
npm i -D solidarity@3.0.4
npm audit > npm-audit.log
```
Audit output
Here is the audit output for solidarity installed in isolation at 3.0.4.
```bash
# npm audit report
axios 0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability -
fix available via `npm audit fix --force`
Will install solidarity@2.1.0, which is a breaking change
node_modules/axios
apisauce <=3.0.0
Depends on vulnerable versions of axios
node_modules/apisauce
gluegun >=0.3.0
Depends on vulnerable versions of apisauce
Depends on vulnerable versions of ejs
Depends on vulnerable versions of lodash.trim
Depends on vulnerable versions of lodash.trimend
Depends on vulnerable versions of yargs-parser
node_modules/solidarity/node_modules/gluegun
solidarity >=0.1.0
Depends on vulnerable versions of gluegun
Depends on vulnerable versions of json5
node_modules/solidarity
ejs <=3.1.9
Severity: critical
ejs template injection vulnerability -
ejs lacks certain pollution protection -
fix available via `npm audit fix --force`
Will install solidarity@2.1.0, which is a breaking change
node_modules/solidarity/node_modules/ejs
json5 2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method -
fix available via `npm audit fix --force`
Will install solidarity@2.1.0, which is a breaking change
node_modules/json5
lodash.trim *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in lodash -
fix available via `npm audit fix --force`
Will install solidarity@2.1.0, which is a breaking change
node_modules/lodash.trim
lodash.trimend *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in lodash -
fix available via `npm audit fix`
node_modules/lodash.trimend
semver 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service -
fix available via `npm audit fix`
node_modules/semver
yargs-parser >=16.0.0 <18.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution -
fix available via `npm audit fix --force`
Will install solidarity@2.1.0, which is a breaking change
node_modules/solidarity/node_modules/yargs-parser
10 vulnerabilities (6 moderate, 2 high, 2 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
```
Expected behavior
Solidarity should not bring in dependency versions with known vulnerabilities: hopefully 0 moderate issues, but at least no high or critical flagged issues.
Screenshots
N/A
Doctor (please complete the following information)
OS: Mac OS 14.5
Solidarity Version: 3.0.4
Additional context
Add any other context about the problem here.