japa / assert

Assertions package for Japa. Built on top of Chai.Assert
https://japa.dev/docs/plugins/assert
MIT License

@japa/assert depends on api-contract-validator that has security vulnerabilities #2

Open ThisIsMissEm opened 6 months ago

ThisIsMissEm commented 6 months ago

Package version

3.0.0

Describe the bug

After doing a fresh install of @japa/assert version 3.0.0 in a fresh adonis.js project, npm audit yells about a Prototype Pollution in lodash security vulnerability - https://github.com/advisories/GHSA-p6mc-m468-83gw

It seems that this comes from the api-contract-validator plugin. Looking at their repository, it looks like this package has become unmaintained, as it hasn't seen a commit in 2 years and has lots of open pull requests.

It may be an idea to fork into a @japa/api-contract-validator package, such that you can maintain this dependency that seems fairly critical to @japa/assert, since upstream isn't maintaining the api-contract-validator package.

Reproduction repo

No response
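As an added illustration (not code from @japa/assert, lodash or api-contract-validator), this is the vulnerability class the advisory names: a path-based deep setter that blindly follows a `__proto__` segment, beside a hardened version that refuses it. The demo object inherits from a constructed local prototype rather than Object.prototype so the effect stays contained; in real code the shared prototype is Object.prototype.

```javascript
// Constructed illustration of the prototype-pollution class cited in the issue
// (GHSA-p6mc-m468-83gw). naiveSet imitates the shape of a path-based deep
// setter like lodash.set; it is NOT lodash's code. safeSet shows the guard.

function toPath(path) {
  return Array.isArray(path) ? path : String(path).split('.');
}

// Vulnerable pattern: follows every segment as written. "__proto__" resolves
// to the object's prototype, so the final write lands on an object shared by
// every instance that inherits from it.
function naiveSet(obj, path, value) {
  const keys = toPath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === null || typeof cur[keys[i]] !== 'object') cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened form: reject segments that reach the prototype chain up front, and
// only descend into own properties while walking.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeSet(obj, path, value) {
  const keys = toPath(path);
  const bad = keys.find((k) => UNSAFE_KEYS.has(k));
  if (bad !== undefined) throw new Error(`unsafe path segment: ${bad}`);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!hasOwn(cur, keys[i]) || cur[keys[i]] === null || typeof cur[keys[i]] !== 'object') {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs a setter against an object whose prototype is a constructed local
// `shared` object (standing in for Object.prototype) and reports whether an
// unrelated sibling object, never written to, ended up seeing the key.
function demo(setter) {
  const shared = {};
  const victim = Object.create(shared);
  let threw = false;
  try { setter(Object.create(shared), '__proto__.polluted', true); } catch (e) { threw = true; }
  return { threw, leaked: 'polluted' in victim };
}
```

The observable symptom, a key appearing on objects that never defined it, is also the check to run when triaging whether such a dependency is actually reachable from your inputs.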

ThisIsMissEm commented 6 months ago

I asked this on the Adonis Discord, and was suggested to open an issue here.

NicolasMarino commented 6 months ago

+1

thetutlage commented 6 months ago

It will be a huge task to maintain one more package without completely understanding the OpenAPI spec (I am not an expert with it 😄).

So, for now, I will keep this issue open and see if I am willing to fork and maintain it anytime soon.

Meanwhile, if you come across another well-maintained package, then do update this thread, and we can move to that package (if it looks like a good alternative)

ThisIsMissEm commented 6 months ago

@thetutlage what about moving api assertions into a separate package? That way you've a secure core, without the need to maintain the dependency?

(Of course it is one more package to maintain)

thetutlage commented 6 months ago

Yeah we can do that in the next coming major release. The API schema assertions can be its own Japa plugin.

stale[bot] commented 4 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

RomainLanz commented 4 months ago

Keep open

ZUHOWKS commented 2 months ago

Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install @japa/assert@1.2.4, which is a breaking change
node_modules/lodash.set
  api-contract-validator  >=2.1.0
  Depends on vulnerable versions of lodash.set
  node_modules/api-contract-validator
    @japa/assert  >=1.3.0
    Depends on vulnerable versions of api-contract-validator
    node_modules/@japa/assert
      @japa/api-client  >=2.0.0-0
      Depends on vulnerable versions of @japa/assert
      node_modules/@japa/api-client
        @adonisjs/auth  >=9.0.0-0
        Depends on vulnerable versions of @japa/api-client
        Depends on vulnerable versions of @japa/plugin-adonisjs
        node_modules/@adonisjs/auth
        @japa/plugin-adonisjs  >=2.0.0-0
        Depends on vulnerable versions of @japa/api-client
        node_modules/@japa/plugin-adonisjs

marvin-wtt commented 1 week ago

Any update on this?

thetutlage commented 5 days ago

Nope. No updates. Feel free to send a PR with the fix 👍

marvin-wtt commented 3 days ago

I'd offer to create a PR, but I don't know how to proceed here. As far as I know, there are only two packages:

api-contract-validator

chai-openapi-response-validator

So both don't really do the trick. Just accepting that there are vulnerabilities that will never be fixed is not an option either. So what to do?

ThisIsMissEm commented 3 days ago

I'd probably suggest moving the japa api contract validation into a separate japa package which is optional, and then if you need it you take on that security risk until it's improved. That at least improves the situation for everyone who's just doing unit tests with japa.

marvin-wtt commented 2 days ago

That at least improves the situation for everyone who's just doing unit tests with japa

Also for everyone who just uses adonis.js