minvws / nl-rdo-manon

Manon is a design framework
https://minvws.github.io/nl-rdo-manon/

Remove `auditConfig` when `elliptic` CVEs are resolved. #615

Closed ppvg closed 3 months ago

ppvg commented 3 months ago

Currently the package.json includes an auditConfig (added in #614) to ignore the CVEs https://github.com/advisories/GHSA-49q7-c7j4-3p7m, https://github.com/advisories/GHSA-977x-g7h5-7qgw and https://github.com/advisories/GHSA-f7q4-pwc6-w24p. These are all for the elliptic package, which is a dev-only dependency of one of our example apps (which doesn't run in CI and is not a dependency for the published npm packages).

The auditConfig can be removed as soon as these CVEs are resolved or the laravel-mix example app is removed.

gerbrand-bosch commented 3 months ago

It looks like it's resolved in https://github.com/indutny/elliptic/releases/tag/v6.5.7.

ppvg commented 3 months ago

> It looks like it's resolved in https://github.com/indutny/elliptic/releases/tag/v6.5.7.

Yup, now two more things need to happen before we can remove the auditConfig:

  1. the three advisories are updated to flag 6.5.7 as not vulnerable, and
  2. either: a. we wait until all dependencies in the chain (as listed in the result of pnpm audit, see below) are updated, or b. we add a `pnpm.overrides` to force the use of elliptic 6.5.7.
The result of `pnpm audit` (main):

```
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Elliptic's ECDSA missing check for whether leading bit │
│                     │ of r and s is zero                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ elliptic                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=2.0.0 <=6.5.6                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ examples/laravel-mix > laravel-mix@6.0.49 >            │
│                     │ node-libs-browser@2.2.1 > crypto-browserify@3.12.0 >   │
│                     │ browserify-sign@4.2.3 > elliptic@6.5.5                 │
│                     │                                                        │
│                     │ examples/laravel-mix > laravel-mix@6.0.49 >            │
│                     │ node-libs-browser@2.2.1 > crypto-browserify@3.12.0 >   │
│                     │ create-ecdh@4.0.4 > elliptic@6.5.5                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-977x-g7h5-7qgw      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Elliptic's EDDSA missing signature length check        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ elliptic                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <=6.5.6                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ examples/laravel-mix > laravel-mix@6.0.49 >            │
│                     │ node-libs-browser@2.2.1 > crypto-browserify@3.12.0 >   │
│                     │ browserify-sign@4.2.3 > elliptic@6.5.5                 │
│                     │                                                        │
│                     │ examples/laravel-mix > laravel-mix@6.0.49 >            │
│                     │ node-libs-browser@2.2.1 > crypto-browserify@3.12.0 >   │
│                     │ create-ecdh@4.0.4 > elliptic@6.5.5                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-f7q4-pwc6-w24p      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Elliptic allows BER-encoded signatures                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ elliptic                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.2.1 <=6.5.6                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ examples/laravel-mix > laravel-mix@6.0.49 >            │
│                     │ node-libs-browser@2.2.1 > crypto-browserify@3.12.0 >   │
│                     │ browserify-sign@4.2.3 > elliptic@6.5.5                 │
│                     │                                                        │
│                     │ examples/laravel-mix > laravel-mix@6.0.49 >            │
│                     │ node-libs-browser@2.2.1 > crypto-browserify@3.12.0 >   │
│                     │ create-ecdh@4.0.4 > elliptic@6.5.5                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-49q7-c7j4-3p7m      │
└─────────────────────┴────────────────────────────────────────────────────────┘
3 vulnerabilities found
Severity: 3 low
```

Since these are dev-only dependencies, isolated to the example app, I think we can wait. :)
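As an added example (not code from the nl-rdo-manon repository), here is the check that decides when an audit ignore has outlived its purpose: it takes the three vulnerable ranges from the `pnpm audit` output above plus a constructed `package.json` fragment and reports which ignored GHSA ids no longer match the installed `elliptic` version. The `pnpm.auditConfig.ignoreGhsas` key name and the installed-version map are assumptions.

```javascript
// Constructed package.json fragment; `pnpm.auditConfig.ignoreGhsas` is an assumed key name.
const packageJson = {
  pnpm: {
    auditConfig: {
      ignoreGhsas: ["GHSA-49q7-c7j4-3p7m", "GHSA-977x-g7h5-7qgw", "GHSA-f7q4-pwc6-w24p"],
    },
  },
};

// Vulnerable ranges exactly as `pnpm audit` reported them in the issue.
const advisories = {
  "GHSA-977x-g7h5-7qgw": { pkg: "elliptic", vulnerable: ">=2.0.0 <=6.5.6" },
  "GHSA-f7q4-pwc6-w24p": { pkg: "elliptic", vulnerable: ">=4.0.0 <=6.5.6" },
  "GHSA-49q7-c7j4-3p7m": { pkg: "elliptic", vulnerable: ">=5.2.1 <=6.5.6" },
};

// Compare two "major.minor.patch" strings; negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Evaluate a space-separated conjunction of comparators such as ">=2.0.0 <=6.5.6".
function inRange(version, range) {
  return range.split(/\s+/).every((clause) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported comparator: ${clause}`);
    const [, op = "=", bound] = m;
    const c = compareVersions(version, bound);
    return { ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c === 0 }[op];
  });
}

// Ignored GHSA ids whose vulnerable range no longer matches the installed version of their
// package (so they can be dropped); unknown advisories and absent packages are kept.
function staleIgnores(pkgJson, advisories, installed) {
  const ignored = pkgJson.pnpm?.auditConfig?.ignoreGhsas ?? [];
  return ignored.filter((id) => {
    const adv = advisories[id];
    const version = adv && installed[adv.pkg];
    return Boolean(version) && !inRange(version, adv.vulnerable);
  });
}

console.log(staleIgnores(packageJson, advisories, { elliptic: "6.5.5" })); // today: []
console.log(staleIgnores(packageJson, advisories, { elliptic: "6.5.7" })); // after the fix: all three
```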