mozilla / web-ext

A command line tool to help build, run, and test web extensions
Mozilla Public License 2.0

security issues in v7 dependencies #2678

Open willdurand opened 1 year ago

willdurand commented 1 year ago
> web-ext@7.5.0 audit-deps /home/circleci/web-ext
> node ./scripts/audit-deps

== audit-deps: blocking security issues

request (https://github.com/advisories/GHSA-p8p7-x288-28g6):
  2.88.2, paths: sign-addon>request

Araxeus commented 1 year ago

Shame that https://github.com/mozilla/web-ext/pull/2688 wasn't included in the last hotfix

@willdurand any ETA for when will a new version be released?

hymccord commented 1 year ago

@Araxeus That wouldn't help anyhow. sign-addon 6.0.0 still depends on request 2.88.2

willdurand commented 1 year ago

See also: https://github.com/mozilla/web-ext/pull/2822#issuecomment-1640054212

aspiers commented 3 months ago

It's not just request which is the issue here; sign-addon is no longer maintained.

willdurand commented 3 months ago

Yeah, sign-addon is no longer maintained because we're about to release web-ext v8.

willdurand commented 3 months ago

There is a new one:

jose (https://github.com/advisories/GHSA-hhhv-q57g-882q):
  4.13.1, paths: jose

Rob--W commented 3 months ago

Is https://github.com/mozilla/web-ext/issues/3106 a duplicate of this?

willdurand commented 3 months ago

> Is #3106 a duplicate of this?

I think so, yeah

GabenGar commented 2 months ago

There is still a warning in v8.0.0, this time asking to downgrade to 5.3.0:

express  <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix --force`
Will install web-ext@5.3.0, which is a breaking change
node_modules/express
  addons-scanner-utils  *
  Depends on vulnerable versions of express
  node_modules/addons-linter/node_modules/addons-scanner-utils
    addons-linter  >=2.11.0
    Depends on vulnerable versions of addons-scanner-utils
    node_modules/addons-linter
      web-ext  >=5.4.0
      Depends on vulnerable versions of addons-linter
      node_modules/web-ext

willdurand commented 2 months ago

I am not clear on how you are getting this, could you please paste the full command?

GabenGar commented 2 months ago

You can trigger this audit message if you install web-ext and express in the same project:

mkdir test
cd test
npm init --yes
npm install --save-dev web-ext
npm audit
npm install express@4.19.2
npm audit

Then clean up the folder and install them in a different order, thus proving express is not the sole source of the warning:

npm uninstall express web-ext
rm --recurse node_modules package-lock.json
npm install express@4.19.2
npm audit
npm install --save-dev web-ext
npm audit

Resorting to the drastic measure of nuking node_modules and package-lock.json because I found the warning persists without doing it. The source of the problem probably goes deeper than addons-linter, because the warning exists even with 8.1.0.
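The audit output in this thread only shows the dependency chain as nested indentation. As an added example (not web-ext's own `scripts/audit-deps`), the script below takes an `npm audit --json` report (npm 7+ format, with its `via` and `effects` fields) and reconstructs, for each advisory, the chain from the vulnerable package up to the top-level dependency, whether it would block a CI gate at a chosen severity, and whether the only available fix is a semver-major change. `SAMPLE_REPORT` is constructed here to mirror the express finding above.

```javascript
// Added example, not web-ext's scripts/audit-deps: summarise an `npm audit --json`
// report and trace how each advisory reaches a top-level dependency.
// SAMPLE_REPORT is constructed to mirror the express finding in this thread.

const FIX = { name: "web-ext", version: "5.3.0", isSemVerMajor: true }; // "breaking change"
const SAMPLE_REPORT = {
  vulnerabilities: {
    express: {
      name: "express",
      via: [{ title: "Express.js Open Redirect in malformed URLs", severity: "moderate",
              url: "https://github.com/advisories/GHSA-rv95-896h-c2vc", range: "<4.19.2" }],
      effects: ["addons-scanner-utils"], fixAvailable: FIX,
    },
    "addons-scanner-utils": { name: "addons-scanner-utils", via: ["express"],
      effects: ["addons-linter"], fixAvailable: FIX },
    "addons-linter": { name: "addons-linter", via: ["addons-scanner-utils"],
      effects: ["web-ext"], fixAvailable: FIX },
    "web-ext": { name: "web-ext", via: ["addons-linter"], effects: [], fixAvailable: FIX },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Packages that carry an advisory themselves: an object entry in `via`, rather than
// only the name of another vulnerable package they depend on.
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"));
}

// Follow `effects` upward from a package to every top-level dependency it reaches.
function chainsFrom(report, name, prefix = []) {
  const node = report.vulnerabilities[name];
  const path = [...prefix, name];
  if (!node || node.effects.length === 0) return [path];
  return node.effects.flatMap((dep) => chainsFrom(report, dep, path));
}

// One record per root cause. `blocking` applies a CI gate at `threshold`;
// `breakingFix` flags a fix npm can only reach by a semver-major change.
function summarise(report, threshold = "high") {
  return rootCauses(report).map((v) => {
    const adv = v.via.find((x) => typeof x === "object");
    return {
      name: v.name, severity: adv.severity, url: adv.url,
      blocking: SEVERITY_RANK[adv.severity] >= SEVERITY_RANK[threshold],
      breakingFix: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor),
      chains: chainsFrom(report, v.name).map((c) => c.join(" > ")),
    };
  });
}
```

Pipe a real report in with `npm audit --json > audit.json` and pass `JSON.parse(fs.readFileSync("audit.json"))` to `summarise` to get the same records for your own tree.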

Standard8 commented 2 months ago

Is there a reason why web-ext uses strict dependencies? For example, ws has a vulnerability in 8.17.0, but we can't automatically update to the minor version 8.17.1 that fixes it, because web-ext is specifying the strict dependency.

(if it is better to raise this in a new issue, I'm happy to do so).

fregante commented 3 weeks ago

sign-addon and request are no longer part of web-ext.

This issue can be closed.