mui / mui-x

MUI X: Build complex and data-rich applications using a growing list of advanced React components, like the Data Grid, Date and Time Pickers, Charts, and more!
https://mui.com/x/

[data grid] Snyk warning for inflight through exceljs #13187

Open jsyvino opened 2 months ago

jsyvino commented 2 months ago

The problem in depth

We recently upgraded our MUI Pro license to MUI Premium, but after making the code changes, our Static Application Security Testing software (Snyk) is now surfacing a vulnerability introduced by @mui/x-data-grid-premium.

[Screenshot 2024-05-16 at 1:04:27 PM: Snyk finding for inflight@1.0.6]

It seems it is introduced through this path: @mui/x-data-grid-premium@7.4.0 › exceljs@4.4.0 › archiver@5.3.2 › archiver-utils@2.1.0 › glob@7.2.3 › inflight@1.0.6

(I know above it says @mui/x-data-grid-premium@7.4.0, but v7.5.0 also uses exceljs@4.4.0 and this was tested)

Here is the relevant link to the issue in inflight: https://github.com/isaacs/inflight/issues/5

We are unable to use MUI Pro if it does not meet our security requirements and we are unsure how to get around this one.

I am noticing glob v9.0.0 does not have this vulnerability, archiver-utils v5.0.0 does not have this vulnerability, and archiver v7.0.0 does not have this vulnerability. Any chance one of those could be pinned on your end? No clue if this is helpful, just sharing what I have found.

Your environment

`npx @mui/envinfo`

```
System:
  OS: macOS 13.6
Binaries:
  Node: 18.6.0 - /opt/homebrew/bin/node
  npm: 8.19.2 - /opt/homebrew/bin/npm
  pnpm: Not Found
Browsers:
  Chrome: 124.0.6367.208
  Edge: Not Found
  Safari: 16.6
```

Search keywords: inflight@1.0.6, security vulnerability


github-actions[bot] commented 2 months ago

You have created a support request under the "Priority Support" terms, which is a paid add-on to MUI X Premium ⏰. Please validate your support key using the link below:

https://tools-public.mui.com/prod/pages/jyhs86t?repo=mui-x&issueId=13187

Do not share your support key in this issue!

Priority Support is only provided to verified customers. Once you have verified your support key, we will remove the support: unknown label and add the support: priority label to this issue. Only then will the time for the SLA start counting.

jsyvino commented 2 months ago

Ahh, I misunderstood and thought this was included with the MUI premium license, it looks like our support key is not valid for this

romgrk commented 2 months ago

Fwiw, this vulnerability does not apply in any way to frontend code, it can only affect nodejs HTTP requests, and the code related to it is not shipped in your bundle (I think). We're going to look into the exceljs issue, but this is not a security issue for the datagrid.

cherniavskii commented 2 months ago

Hi @jsyvino Thanks for raising this issue!

Are you using npm as your package manager? Can you try adding these overrides to your package.json?

```json
"overrides": {
  "@mui/x-data-grid-premium": {
    "exceljs": {
      "archiver": "7.0.1",
      "unzipper": {
        ".": "0.10.14",
        "fstream": {
          ".": "1.0.12",
          "rimraf": "4.4.1"
        }
      }
    }
  }
}
```

These overrides upgrade dependencies that have no breaking changes. I tested this in https://github.com/cherniavskii/data-grid-premium-test and the Excel export works fine while the inflight package is not installed:

```
$ npm ls inflight
data-grid-premium-test@1.0.0 /Users/work/workspace/data-grid-premium-test
└── (empty)
```

jsyvino commented 1 month ago

@cherniavskii Thanks for this. Yes, this is what we did for now; it just doesn't feel like a great long-term solution.

cherniavskii commented 1 month ago

@jsyvino This would be the suggested workaround for now. I tried overriding the dependencies on our side in https://github.com/mui/mui-x/pull/13216, but it didn't work. Apparently, these overrides are only applied if they're defined in the project's root package.json.

We are considering forking exceljs: https://github.com/exceljs/exceljs/issues/2764