nasa / openmct

A web based mission control framework.
https://nasa.github.io/openmct/

[Build] Address vulnerabilities reported by npm #2449

Open akhenry opened 5 years ago

akhenry commented 5 years ago

NPM is currently reporting a number of vulnerabilities in dependencies. Many of these vulnerabilities are in the dev server and build tooling, and do not represent vulnerabilities in the running application itself.

Will address by updating dependency versions and regression testing for next release.

unlikelyzero commented 2 years ago

At the time that this was filed, at least one package was vulnerable. When we removed karma-html-reporter (https://github.com/nasa/openmct/pull/4416) we removed most of the security issues found in our repo reported from lodash.

At this time, there is only a single vulnerability reported on the webpack5-upgrade branch:

                       === npm audit security report ===

# Run  npm install --save-dev eslint@8.1.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint > table > string-width > strip-ansi > ansi-regex      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

unlikelyzero commented 2 years ago

Normally, dependabot would detect these vulnerabilities for us and open a PR. Unfortunately, because of https://github.com/nasa/openmct/issues/4428 we are not aware of these vulnerabilities. We should consider:

  1. Add additional steps to our npm scripts
  2. Update CircleCI config to include an npm audit --audit-level=medium
  3. Enable more dependencies to monitor in our dependabot.yaml config
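A gate script for the CircleCI / npm-scripts step proposed above, added here as an example and not code from the openmct repository. It applies the same severity threshold as `npm audit --audit-level` (npm calls the level "moderate") to a parsed `npm audit --json` report and walks each finding back to the direct dependency that pulls it in, reproducing the "Path" line of the table quoted earlier; the sample report is constructed by hand and modeled on the npm 7+ JSON shape (an assumption, so check field names against your npm version).

```javascript
// Constructed sample modeled on the `npm audit --json` report shape of npm 7+
// (assumption about field names; this is not output captured from openmct).
const SAMPLE_REPORT = {
  vulnerabilities: {
    'ansi-regex': {
      severity: 'moderate', isDirect: false, effects: ['strip-ansi'],
      via: [{ title: 'Inefficient Regular Expression Complexity in chalk/ansi-regex',
              url: 'https://github.com/advisories/GHSA-93q8-gq69-wqmw', severity: 'moderate' }],
    },
    'strip-ansi':   { severity: 'moderate', isDirect: false, via: ['ansi-regex'],   effects: ['string-width'] },
    'string-width': { severity: 'moderate', isDirect: false, via: ['strip-ansi'],   effects: ['table'] },
    'table':        { severity: 'moderate', isDirect: false, via: ['string-width'], effects: ['eslint'] },
    'eslint':       { severity: 'moderate', isDirect: true,  via: ['table'],        effects: [] },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 5, high: 0, critical: 0, total: 5 } },
};

// npm's severity ladder, lowest to highest.
const LEVELS = ['info', 'low', 'moderate', 'high', 'critical'];

// True when `severity` meets or exceeds the gate `level` (the --audit-level semantics).
function atOrAbove(severity, level) {
  return LEVELS.indexOf(severity) >= LEVELS.indexOf(level);
}

// Walk `effects` upward from a vulnerable package to the direct dependencies that
// pull it in, returning strings like "eslint > table > string-width > strip-ansi > ansi-regex".
function dependencyPaths(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name)) return [];
  seen.add(name);
  if (entry.isDirect || entry.effects.length === 0) return [name];
  const paths = [];
  for (const parent of entry.effects) {
    for (const p of dependencyPaths(report, parent, new Set(seen))) paths.push(`${p} > ${name}`);
  }
  return paths;
}

// Collect entries that carry an actual advisory (objects in `via`, not just package
// names) at or above `level`; `fail` is what a CI step would turn into a non-zero exit.
function gate(report, level = 'moderate') {
  const findings = [];
  for (const [name, entry] of Object.entries(report.vulnerabilities)) {
    const advisories = entry.via.filter((v) => typeof v === 'object');
    if (advisories.length === 0 || !atOrAbove(entry.severity, level)) continue;
    findings.push({ name, severity: entry.severity, urls: advisories.map((a) => a.url),
                    paths: dependencyPaths(report, name) });
  }
  return { fail: findings.length > 0, findings };
}

for (const f of gate(SAMPLE_REPORT, 'moderate').findings) console.log(`${f.severity}: ${f.paths.join(', ')}`);
```

In CI, replace SAMPLE_REPORT with `JSON.parse` of the file written by `npm audit --json > audit.json` and exit non-zero when `gate(...).fail` is true.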

unlikelyzero commented 2 years ago

Testing Notes

  1. Run npm audit and verify that there are no >=Medium security issues.
  2. Verify that the nightly CircleCI job includes a failed step for npm audit --audit-level=low.

khalidadil commented 2 years ago

I'm not sure if I'm doing this correctly. I pulled down release/1.8.1 and on running npm audit I'm seeing 27 vulnerabilities, 17 moderate and 10 high.


unlikelyzero commented 2 years ago

@khalidadil that is correct! This is now blocked by the webpack PR

unlikelyzero commented 2 years ago

Note: This is blocked on the webpack PR. Re-opening