nest-modules / mailer

📨 A mailer module for Nest framework (node.js)
https://nest-modules.github.io/mailer/
MIT License

Npm audit finding severity "high" pac-resolver -> 5.0.0 #691

Closed sjkummer closed 10 months ago

sjkummer commented 3 years ago
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ pac-resolver                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @nestjs-modules/mailer                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @nestjs-modules/mailer > inline-css > extract-css >          │
│               │ href-content > remote-content > superagent-proxy >           │
│               │ proxy-agent > pac-proxy-agent > pac-resolver                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1784                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
ArielPrevu3D commented 3 years ago

It looks like the inline-css and extract-css do not have a fix for this. The closest dependency to pac-resolver in the chain that provides a fix is superagent-proxy@3.0.0.

https://nvd.nist.gov/vuln/detail/CVE-2021-23406

It seems like forcing degenerator@3.0.1 using npm-force-resolutions is a viable workaround.

EDIT: never mind, only vulnerable versions of degenerator seem to be compatible with nest mailer

alumni commented 3 years ago

Besides pac-resolver and degenerator, inline-css brings 2 other packages with security issues: css-what and nth-check.

See:

holm commented 3 years ago

Perhaps a better strategy would be to have inline-css as an optional dependency? It also seems to bring with it an incredible amount of dependencies, which would be nice to avoid if you don't want to use that feature.