npm found vulnerabilities

samreid commented 4 years ago

Recently I have seen this message many times after npm update or npm install. Does this require attention?

found 3 vulnerabilities (2 low, 1 high)
  run `npm audit fix` to fix them, or `npm audit` for details

pixelzoom commented 4 years ago

3/5/20 dev meeting: Assigned to @ariel-phet to prioritize and assign.

samreid commented 4 years ago

The vulnerabilities are related to qunit and puppeteer. A reasonable first step would be to update our project to use the latest version of each:

~/github/chipper$ npm audit

                       === npm audit security report ===                        

# Run  npm install --save-dev qunit@2.9.3  to resolve 2 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ qunit [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ qunit > chokidar > anymatch > micromatch > braces            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ qunit [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ qunit > findup-sync > micromatch > braces                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

# Run  npm install --save-dev puppeteer@2.1.1  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Use-After-Free                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ puppeteer                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ puppeteer [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ puppeteer                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/824                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

found 3 vulnerabilities (2 low, 1 high) in 13277 scanned packages
  run `npm audit fix` to fix 2 of them.
  1 vulnerability requires semver-major dependency updates.

mattpen commented 4 years ago

@ariel-phet asked me to look into the puppeteer usage. The puppeteer version used here in chipper is not something I'm familiar with. I'm only familiar with the usage in website-meteor, which is using a newer version (2.0.0) and is not reporting a severe vulnerability. In chipper, puppeteer appears to only be used in generatePhetioAPIFiles.js, and the authors listed are @zepumph @samreid and @chrisklus. Perhaps one of them is familiar and can evaluate the breaking api changes in v2.

zepumph commented 4 years ago

Thanks for the ping and investigation. We will try to update to the new version quickly.

ariel-phet commented 4 years ago

@zepumph and @chrisklus it seems (as @zepumph marked) this should be high priority - security vulnerabilities seem good to deal with as related to iO

zepumph commented 4 years ago

A few notes:

I updated puppeteer in chipper and it removed the vulnerability. grunt generate-phet-io-api-files still works as expected when I tested projectile-motion.
When I ran npm audit (after creating a pack-lock.json), there were hundreds of low priority vulnerabilities, and they mostly came from webpack and its dependencies. I was able to npm audit fix it down to 171 low (from over 400), but couldn't get lower than that. I don't think we need to do anything for this.
There are still 4 vulnerabilities from what I see, and they all come from istanbul, which we use for generating code coverage. I made sure that it was at its latest version (which it was). I don't know how to fix this, and I don't think that we should try.

I'm not sure where the qunit vulnerability went.

I personally am ready to close this issue, but would like it if someone else could sign off on that first. @mattpen anything else to do here?

samreid commented 4 years ago

I don't think we support code coverage tests anymore, please see #895, maybe istanbul can simply be removed for now.

mattpen commented 4 years ago

I'm not sure what else I can do here. Please reassign me if needed.

zepumph commented 4 years ago

I pinged https://github.com/phetsims/chipper/issues/895 to handle istanbul. I'm going to close this issue. Please reopen if you feel differently.

phetsims / chipper

npm found vulnerabilities #901