pnp / cli-microsoft365

Manage Microsoft 365 and SharePoint Framework projects on any platform
https://aka.ms/cli-m365
MIT License

Upgrade fast-xml-parser for security update #6251

Open priyaananthasankar opened 4 weeks ago

priyaananthasankar commented 4 weeks ago

Priority

(Medium) I'm annoyed but I'll live

Description

This internal dependency shows up in vuln scans for Azure Cloud Shell, which pulls from this repo:

fast-xml-parser at usr/lib/node_modules/@pnp/cli-microsoft365/node_modules/fast-xml-parser/package.json. It shows as needing to be updated from 4.4.0 to 4.4.1.

Please let us know if this patch is underway.

Steps to reproduce

N/A

Expected results

Upgrade 4.4.0 to 4.4.1 for fast-xml-parser.

Actual results

4.4.0

Diagnostics

No response

CLI for Microsoft 365 version

v6.11.0

nodejs version

v16.20.1

Operating system (environment)

Linux

Shell

Other

cli doctor

No response

Additional Info

No response

waldekmastykarz commented 4 weeks ago

Thanks for raising the issue. fast-xml-parser is a downstream dependency of adaptive-expressions, so the authors should update it there so that we can pull it in. Also, given the nature of the discovered vulnerability, how do you see it being abused in a tool like the CLI, which is typically used without direct user input that could be malformed?

priyaananthasankar commented 3 weeks ago

@waldekmastykarz: Good question. I am from the Azure Cloud Shell team. Shell is used downstream by other services. At the moment we are not considering exploitability of the vuln, but we are expected to patch vulns ASAP due to security focus. How often do you pull the changes in?

milanholemans commented 3 weeks ago

> @waldekmastykarz: Good question. I am from the Azure Cloud Shell team. Shell is used downstream by other services. At the moment we are not considering exploitability of the vuln, but we are expected to patch vulns ASAP due to security focus. How often do you pull the changes in?

We update all our dependencies to their latest version every month. At the end of each month, we publish a new release. We have our next PR ready: https://github.com/pnp/cli-microsoft365/pull/6230

priyaananthasankar commented 3 weeks ago

Thanks @waldekmastykarz. I just spoke to Tracy Boehrer from https://github.com/microsoft/botbuilder-js/releases and they plan to release a version of this in 2 weeks or earlier. And it seems like adaptive-expressions has already upped the version to 4.4.1: https://github.com/microsoft/botbuilder-js/blob/0f1dd7e520847a4aaaa21820629b4dbfdd989142/libraries/adaptive-expressions/package.json#L39

Keeping this open to track this merge.

waldekmastykarz commented 3 weeks ago

Thank you for bringing this to our attention @priyaananthasankar, and for the additional information about the botbuilder package. We'll update our dependencies as soon as a new version of botbuilder is available.

I wonder if there's something wrong with the package though. If I look at the link you included, it shows package version 4.1.6 with fast-xml-parser 4.4.1.

[screenshot: package.json in the botbuilder-js repository at the linked commit]

If I however look at the package that's on npm, here's what I'm seeing (https://www.npmjs.com/package/adaptive-expressions?activeTab=code):

[screenshot: package.json of adaptive-expressions as published on npm]

This explains why despite using a newer version, we're still on the older version of fast-xml-parser.