preactjs / preact-cli

😺 Your next Preact PWA starts in 30 seconds.
MIT License

Security vulnerabilities in acorn and serialize-javascript in generated app #1385

Closed Anders-E closed 2 years ago

Anders-E commented 4 years ago

Do you want to request a feature or report a bug?

Report a bug.

What is the current behaviour?

preact-cli currently generates apps with 3 dependencies with vulnerabilities.

The results of running npm audit on a fresh project generated by preact create default my-app:


                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        Regular Expression Denial of Service
  Package         acorn
  Patched in      >=5.7.4 <6.0.0 || >=6.4.1 <7.0.0 || >=7.1.1
  Dependency of   preact-cli [dev]
  Path            preact-cli > fast-async > nodent-compiler > acorn
  More info       https://npmjs.com/advisories/1488

  High            Remote Code Execution
  Patched in      >=3.1.0
  Dependency of   preact-cli [dev]
  Path            preact-cli > copy-webpack-plugin > serialize-javascript
  More info       https://npmjs.com/advisories/1548

  High            Remote Code Execution
  Package         serialize-javascript
  Patched in      >=3.1.0
  Dependency of   preact-cli [dev]
  Path            preact-cli > workbox-webpack-plugin > workbox-build >
                  rollup-plugin-terser > serialize-javascript
  More info       https://npmjs.com/advisories/1548

If the current behaviour is a bug, please provide the steps to reproduce.

$ preact create default my-app
$ cd my-app
$ npm audit

What is the expected behaviour?

No vulnerabilities.

Please mention other relevant information.

Please paste the results of preact info here.

Environment Info:
  System:
    OS: Windows 10 10.0.19041
    CPU: (8) ia32 Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz
  Binaries:
    Node: 12.13.1 - C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VisualStudio\NodeJs\node.EXE
    npm: 6.13.4 - C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VisualStudio\NodeJs\npm.CMD
  Browsers:
    Chrome: 84.0.4147.135
    Edge: Spartan (44.19041.423.0)
  npmPackages:
    preact: ^10.3.2 => 10.4.7
    preact-cli: ^3.0.0 => 3.0.1
    preact-render-to-string: ^5.1.4 => 5.1.10
    preact-router: ^3.2.1 => 3.2.1

developit commented 4 years ago

Since both tools are only used at build time and serialize-javascript is never used to generate executable JS, these are superficial vulnerabilities. Nice to fix the warnings, but they are meaningless in this case.
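
A small triage script for the distinction drawn in this comment, added here as an example and not part of preact-cli or of this thread: it reads the JSON form of the audit (the npm 6 `npm audit --json` shape with a per-finding `dev` flag, assumed here and reproduced in a constructed sample that mirrors the three findings above) and separates dev-only build-tooling findings from ones that reach the shipped app, so a CI gate can fail only on the latter while the build-time ones are still queued for upgrade.

```javascript
// Constructed sample in the shape of `npm audit --json` (npm 6), limited to
// the fields read below; the ids, packages, paths and ranges mirror the
// report above. Installed versions are omitted since the report does not
// state them.
const SAMPLE_REPORT = {
  advisories: {
    1488: {
      id: 1488, module_name: 'acorn', severity: 'moderate',
      title: 'Regular Expression Denial of Service',
      patched_versions: '>=5.7.4 <6.0.0 || >=6.4.1 <7.0.0 || >=7.1.1',
      findings: [{ paths: ['preact-cli>fast-async>nodent-compiler>acorn'], dev: true }],
    },
    1548: {
      id: 1548, module_name: 'serialize-javascript', severity: 'high',
      title: 'Remote Code Execution', patched_versions: '>=3.1.0',
      findings: [{
        paths: [
          'preact-cli>copy-webpack-plugin>serialize-javascript',
          'preact-cli>workbox-webpack-plugin>workbox-build>rollup-plugin-terser>serialize-javascript',
        ],
        dev: true,
      }],
    },
  },
};

const SEVERITY_RANK = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };
const rank = (s) => (s in SEVERITY_RANK ? SEVERITY_RANK[s] : 9);

// One row per advisory. A finding reachable only through dev dependencies
// (build tooling) never ships to users; a finding with any non-dev path does.
function triageAudit(report) {
  const rows = Object.values(report.advisories || {}).map((adv) => {
    const findings = adv.findings || [];
    const runtime = findings.some((f) => !f.dev);
    return {
      id: adv.id, module: adv.module_name, severity: adv.severity,
      title: adv.title, patchedIn: adv.patched_versions,
      scope: runtime ? 'runtime' : 'dev-only',
      pathCount: findings.reduce((n, f) => n + (f.paths || []).length, 0),
      action: runtime ? 'upgrade before release' : 'upgrade at next tooling bump',
    };
  });
  // Runtime findings first, then by severity, so the report reads top-down.
  return rows.sort((a, b) =>
    (a.scope === b.scope ? 0 : a.scope === 'runtime' ? -1 : 1) ||
    rank(a.severity) - rank(b.severity));
}

// CI gate: fail only when a finding at or above minSeverity reaches runtime.
function shouldFailBuild(rows, minSeverity = 'high') {
  return rows.some((r) => r.scope === 'runtime' && rank(r.severity) <= rank(minSeverity));
}
```

Running `triageAudit(JSON.parse(fs.readFileSync('audit.json')))` on a real `npm audit --json` dump gives the same rows; `shouldFailBuild` returns false for the report above because every path is under `[dev]`.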

Anders-E commented 4 years ago

@developit

I agree completely, but as you said, having the warnings gone would feel better since this is probably most people's first impression of Preact.

rschristian commented 4 years ago

PRs are always open and appreciated if you'd like to submit a fix for these.