remy / nodemon

Monitor for any changes in your node.js application and automatically restart the server - perfect for development
http://nodemon.io/
MIT License
26.21k stars 1.72k forks

Security Issues of Nodemon #2121

Closed venkateswarlumadala closed 1 year ago

venkateswarlumadala commented 1 year ago

I am getting issues while trying to run/build Docker due to nodemon version 2.0.22. I tried all the recent versions of nodemon but nothing works. The error is shown below.

docker-compose --env-file=./.compose/.compose.local up --build

[+] Building => load build definition from Dockerfile
=> => transferring dockerfile:
=> load .dockerignore
=> CACHED WORKDIR /usr/src/app
=> CACHED COPY package.json ./
=> RUN npm install
=> ERROR RUN npm audit fix --force

RUN npm audit fix --force:
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating nodemon to 1.14.9,which is a SemVer major change.
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated chokidar@1.7.0: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.

added 235 packages, removed 4 packages, changed 15 packages, and audited 474 packages in 12s

28 packages are looking for funding

run npm fund for details

npm audit report

braces  <2.3.1
Regular Expression Denial of Service (ReDoS) in braces - https://github.com/advisories/GHSA-cwfw-4gq5-mrqx
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/braces
  micromatch  0.2.0 - 2.3.11
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of parse-glob
  node_modules/micromatch
  anymatch  1.2.0 - 1.3.2
  Depends on vulnerable versions of micromatch
  node_modules/anymatch
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of anymatch
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
  nodemon  1.3.5 - 2.0.16 || 2.0.18
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of undefsafe
  Depends on vulnerable versions of update-notifier
  node_modules/nodemon

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of anymatch
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
  nodemon  1.3.5 - 2.0.16 || 2.0.18
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of undefsafe
  Depends on vulnerable versions of update-notifier
  node_modules/nodemon
  glob-base  *
  Depends on vulnerable versions of glob-parent
  node_modules/glob-base
  parse-glob  >=2.1.0
  Depends on vulnerable versions of glob-base
  node_modules/parse-glob
  micromatch  0.2.0 - 2.3.11
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of parse-glob
  node_modules/micromatch
  anymatch  1.2.0 - 1.3.2
  Depends on vulnerable versions of micromatch
  node_modules/anymatch

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  Depends on vulnerable versions of semver
  node_modules/package-json
  latest-version  3.0.0 - 5.1.0
  Depends on vulnerable versions of package-json
  node_modules/latest-version
  update-notifier  0.2.0 - 5.1.0
  Depends on vulnerable versions of latest-version
  Depends on vulnerable versions of semver-diff
  node_modules/update-notifier
  nodemon  1.3.5 - 2.0.16 || 2.0.18
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of undefsafe
  Depends on vulnerable versions of update-notifier
  node_modules/nodemon

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/package-json/node_modules/semver
node_modules/semver-diff/node_modules/semver
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  Depends on vulnerable versions of semver
  node_modules/package-json
  latest-version  3.0.0 - 5.1.0
  Depends on vulnerable versions of package-json
  node_modules/latest-version
  update-notifier  0.2.0 - 5.1.0
  Depends on vulnerable versions of latest-version
  Depends on vulnerable versions of semver-diff
  node_modules/update-notifier
  nodemon  1.3.5 - 2.0.16 || 2.0.18
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of undefsafe
  Depends on vulnerable versions of update-notifier
  node_modules/nodemon
  semver-diff  <=3.1.1
  Depends on vulnerable versions of semver
  node_modules/semver-diff

undefsafe  <2.0.3
Severity: moderate
Prototype Pollution in undefsafe - https://github.com/advisories/GHSA-332q-7ff2-57h2
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/undefsafe
  nodemon  1.3.5 - 2.0.16 || 2.0.18
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of undefsafe
  Depends on vulnerable versions of update-notifier
  node_modules/nodemon

14.28 15 vulnerabilities (2 low, 7 moderate, 6 high)

To address all issues, run:

npm audit fix --force

failed to solve: process "/bin/sh -c npm audit fix --force" did not complete successfully: exit code: 1 The terminal process "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -Command npm run build_local" terminated with exit code: 1.

Terminal will be reused by tasks, press any key to close it.

I am using the below versions of node, npm and nodemon:

$ node -v
v16.16.0

$ npm -v
npm WARN config global --global, --local are deprecated. Use --location=global instead.
9.7.2

$ nodemon -v
2.0.22

My project's package.json file is shown below:

{
  "name": "some-x123",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "dependencies": {
    "express": "^4.18.2",
    "express-session": "^1.17.3",
    "bcryptjs": "^2.4.3",
    "cookie-parser": "^1.4.6",
    "cookie-session": "^2.0.0",
    "cors": "^2.8.5",
    "dotenv": "^16.3.1",
    "nodemon": "^2.0.22"
  },
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "start": "nodemon --legacy-watch index.js",
    "build_local": "docker-compose --env-file=./.compose/.compose.local up --build",
    "start_local": "docker-compose --env-file=./.compose/.compose.local up",
    "stop_local": "docker-compose --env-file=./.compose/.compose.local -f \"docker-compose.yml\" down"
  },
  "author": "",
  "license": "ISC"
}

The Dockerfile I am using is shown below:

FROM node: xx-version

WORKDIR xx/xx/xx

COPY package.json ./

RUN npm install -g nodemon

RUN npm install

RUN npm audit fix --force

ADD . .

EXPOSE port-xx

RUN printenv

CMD [ "npm", "run", "start" ]

Ratstail91 commented 1 year ago

Hi! I'm not involved with this project - but I've found that adding this to your package.json will fix things:

 "overrides": {
    "semver": "^7.5.2"
  }

Here's an example in one of my projects: https://github.com/krgamestudios/auth-server/blob/main/package.json

The cause of this is that semver's version hasn't been updated in nodemon yet, so it's still depending on an older version - thankfully, forcing the version to be updated appears to work correctly, though your mileage may vary.

venkateswarlumadala commented 1 year ago

@Ratstail91 thanks for your valuable information. I already tried this, but it did not work for my case.

mStirner commented 1 year ago

Same issue

# npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install nodemon@1.14.9, which is a breaking change
node_modules/nodemon/node_modules/semver
node_modules/simple-update-notifier/node_modules/semver
  nodemon  1.4.10-alpha.1 - 1.4.10-alpha.3 || >=1.14.10
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of simple-update-notifier
  node_modules/nodemon
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

I installed nodemon v2.0.22 and got the same security audit issue with semver. Why is semver not updated from 5.7.1 to 7.5.2?

fluentmoheshwar commented 1 year ago

Even though this issue got fixed in #2119, @remy didn't publish a new version to npm yet. The last version is 2.0.22, which was released 4 months ago and has this vulnerability.

remy commented 1 year ago

Actually, github hasn't published it yet, not me!

I don't know why it's stuck in a queue, but I'll look at it once the week starts as I'm keen to get the release done. Closing in lieu of that 👍