Open nodiscc opened 7 months ago
`npm audit fix` done in https://github.com/shaarli/Shaarli/pull/2056
There are 2 issues remaining:
```
yarn.lock (yarn)
================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                         │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ glob-parent │ CVE-2020-28469 │ HIGH     │ fixed  │ 3.1.0             │ 5.1.2         │ Regular expression denial of service                  │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-28469            │
├─────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ postcss     │ CVE-2023-44270 │ MEDIUM   │        │ 7.0.39            │ 8.4.31        │ An issue was discovered in PostCSS before 8.4.31. The │
│             │                │          │        │                   │               │ vulnerability af ......                               │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-44270            │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────┘
```
However, these can only be fixed with `npm audit fix --force`:
```
$ npm audit fix
npm WARN deprecated figgy-pudding@3.5.2: This module is no longer supported.
npm WARN deprecated @stylelint/postcss-markdown@0.36.2: Use the original unforked package instead: postcss-markdown
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated @stylelint/postcss-css-in-js@0.37.3: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

added 253 packages, removed 39 packages, changed 62 packages, and audited 928 packages in 6s

120 packages are looking for funding
  run `npm fund` for details

# npm audit report

glob-parent <5.1.2
Severity: high
glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install webpack@5.89.0, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar 1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  watchpack-chokidar2 *
  Depends on vulnerable versions of chokidar
  node_modules/watchpack-chokidar2
  watchpack 1.7.2 - 1.7.5
  Depends on vulnerable versions of watchpack-chokidar2
  node_modules/watchpack
  webpack 4.44.0 - 4.47.0
  Depends on vulnerable versions of watchpack
  node_modules/webpack

postcss <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install css-loader@6.8.1, which is a breaking change
node_modules/postcss
  autoprefixer 1.0.20131222 - 9.8.8
  Depends on vulnerable versions of postcss
  node_modules/autoprefixer
  stylelint 0.1.0 - 13.13.1
  Depends on vulnerable versions of autoprefixer
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of postcss-less
  Depends on vulnerable versions of postcss-safe-parser
  Depends on vulnerable versions of postcss-sass
  Depends on vulnerable versions of postcss-scss
  Depends on vulnerable versions of sugarss
  node_modules/stylelint
  stylelint-scss 0.0.0-alpha.1 || 1.0.0 - 3.21.0
  Depends on vulnerable versions of stylelint
  node_modules/stylelint-scss
  css-loader 0.15.0 - 4.3.0
  Depends on vulnerable versions of icss-utils
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of postcss-modules-extract-imports
  Depends on vulnerable versions of postcss-modules-local-by-default
  Depends on vulnerable versions of postcss-modules-scope
  Depends on vulnerable versions of postcss-modules-values
  node_modules/css-loader
  icss-utils <=4.1.1
  Depends on vulnerable versions of postcss
  node_modules/icss-utils
  postcss-modules-local-by-default <=4.0.0-rc.4
  Depends on vulnerable versions of icss-utils
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-local-by-default
  postcss-modules-values <=4.0.0-rc.5
  Depends on vulnerable versions of icss-utils
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-values
  postcss-less <=3.1.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-less
  postcss-modules-extract-imports <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-extract-imports
  postcss-modules-scope <=2.2.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-scope
  postcss-safe-parser <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-safe-parser
  postcss-sass <=0.4.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-sass
  postcss-scss <=2.1.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-scss
  sugarss <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/sugarss

20 vulnerabilities (15 moderate, 5 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```
But I run into dependency issues when trying to perform `npm audit fix --force`:
```
$ npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating css-loader to 6.8.1, which is a SemVer major change.
npm WARN audit Updating stylelint to 16.0.2, which is a SemVer major change.
npm WARN audit Updating stylelint-scss to 6.0.0, which is a SemVer major change.
npm WARN audit Updating webpack to 5.89.0, which is a SemVer major change.
npm WARN ERESOLVE overriding peer dependency
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: shaarli@undefined
npm WARN Found: webpack@4.47.0
npm WARN node_modules/webpack
npm WARN   peer webpack@"^5.0.0" from css-loader@6.8.1
npm WARN   node_modules/css-loader
npm WARN     dev css-loader@"6.8.1" from the root project
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer webpack@"^2.0.0 || ^3.0.0 || ^4.0.0" from file-loader@1.1.11
npm WARN node_modules/file-loader
npm WARN   dev file-loader@"^1.1.6" from the root project
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: shaarli@undefined
npm WARN Found: webpack@4.47.0
npm WARN node_modules/webpack
npm WARN   peer webpack@"^5.0.0" from css-loader@6.8.1
npm WARN   node_modules/css-loader
npm WARN     dev css-loader@"6.8.1" from the root project
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer webpack@"4.x.x" from webpack-cli@3.3.12
npm WARN node_modules/webpack-cli
npm WARN   dev webpack-cli@"^3.3.12" from the root project

added 37 packages, removed 244 packages, changed 35 packages, and audited 721 packages in 5s

89 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
```
The trivy security scanner reports vulnerable dependencies in Shaarli's `yarn.lock`: https://github.com/shaarli/Shaarli/actions/runs/7077779999/job/19262500733
These vulnerable dependencies are also present in the last release (v0.13.0), which is reflected by the failed status of daily trivy scans (https://github.com/shaarli/Shaarli/actions/workflows/trivy-release.yml).
These are basically the same vulnerabilities as those reported by GitHub Dependabot on https://github.com/shaarli/Shaarli/security/dependabot.
`npm audit fix` (and a few manual tests to ensure the upgrade doesn't break anything) should fix most of these warnings. In case a dependency can't be easily updated, we should check if the reported vulnerability is effectively applicable, and if not, whitelist it. In addition we could disable GitHub's security advisories as these are now redundant (and a FOSS solution like trivy is preferable in my opinion - it is also easy to run it locally using `make test_trivy_repo`).
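One way to implement the "check whether it applies, then whitelist it" step against trivy's JSON output, as an added example that is not Shaarli's or trivy's own code: each accepted finding must carry a written reason and an expiry date, so the suppression is re-evaluated instead of rotting (trivy's own `.trivyignore` can do the plain suppression; the allowlist layout, the sample report and the stated reason are assumptions for this example).

```python
# Added example for this thread (not Shaarli's or trivy's code): triage a trivy
# JSON report against an allowlist; report constructed from the findings above.
import json

# Constructed sample in the shape of `trivy fs --format json yarn.lock`.
TRIVY_REPORT = json.dumps({
    "Results": [{
        "Target": "yarn.lock", "Type": "yarn",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2020-28469", "PkgName": "glob-parent",
             "InstalledVersion": "3.1.0", "FixedVersion": "5.1.2",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-44270", "PkgName": "postcss",
             "InstalledVersion": "7.0.39", "FixedVersion": "8.4.31",
             "Severity": "MEDIUM"},
        ],
    }]
})

# Accepted risks keyed by (CVE, package). Each entry records why the finding
# was judged not applicable and an ISO-8601 expiry so the decision is revisited
# (ISO dates compare correctly as plain strings).
ALLOWLIST = {
    ("CVE-2020-28469", "glob-parent"): {
        "reason": "dev-only: reached via webpack's file watcher at build time, "
                  "never fed untrusted input (assumed for this example)",
        "expires": "2024-06-30",
    },
}

def findings(report_json):
    """Flatten a trivy report into (cve, package, severity, fixed_version)."""
    out = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append((v["VulnerabilityID"], v["PkgName"],
                        v["Severity"], v.get("FixedVersion", "")))
    return out

def triage(report_json, allowlist, today):
    """Return findings that still block: not accepted, or acceptance expired."""
    blocking = []
    for cve, pkg, sev, _fixed in findings(report_json):
        entry = allowlist.get((cve, pkg))
        if entry is None:
            blocking.append((cve, pkg, sev, "not accepted"))
        elif today > entry["expires"]:
            blocking.append((cve, pkg, sev, "acceptance expired"))
    return blocking
```

An empty result from `triage` means the scan passes with the current allowlist; anything else should fail the CI job with the reason shown.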