storybookjs / icons

Library of icons used in apps and marketing sites
MIT License
10 stars 3 forks

[High Security Vulnerability] due to outdated figma-api-exporter #15

Open pedroresende opened 1 year ago

pedroresende commented 1 year ago

Describe the bug

You're using an outdated version of figma-api-exporter, which has a high security vulnerability because it's using axios

Steps to reproduce the behavior

  1. npm outdated

silverwind commented 1 year ago

There are a number of deprecations coming from this module:

npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility

npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.

npm WARN deprecated axios@0.19.2: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410

silverwind commented 1 year ago

Dependency chains for the three deprecations:

└─┬ @storybook/blocks@7.2.1
  └─┬ @storybook/components@7.2.1
    └─┬ @storybook/icons@1.1.2
      └─┬ @svgr/plugin-svgo@5.5.0
        └── svgo@1.3.2

└─┬ @storybook/blocks@7.2.1
  └─┬ @storybook/components@7.2.1
    └─┬ @storybook/icons@1.1.2
      ├── axios@1.4.0
      └─┬ figma-api-exporter@0.0.2
        ├── axios@0.19.2
        └─┬ figma-js@1.16.0
          └── axios@0.21.4

└─┬ @storybook/blocks@7.2.1
  └─┬ @storybook/components@7.2.1
    └─┬ @storybook/icons@1.1.2
      └─┬ @svgr/plugin-svgo@5.5.0
        └─┬ svgo@1.3.2
          └── stable@0.1.8

cdedreuille commented 1 year ago

Thanks a lot for looking into it @pedroresende @silverwind. The icon library doesn't have any dependencies. We only use these libraries locally to generate the icons from Figma. But I agree that we should take the time to fix it. The generator is not built with ESM and I'm not an expert of that. To update all libraries I believe we should fix this all together.

silverwind commented 1 year ago

I see that https://github.com/storybookjs/icons/commit/d2f8113c08f1a6e596ea3a220f38b80a4cae33db moved all dependencies to devDependencies, so they will no longer install with 1.1.3 or above and this issue is resolved for users of the module. Developers may theoretically still be vulnerable, though.

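The distinction silverwind draws above (a vulnerable transitive package that only matters for developers versus one that ships to everyone who installs the module) can be checked mechanically from a lockfile. The following is an added example, not code from storybookjs/icons or from any commenter: it walks a `package-lock.json` v2/v3 `packages` map with npm's nearest-`node_modules` resolution rule, reports every chain that ends in an axios older than 0.21.1 (the fixed version named in the npm deprecation notice quoted earlier), and labels each chain as shipped to consumers or dev-only. The version numbers in the fixture are taken from the dependency chains posted in this thread, but the lockfile layout itself is constructed for the example.

```javascript
// Added example (not from storybookjs/icons): find dependency chains that end
// in a vulnerable axios and say whether each one ships to consumers
// ("dependencies") or stays with developers ("devDependencies").

// Constructed fixture: versions match the chains quoted in the thread, the
// lockfile layout is made up for this example.
const FIXTURE_LOCK = {
  packages: {
    '': {
      name: '@storybook/icons',
      dependencies: { axios: '^1.4.0', 'figma-api-exporter': '^0.0.2' },
      devDependencies: {},
    },
    'node_modules/axios': { version: '1.4.0' },
    'node_modules/figma-api-exporter': {
      version: '0.0.2',
      dependencies: { axios: '^0.19.2', 'figma-js': '^1.16.0' },
    },
    'node_modules/figma-api-exporter/node_modules/axios': { version: '0.19.2' },
    'node_modules/figma-api-exporter/node_modules/figma-js': {
      version: '1.16.0',
      dependencies: { axios: '^0.21.4' },
    },
    'node_modules/figma-api-exporter/node_modules/figma-js/node_modules/axios': { version: '0.21.4' },
  },
};

// Numeric "x.y.z" comparison; a prerelease suffix ("-beta.1") is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The npm deprecation notice quoted in the thread names 0.21.1 as the fix.
const isVulnerableAxios = (version) => compareVersions(version, '0.21.1') < 0;

// npm's lookup rule: from the package at fromPath, "name" resolves to the
// nearest node_modules/<name> walking up towards the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // unmet (e.g. optional) dependency
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk over one dependency map. "seen" holds the paths on the
// current chain so cycles terminate; diamonds are reported once per chain.
function walk(packages, fromPath, deps, chain, dev, seen, target, isVulnerable, out) {
  for (const name of Object.keys(deps || {})) {
    const depPath = resolveDep(packages, fromPath, name);
    if (!depPath || seen.has(depPath)) continue;
    const dep = packages[depPath];
    const next = [...chain, `${name}@${dep.version}`];
    if (name === target && isVulnerable(dep.version)) {
      out.push({ chain: next.join(' > '), dev });
    }
    walk(packages, depPath, dep.dependencies, next, dev, new Set(seen).add(depPath), target, isVulnerable, out);
  }
}

// Root edges under "dependencies" are prod, under "devDependencies" dev-only.
function findVulnerableChains(lock, target, isVulnerable) {
  const packages = lock.packages;
  const root = packages[''];
  const out = [];
  const start = [root.name || '.'];
  walk(packages, '', root.dependencies, start, false, new Set(['']), target, isVulnerable, out);
  walk(packages, '', root.devDependencies, start, true, new Set(['']), target, isVulnerable, out);
  return out;
}

// Model the fix discussed in the thread (runtime deps moved to devDependencies)
// on a copy of the lockfile so the two results can be compared.
function moveRuntimeDepsToDev(lock) {
  const copy = JSON.parse(JSON.stringify(lock));
  const root = copy.packages[''];
  root.devDependencies = { ...(root.devDependencies || {}), ...(root.dependencies || {}) };
  root.dependencies = {};
  return copy;
}

function summarize(chains) {
  return {
    shippedToConsumers: chains.filter((c) => !c.dev).length,
    devOnly: chains.filter((c) => c.dev).length,
  };
}

function demo() {
  const beforeFix = findVulnerableChains(FIXTURE_LOCK, 'axios', isVulnerableAxios);
  const afterFix = findVulnerableChains(moveRuntimeDepsToDev(FIXTURE_LOCK), 'axios', isVulnerableAxios);
  console.log('before fix:', summarize(beforeFix), beforeFix);
  console.log('after fix: ', summarize(afterFix), afterFix);
}
demo();
```

On the fixture the only vulnerable chain is `@storybook/icons > figma-api-exporter@0.0.2 > axios@0.19.2`; before the fix it is flagged as shipped to consumers, after the move it is still present on a developer's disk but counted as dev-only, which is exactly the residual exposure the comment above describes. To run this against a real project, replace `FIXTURE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; `npm ls axios` and `npm audit --omit=dev` give the same two views without custom code.
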
cdedreuille commented 1 year ago

Yes you're right @silverwind. I'll keep this issue open as this is still something I would love to resolve. I tried to convert our generator to ESM and updating all packages at the same time but I couldn't work everything out just yet.

ekilah commented 11 months ago

I opened https://github.com/slawomirkolodziej/figma-api-exporter/issues/10 over there at the other package to ask about the changes between 0.0.2 and 1.0.0, for what it's worth