sveltejs / sapper

The next small thing in web development, powered by Svelte
https://sapper.svelte.dev
MIT License

npm audit fix incorrectly returns a critical vulnerability #1728

Closed mikeoptics closed 3 years ago

mikeoptics commented 3 years ago

Describe the bug
npm reports a critical advisory for sapper for 0.27.11 even though I have the latest version. npm audit fix does not resolve it.

What I have tried
- Verifying the cache: npm cache verify
- Running npm ci
- Removing sapper and reinstalling it.

Logs

admin@admins-MBP sapper % npm audit            
# npm audit report

sapper  <0.27.11
Severity: critical
Path Traversal - https://npmjs.com/advisories/1494
fix available via `npm audit fix`

1 critical severity vulnerability

To address all issues, run:
  npm audit fix
admin@admins-MBP sapper % npm audit fix        

up to date, audited 969 packages in 1s

84 packages are looking for funding
  run `npm fund` for details

# npm audit report

sapper  <0.27.11
Severity: critical
Path Traversal - https://npmjs.com/advisories/1494
fix available via `npm audit fix`

1 critical severity vulnerability

To address all issues, run:
  npm audit fix
admin@admins-MBP sapper % npm audit fix --force --verbose
npm verb cli [
npm verb cli   '/opt/homebrew/Cellar/node/15.10.0/bin/node',
npm verb cli   '/opt/homebrew/bin/npm',
npm verb cli   'audit',
npm verb cli   'fix',
npm verb cli   '--force',
npm verb cli   '--verbose'
npm verb cli ]
npm info using npm@7.6.0
npm info using node@v15.10.0
npm timing config:load:defaults Completed in 0ms
npm timing config:load:file:/opt/homebrew/lib/node_modules/npm/npmrc Completed in 1ms
npm timing config:load:builtin Completed in 1ms
npm timing config:load:cli Completed in 1ms
npm timing config:load:env Completed in 0ms
npm timing config:load:file:/Users/admin/Documents/lantern/sapper/.npmrc Completed in 0ms
npm timing config:load:project Completed in 0ms
npm timing config:load:file:/Users/admin/.npmrc Completed in 0ms
npm timing config:load:user Completed in 0ms
npm timing config:load:file:/opt/homebrew/etc/npmrc Completed in 0ms
npm timing config:load:global Completed in 0ms
npm timing config:load:cafile Completed in 0ms
npm timing config:load:validate Completed in 0ms
npm timing config:load:setUserAgent Completed in 1ms
npm timing config:load:setEnvs Completed in 0ms
npm timing config:load Completed in 3ms
npm WARN using --force Recommended protections disabled.
npm verb npm-session 9aa693866d2b2d6b
npm timing npm:load Completed in 10ms
npm timing arborist:ctor Completed in 1ms
npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 399ms
npm timing auditReport:getReport Completed in 401ms
npm timing metavuln:cache:get:security-advisory:sapper:Z6Zpd8B0nY9xMHK+foC2MDb7mCj3sf7E849qz9d4pJ9IRqS+dFM6mqua2MJd4VNx2kdrM/MBDrsIr1Ll+y8zKA== Completed in 9ms
npm http fetch GET 304 https://registry.npmjs.org/sapper 80ms (from cache)
npm timing metavuln:packument:sapper Completed in 84ms
npm timing metavuln:load:security-advisory:sapper:1494 Completed in 1ms
npm timing metavuln:calculate:security-advisory:sapper:1494 Completed in 88ms
npm timing auditReport:init Completed in 88ms
npm timing audit Completed in 634ms
npm timing idealTree:init Completed in 1ms
npm timing idealTree:userRequests Completed in 0ms
npm timing idealTree:#root Completed in 0ms
npm timing idealTree:buildDeps Completed in 1ms
npm timing idealTree:fixDepFlags Completed in 0ms
npm timing idealTree Completed in 3ms
npm timing arborist:ctor Completed in 0ms
npm timing reify:loadTrees Completed in 124ms
npm timing reify:diffTrees Completed in 6ms
npm timing reify:retireShallow Completed in 0ms
npm timing reify:createSparse Completed in 0ms
npm timing reify:loadBundles Completed in 0ms
npm timing reify:unpack Completed in 0ms
npm timing reify:unretire Completed in 0ms
npm timing build:queue Completed in 0ms
npm timing build:deps Completed in 0ms
npm timing build Completed in 1ms
npm timing reify:build Completed in 1ms
npm timing reify:trash Completed in 0ms
npm timing reify:save Completed in 42ms
npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 384ms
npm timing auditReport:getReport Completed in 386ms
npm timing metavuln:packument:sapper Completed in 0ms
npm timing metavuln:cache:get:security-advisory:sapper:Z6Zpd8B0nY9xMHK+foC2MDb7mCj3sf7E849qz9d4pJ9IRqS+dFM6mqua2MJd4VNx2kdrM/MBDrsIr1Ll+y8zKA== Completed in 2ms
npm timing metavuln:load:security-advisory:sapper:1494 Completed in 2ms
npm timing metavuln:calculate:security-advisory:sapper:1494 Completed in 4ms
npm timing auditReport:init Completed in 4ms
npm timing reify:audit Completed in 390ms
npm timing reify Completed in 523ms

up to date, audited 969 packages in 1s

84 packages are looking for funding
  run `npm fund` for details

# npm audit report

sapper  <0.27.11
Severity: critical
Path Traversal - https://npmjs.com/advisories/1494
fix available via `npm audit fix`

1 critical severity vulnerability

To address all issues, run:
  npm audit fix
npm timing command:audit Completed in 1168ms
npm verb exit 0
npm timing npm Completed in 1245ms
npm info ok 
admin@admins-MBP sapper % 

To Reproduce
Run npm audit fix.

Expected behavior
It should fix it.

Information about your Sapper Installation:

 System:
    OS: macOS 11.2.1
    CPU: (8) arm64 Apple M1
    Memory: 199.97 MB / 16.00 GB
    Shell: 5.8 - /bin/zsh
  Binaries:
    Node: 15.10.0 - /opt/homebrew/bin/node
    Yarn: 1.22.10 - /opt/homebrew/bin/yarn
    npm: 7.6.0 - /opt/homebrew/bin/npm
  Browsers:
    Safari: 14.0.3
  npmPackages:
    rollup: ^2.3.4 => 2.40.0 
    sapper: ^0.29.1 => 0.29.1 
    svelte: ^3.17.3 => 3.34.0 

Severity
I honestly don't know. It says it's a critical vulnerability in npm, but I'm sure it's more of an error in recognising it is up to date.

Additional context
Notice how there is a 304 error in the logs? Maybe that's something to do with it? Perhaps the package.json will help?

admin@admins-MBP sapper % cat package.json
{
  "name": "lanternpms",
  "description": "A Better PMS",
  "version": "0.0.1",
  "private": true,
  "scripts": {
    "dev": "sapper dev",
    "build": "sapper build",
    "export": "sapper export",
    "start": "node __sapper__/build"
  },
  "dependencies": {
    "axios": "^0.21.1",
    "compression": "^1.7.1",
    "cookie-parser": "^1.4.5",
    "js-cookie": "^2.2.1",
    "polka": "next",
    "sirv": "^1.0.0",
    "sqreen": "^1.61.0",
    "twilio-video": "^2.11.0"
  },
  "devDependencies": {
    "@babel/core": "^7.0.0",
    "@babel/plugin-syntax-dynamic-import": "^7.0.0",
    "@babel/plugin-transform-runtime": "^7.0.0",
    "@babel/preset-env": "^7.0.0",
    "@babel/runtime": "^7.0.0",
    "@rollup/plugin-babel": "^5.0.0",
    "@rollup/plugin-commonjs": "^14.0.0",
    "@rollup/plugin-json": "^4.1.0",
    "@rollup/plugin-node-resolve": "^8.0.0",
    "@rollup/plugin-replace": "^2.2.0",
    "autoprefixer": "*",
    "cssnano": "*",
    "postcss": "*",
    "postcss-import": "*",
    "postcss-load-config": "*",
    "postcss-nested": "*",
    "postcss-preset-env": "*",
    "rollup": "^2.3.4",
    "rollup-plugin-svelte": "^6.0.0",
    "rollup-plugin-terser": "^7.0.0",
    "sapper": "^0.29.1",
    "stylelint": "^13.11.0",
    "stylelint-config-standard": "^20.0.0",
    "svelte": "^3.17.3",
    "svelte-preprocess": "^4.2.1",
    "tailwindcss": "*"
  },
  "author": {
    "name": "Mike Parker"
  },
  "license": "NONE"
}
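The report above boils down to one question: does the advisory's vulnerable range ("<0.27.11") actually match any version of sapper recorded in the lockfile, or is npm resolving the wrong version? The script below is an added example, not code from the sapper project or from the issue author, that answers this independently of npm's own audit resolution: it walks a package-lock.json, collects every copy of the flagged package (the top-level install and any nested copies under other dependencies), and checks each against the range the audit prints. It assumes npm 7's lockfileVersion 2 layout (a "packages" map keyed by "node_modules/<name>", with the v1-style "dependencies" map as a fallback) and the "vulnerabilities" object shape of `npm audit --json` (name, severity, range); the lockfile and audit samples embedded in it are constructed to mirror the situation in this issue, not copied from the reporter's project.

```javascript
// Added example, not code from the sapper project or the issue author.
// Cross-checks an npm audit finding against the versions a package-lock.json
// actually records, so an advisory range like "<0.27.11" can be verified
// independently of npm's own resolution. Assumes npm 7's lockfileVersion 2
// layout ("packages" keyed by "node_modules/<name>", v1-style "dependencies"
// as fallback) and the "vulnerabilities" shape of `npm audit --json`
// (name, severity, range). All sample data below is constructed.

// Parse "MAJOR.MINOR.PATCH" into three numbers (pre-release tags ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate a comparator range in the form npm audit prints, e.g. "<0.27.11"
// or ">=0.20.0 <0.27.11"; space-separated comparators are ANDed and "||"
// separates alternatives. Caret, tilde and x-ranges are deliberately
// unsupported so that anything unexpected fails loudly instead of silently.
function satisfies(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).filter(Boolean).every(comp => {
      const m = /^(<=|>=|<|>|=)?(v?\d+\.\d+\.\d+)$/.exec(comp);
      if (!m) throw new Error(`unsupported comparator: ${comp}`);
      const cmp = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '<':  return cmp < 0;
        case '<=': return cmp <= 0;
        case '>':  return cmp > 0;
        case '>=': return cmp >= 0;
        default:   return cmp === 0;
      }
    })
  );
}

// Every copy of `name` in the lockfile: the top-level install plus any
// nested copies installed under other dependencies (".../node_modules/<name>").
// A nested, older copy is the usual reason an audit finding survives an
// upgrade of the top-level dependency.
function installedVersions(lockfile, name) {
  const found = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const isCopy = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isCopy && entry.version) found.push({ path, version: entry.version });
  }
  if (found.length === 0) {
    const legacy = lockfile.dependencies && lockfile.dependencies[name];
    if (legacy && legacy.version) found.push({ path: `node_modules/${name}`, version: legacy.version });
  }
  return found;
}

// For each audit finding, list which installed copies fall inside the
// vulnerable range. `applies` is false when no recorded copy is in range,
// which is exactly the "npm says vulnerable, lockfile says fixed" case.
function triageFindings(lockfile, vulnerabilities) {
  return Object.values(vulnerabilities).map(v => {
    const copies = installedVersions(lockfile, v.name);
    const matches = copies.filter(c => satisfies(c.version, v.range));
    return { name: v.name, severity: v.severity, range: v.range, copies, matches, applies: matches.length > 0 };
  });
}

// Constructed sample lockfile: sapper 0.29.1 installed at top level only.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'lanternpms', version: '0.0.1' },
    'node_modules/sapper': { version: '0.29.1' },
    'node_modules/svelte': { version: '3.34.0' },
  },
};

// Constructed sample finding modelled on the "sapper <0.27.11" report above.
const SAMPLE_AUDIT = {
  sapper: { name: 'sapper', severity: 'critical', range: '<0.27.11' },
};

function triageSample() {
  return triageFindings(SAMPLE_LOCKFILE, SAMPLE_AUDIT);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of triageSample()) {
    const versions = f.copies.map(c => `${c.version} (${c.path})`).join(', ') || 'none';
    console.log(`${f.name} ${f.range} [${f.severity}]: installed ${versions} -> ${f.applies ? 'AFFECTED' : 'not in range'}`);
  }
}
```

To run it against a real project, replace the two constructed samples with `JSON.parse(fs.readFileSync('package-lock.json'))` and the `vulnerabilities` object from `npm audit --json`. If `applies` comes back false for every copy while npm still reports the finding, the problem is in how npm is resolving the tree (as the maintainer notes below), not in the dependency itself; if a nested copy shows up in `matches`, the upgrade did not reach the copy the advisory is actually about.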

mikeoptics commented 3 years ago

I removed npm via homebrew and reinstalled the LTS version via the official route. Issue is still present.

Conduitry commented 3 years ago

This isn't something that we can do anything about or that we have any visibility into. There was indeed a vulnerability that folks at npm reported to us last year, that we then fixed. If npm isn't correctly noticing what version of Sapper you have, that's not something that can be fixed in Sapper.