theia-ide / theia-apps

Theia applications examples - docker images, desktop apps, packagings
Apache License 2.0

How to respond to reported vulnerabilities in dependencies? #476

Closed michalc closed 2 years ago

michalc commented 3 years ago

In a Theia-based-project, is there a suggested process for bumping dependencies that have reported vulnerabilities?

In mine, GitHub tells me about vulnerabilities in the yarn.lock file (or I can find them manually with a yarn audit). However, they're in transitive dependencies, and they seem to rarely allow bumping to a version that doesn't have the vulnerability. The only way I seem to be able to bump them is to force them using resolutions, and then hoping for the best.

So far, my resolutions in package.json look like:

    "resolutions": {
      "**/axios": "^0.21.1",
      "**/debug": "^4.3.1",
      "**/is-svg": "^4.3.1",
      "**/js-yaml": "^3.14.1",
      "**/postcss": "^8.2.10",
      "**/sanitize-html": "^2.3.3",
      "**/ssri": "^8.0.1",
      "**/underscore": "^1.13.1",
      "**/y18n": "^5.0.8",
      "**/yargs-parser": "^20.2.7"
    },

I'm a bit nervous since it's forcing dependencies to use packages that they aren't specified to be compatible with.

Is there anything better that can be done?

marcdumais-work commented 3 years ago

Hi @michalc ,

This may be a question of interest for the upstream repo/project: https://github.com/eclipse-theia/theia/issues

AFAIK, using resolutions is indeed sometimes the only way to momentarily get rid of a specific, unwanted version of a transitive dependency. Then one hopes that the whole dependency chain will adapt, slowly expunging the vulnerable version of the package, so we can pick up a better version by updating the 1st-level dependency that ends up pulling the faulty package.

Do you sometimes update the yarn.lock for your product, so that you give yarn the chance to look for compatible, later versions of the packages currently in use? I think using yarn upgrade is the way this is usually done. If you do not do that, it may be pinning older dependencies than you'd otherwise have.

It's also possible that in some cases, some requested versions or version ranges in eclipse-theia itself are too narrow and would need updating. In such a case, it's better to let us know so we can fix it; optionally, you can submit a PR yourself.
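A check worth running after a yarn upgrade, as an added example that is not from this issue or the Theia project: it parses a yarn v1 lockfile and reports any locked copy of a package that still violates the caret range forced by a package.json resolutions entry, so a stale or unapplied resolution shows up instead of being hoped for. The package names, versions and lockfile text below are constructed.

```javascript
// Added example, not from the issue or the Theia project: verify that the
// "resolutions" forced in package.json actually took effect in yarn.lock, i.e.
// every locked copy of each package satisfies the forced caret range.
// Assumes a yarn v1 lockfile and plain X.Y.Z versions; all data is constructed.
const packageJson = { resolutions: { "**/axios": "^0.21.1", "**/y18n": "^5.0.8" } };
// Constructed lockfile: axios was forced correctly, but a stale y18n 4.x copy remains.
const yarnLock = `
axios@^0.19.0, axios@^0.21.1:
  version "0.21.1"
y18n@^4.0.0:
  version "4.0.0"
y18n@^5.0.5:
  version "5.0.8"
`;

// Parse a yarn v1 lockfile into [{ name, version }] entries.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (/^\S/.test(line) && line.endsWith(":")) {
      // Header such as `axios@^0.19.0, axios@^0.21.1:`; the name precedes the last "@".
      const spec = line.slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
      current = { name: spec.slice(0, spec.lastIndexOf("@")), version: null };
      entries.push(current);
    } else if (current && /^\s+version\s+"/.test(line)) {
      current.version = line.match(/"([^"]+)"/)[1];
    }
  }
  return entries;
}
const parse = (v) => v.split(".").map(Number);
const lt = (a, b) => (a[0] !== b[0] ? a[0] < b[0] : a[1] !== b[1] ? a[1] < b[1] : a[2] < b[2]);
// ^X.Y.Z allows >= X.Y.Z and < the next major (next minor or patch when X or Y is 0).
function satisfiesCaret(version, range) {
  const v = parse(version), [x, y, z] = parse(range.replace(/^\^/, ""));
  const upper = x > 0 ? [x + 1, 0, 0] : y > 0 ? [0, y + 1, 0] : [0, 0, z + 1];
  return !lt(v, [x, y, z]) && lt(v, upper);
}
// Return one message per locked copy that still violates its forced range.
function checkResolutions(pkg, lockText) {
  const entries = parseYarnLock(lockText), problems = [];
  for (const [pattern, range] of Object.entries(pkg.resolutions)) {
    const name = pattern.replace(/^\*\*\//, "");
    for (const e of entries.filter((x) => x.name === name)) {
      if (!satisfiesCaret(e.version, range)) problems.push(`${name}@${e.version} does not satisfy ${range}`);
    }
  }
  return problems;
}
```

An empty result means every locked copy honours the forced range; anything listed is a package the lockfile still pins below what the resolution asked for.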

stale[bot] commented 3 years ago

This contribution has been automatically marked as stale due to inactivity, and it will be closed if no further activity occurs. Thank you for contributing to Theia!