uswds / uswds-compile

Simple Gulp 5 functions for copying USWDS static assets and transforming USWDS Sass into browser-readable CSS.

USWDS-Compile - Bug: gulp vulnerability #48

Closed jeran-urban closed 11 months ago

jeran-urban commented 2 years ago

Special Note

In digging into this deeper, this appears to be an issue with Gulp instead of this repo, as USWDS is on the latest version of Gulp and all of the dependency issues reside with gulp 4.0.2. USWDS will need to be upgraded once Gulp fixes its issues.

Describe the bug

The issue I am seeing is that USWDS-Compile relies on a version of Gulp that has a transitive dependency with a valid vulnerability:

https://security.snyk.io/package/npm/glob-parent

# npm audit report

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/chokidar/node_modules/glob-parent
node_modules/glob-stream/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    glob-watcher  >=3.0.0
    Depends on vulnerable versions of chokidar
    node_modules/glob-watcher
      gulp  >=4.0.0
      Depends on vulnerable versions of glob-watcher
      node_modules/gulp
        @uswds/compile  *
        Depends on vulnerable versions of gulp
        node_modules/@uswds/compile
  glob-stream  5.3.0 - 6.1.0
  Depends on vulnerable versions of glob-parent
  node_modules/glob-stream
    vinyl-fs  >=2.4.2
    Depends on vulnerable versions of glob-stream
    node_modules/vinyl-fs

7 high severity vulnerabilities
~\web>npm ls glob-parent
~\web
+-- @uswds/compile@1.0.0-beta.3
| `-- gulp@4.0.2
|   +-- glob-watcher@5.0.5
|   | `-- chokidar@2.1.8
|   |   `-- glob-parent@3.1.0
|   `-- vinyl-fs@3.0.3
|     `-- glob-stream@6.1.0
|       `-- glob-parent@3.1.0

this version of gulp also has a transitive dependency vulnerability for yargs-parser:

+-- @uswds/compile@1.0.0-beta.3
| +-- gulp-replace@1.1.3
| | `-- yargs-parser@21.1.1
| `-- gulp@4.0.2
|   `-- gulp-cli@2.3.0
|     `-- yargs@7.1.2
|       `-- yargs-parser@5.0.1

Steps to reproduce the bug

run npm install uswds-compile
run npm audit

Expected Behavior

There should be no errors. Would it be possible to upgrade the gulp dependency to a version that is not affected by this?

Related code

No response

Screenshots

No response

System setup

No response

Additional context

No response

jeran-urban commented 2 years ago

for now I am using an override in my package.json file:

"overrides": {
    "glob-parent":"^5.1.2"
  },

This is working, but I am still evaluating whether there are any repercussions from using this workaround, as this project does use glob strings in the gulp configuration.

mejiaj commented 1 year ago

Reported from Snyk as of 03/26/23

Issues with no direct upgrade or patch:
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in ansi-regex@2.1.1
    introduced by @uswds/compile@1.0.0 > gulp@4.0.2 > gulp-cli@2.3.0 > yargs@7.1.2 > string-width@1.0.2 > strip-ansi@3.0.1 > ansi-regex@2.1.1 and 4 other path(s)
  This issue was fixed in versions: 3.0.1, 4.1.1, 5.0.1, 6.0.1
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@1.0.0
    introduced by @uswds/compile@1.0.0 > gulp@4.0.2 > glob-watcher@5.0.5 > chokidar@2.1.8 > braces@2.3.2 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0 and 30 other path(s)
  This issue was fixed in versions: 2.0.1