search

webdriverio-community / wdio-vscode-service

A service to test VSCode extensions from end to end using WebdriverIO
https://webdriverio-community.github.io/wdio-vscode-service/
MIT License
35 stars 28 forks source link

npm audit returns dependency vulnerabilities #97

Open neilcampbell opened 11 months ago

neilcampbell commented 11 months ago

When running npm audit against the repo, the following vulnerabilities are detected.

# npm audit report

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios

chromedriver  <119.0.1
Severity: moderate
chromedriver Command Injection vulnerability - https://github.com/advisories/GHSA-hm92-vgmw-qfmx
fix available via `npm audit fix`
node_modules/chromedriver

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install download@3.3.0, which is a breaking change
node_modules/download/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/download

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install download@3.3.0, which is a breaking change
node_modules/download/node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/download/node_modules/cacheable-request

undici  <5.26.2
Undici's cookie header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-wqq4-5wpv-mx2g
fix available via `npm audit fix`
node_modules/undici

7 vulnerabilities (1 low, 3 moderate, 3 high)

A couple are fixable, however the high severity ones aren't and appear to be dependencies of the download package, which appears to have been abandoned.

Is there any plans or work in progress to move away from using the download package?

christian-bromann commented 11 months ago

@neilcampbell thanks for reporting. These vulnerabilities will be resolved with #94 where we remove the dependency to the download package.

neilcampbell commented 11 months ago

@christian-bromann Amazing stuff, thanks!

seanpoulter commented 9 months ago

I took over #94 and dropped the dependency update in #105. Are we good to update all the dependencies next?

christian-bromann commented 9 months ago

@seanpoulter let's update all dependencies if possible. We should always stay up to date!

seanpoulter commented 9 months ago

Hello from Ottawa, Canada @neilcampbell. I'll second your suggestion that we want to replace download@^4. Do either of you have a preference? My suggestion would be to find out what we're using in webdriverio/webdriverio.

I'll open a PR to update undici now. We're limited to v5.x because v6 drops support for Node v16.

seanpoulter commented 9 months ago

We're down to these three:

# npm audit report

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install download@3.3.0, which is a breaking change
node_modules/download/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/download

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install download@3.3.0, which is a breaking change
node_modules/download/node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/download/node_modules/cacheable-request

pkg  *
Severity: moderate
Pkg Local Privilege Escalation - https://github.com/advisories/GHSA-22r3-9w55-cj54
No fix available
node_modules/pkg

5 vulnerabilities (2 moderate, 3 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

We've already talked about replacing download. It turns out pkg is also no longer maintained.

christian-bromann commented 9 months ago

My suggestion would be to find out what we're using in webdriverio/webdriverio.

What are we doing there? If there is an easy way to replace download and pkg I am happy to explore that. That said, I am also fine to keep this ticket around in case someone wants to pick this up but I don't see these vulnerabilities being in any way relevant to the end user. This is why it had a very low priority for me.