webpack-contrib / webpack-bundle-analyzer

Webpack plugin and CLI utility that represents bundle content as convenient interactive zoomable treemap
MIT License

There is a vulnerability introduced by package ejs #460

Closed paimon0715 closed 3 years ago

paimon0715 commented 3 years ago

Hi, @th0r @valscion,

Issue Description

I accidentally found a vulnerability introduced in your package webpack-bundle-analyzer: the vulnerability SNYK-JS-EJS-1049328 is detected in package ejs<3.1.6. Unfortunately, webpack-bundle-analyzer@3.9.0 directly depends on ejs@2.7.4.

As far as I know, webpack-bundle-analyzer@3.9.0 is so popular that a large number of active and popular downstream projects depend on it in their latest versions (1,171,406 downloads per week and about 1,406 downstream projects, e.g., @vue/cli-service 4.5.13, @xdn/core 2.53.3, @factor/core 1.8.30, react-static 7.5.3, graphql-playground-react 1.7.27, @formily/meet-components 1.3.17, mkui-fd 3.2.21, etc.). As such, issue SNYK-JS-EJS-1049328 can be propagated into these downstream projects and expose security threats to them.

As you can see, webpack-bundle-analyzer@3.9.0 is introduced into the above projects via the following package dependency paths:
(1) @formily/meet-components@1.3.17 ➔ rax-plugin-app@0.2.19 ➔ webpack-bundle-analyzer@3.9.0 ➔ ejs@2.7.4
(2) mkui-fd@3.2.21 ➔ @packtracker/webpack-plugin@2.3.0 ➔ webpack-bundle-analyzer@3.9.0 ➔ ejs@2.7.4
......

I know that it's kind of you to have removed such a vulnerability since webpack-bundle-analyzer@4.0.0-rc1. However, these projects cannot easily upgrade webpack-bundle-analyzer from version 3.9.0 to (>=4.0.0-rc1): the projects such as rax-plugin-app and @packtracker/webpack-plugin, which introduced webpack-bundle-analyzer@3.9.0, are not maintained anymore. These unmaintained packages can neither upgrade webpack-bundle-analyzer nor be easily migrated by the large number of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from webpack-bundle-analyzer@3.9.0?

Suggested Solution

As you know, since these inactive projects set a version constraint 3.9.* for webpack-bundle-analyzer on the above vulnerable dependency paths, if webpack-bundle-analyzer removes the vulnerability from 3.9.0 and releases a new patched version webpack-bundle-analyzer@3.9.1, such a vulnerability patch can be automatically propagated into the 1,406 affected downstream projects.

Maybe the simplest way to remove the vulnerability is to perform the following upgrade in webpack-bundle-analyzer@3.9.1: ejs ^2.6.1 ➔ ^3.1.6
Note: ejs@3.1.6 (>=3.1.6) has fixed the vulnerability (SNYK-JS-EJS-1049328). Of course, you are welcome to share your idea with me.^_^

Thank you for your help.
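The propagation argument in the report, as an added example (not code from the issue, the reporter, or the project): a tiny resolver over a constructed registry built from dependency path (2) shows how a 3.9.* constraint resolves to webpack-bundle-analyzer@3.9.0 and ejs@2.7.4 today, and would pick up a patched 3.9.1 without any downstream change. The '^2.3.0' range on mkui-fd and the simplified semver matcher are assumptions; 'ejs ^2.6.1', '3.9.*' and the ejs >= 3.1.6 fix boundary are taken from the issue.

```javascript
// Added example, not from the issue or the project. The registry is constructed from dependency
// path (2) in the report; '^2.3.0' is an assumed range, '3.9.*' and 'ejs ^2.6.1' are quoted from it.
const registry = {
  'mkui-fd': { '3.2.21': { '@packtracker/webpack-plugin': '^2.3.0' } },
  '@packtracker/webpack-plugin': { '2.3.0': { 'webpack-bundle-analyzer': '3.9.*' } },
  'webpack-bundle-analyzer': { '3.9.0': { ejs: '^2.6.1' } },
  ejs: { '2.7.4': {}, '3.1.6': {} },
};
const parse = (v) => v.split('.').map(Number);
// Compare two x.y.z versions: negative if a < b, 0 if equal, positive if a > b.
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  return x[0] - y[0] || x[1] - y[1] || x[2] - y[2];
}
// Minimal matcher for the range forms in the issue: '^x.y.z' (same major, >= x.y.z;
// assumes major >= 1), 'x.y.*' (same major.minor), or an exact version.
function satisfies(v, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    return parse(v)[0] === parse(base)[0] && cmp(v, base) >= 0;
  }
  const m = range.match(/^(\d+)\.(\d+)\.\*$/);
  if (m) return parse(v)[0] === Number(m[1]) && parse(v)[1] === Number(m[2]);
  return v === range;
}
// Pick the highest published version satisfying the range, as npm does.
function resolve(name, range, reg) {
  const ok = Object.keys(reg[name] || {}).filter((v) => satisfies(v, range));
  return ok.sort((a, b) => cmp(b, a))[0];
}
// Walk the resolved tree from a root; return every path that ends in a vulnerable ejs.
function vulnerablePaths(name, version, reg, isVuln, path = []) {
  const here = [...path, `${name}@${version}`];
  if (name === 'ejs') return isVuln(version) ? [here.join(' > ')] : [];
  return Object.entries(reg[name][version]).flatMap(([dep, range]) => {
    const v = resolve(dep, range, reg);
    return v ? vulnerablePaths(dep, v, reg, isVuln, here) : [];
  });
}

const ejsVulnerable = (v) => cmp(v, '3.1.6') < 0; // SNYK-JS-EJS-1049328 fixed in ejs >= 3.1.6 (per issue)

// Simulate the 3.9.1 release the issue asks for (ejs ^2.6.1 -> ^3.1.6). Because the
// downstream constraint is '3.9.*', resolution picks 3.9.1 with no change downstream.
function withPatchRelease(reg) {
  const copy = JSON.parse(JSON.stringify(reg));
  copy['webpack-bundle-analyzer']['3.9.1'] = { ejs: '^3.1.6' };
  return copy;
}
```

Running `vulnerablePaths('mkui-fd', '3.2.21', registry, ejsVulnerable)` returns the single path from the report, and the same call against `withPatchRelease(registry)` returns an empty list.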

valscion commented 3 years ago

webpack-bundle-analyzer is a development-only tool so this vulnerability report does not concern us.

We will update the dependencies at our own pace, and at that time this issue will also be fixed.

This is a similar issue as written here: https://overreacted.io/npm-audit-broken-by-design/