zadam / trilium

Build your personal knowledge base with Trilium Notes
GNU Affero General Public License v3.0

NPM Dependencies Have Multiple Vulnerabilities #2945

Open bonedaddy opened 2 years ago

bonedaddy commented 2 years ago

Trilium Version

v0.53.0-beta

What operating system are you using?

Ubuntu

What is your setup?

Server access only

Operating System Version

Ubuntu 22.04

Description

Upon installing the newest version of Trilium beta, npm reported multiple vulnerabilities

⋊> /e/t/code on 67e69f19 ⨯ npm audit                                                                                                  15:11:26
# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install electron-packager@13.1.1, which is a breaking change
node_modules/got
  @electron/get  *
  Depends on vulnerable versions of got
  node_modules/@electron/get
    electron  >=7.0.0-beta.1
    Depends on vulnerable versions of @electron/get
    node_modules/electron
      @electron/remote  >=1.0.0
      Depends on vulnerable versions of electron
      node_modules/@electron/remote
    electron-packager  >=14.0.0
    Depends on vulnerable versions of @electron/get
    node_modules/electron-packager
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        electron-builder  >=5.6.1
        Depends on vulnerable versions of update-notifier
        node_modules/electron-builder

jpeg-js  <0.4.4
Severity: high
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
fix available via `npm audit fix --force`
Will install jimp@0.16.0, which is a breaking change
node_modules/jpeg-js
  @jimp/jpeg  <=0.12.0 || >=0.16.1
  Depends on vulnerable versions of jpeg-js
  node_modules/@jimp/jpeg
    @jimp/types  <=0.11.1-canary.891.908.0 || >=0.16.1
    Depends on vulnerable versions of @jimp/jpeg
    node_modules/@jimp/types
      jimp  0.3.6-alpha.5 - 0.11.1-canary.891.908.0 || >=0.16.1
      Depends on vulnerable versions of @jimp/types
      node_modules/jimp

shellatomic commented 2 years ago

Regarding got <11.8.5 Severity: moderate. Unfortunately, this is not a trivial change because the got interface changed quite a bit with the new version. (And because of that you can't just work around this issue with package resolutions either...).

For jpeg-js <0.4.4 Severity: high. Check this reference https://github.com/advisories/GHSA-xvf7-4v9q-58w6

Jkudjo commented 2 years ago

same issue here

zadam commented 2 years ago

Hi, these vulnerabilities don't seem particularly relevant to Trilium - got seems to be used by electron during build time, jpeg-js allows a user to DoS themselves.
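The reachability half of that triage (does the vulnerable package sit under runtime code, or only under build tooling such as electron-packager and electron-builder?) can be read off the "Depends on vulnerable versions of" chains that `npm audit` prints, which `npm audit --json` (npm 7+) exposes as `effects` edges. The script below is an added example, not Trilium's code or anything posted in this thread; the audit entries and the package.json split are constructed to mirror the two chains in the report above and are not Trilium's actual manifest.

```javascript
// Constructed sample in the shape of the `vulnerabilities` map from `npm audit --json`
// (npm 7+), reduced to the fields used here and mirroring the two chains in the report above.
const sampleAudit = {
  vulnerabilities: {
    got: { severity: "moderate", isDirect: false, effects: ["@electron/get", "package-json"] },
    "@electron/get": { severity: "moderate", isDirect: false, effects: ["electron", "electron-packager"] },
    electron: { severity: "moderate", isDirect: true, effects: ["@electron/remote"] },
    "@electron/remote": { severity: "moderate", isDirect: true, effects: [] },
    "electron-packager": { severity: "moderate", isDirect: true, effects: [] },
    "package-json": { severity: "moderate", isDirect: false, effects: ["latest-version"] },
    "latest-version": { severity: "moderate", isDirect: false, effects: ["update-notifier"] },
    "update-notifier": { severity: "moderate", isDirect: false, effects: ["electron-builder"] },
    "electron-builder": { severity: "moderate", isDirect: true, effects: [] },
    "jpeg-js": { severity: "high", isDirect: false, effects: ["@jimp/jpeg"] },
    "@jimp/jpeg": { severity: "high", isDirect: false, effects: ["@jimp/types"] },
    "@jimp/types": { severity: "high", isDirect: false, effects: ["jimp"] },
    jimp: { severity: "high", isDirect: true, effects: [] },
  },
};
// Constructed package.json split for the example (an assumption, not Trilium's manifest).
const sampleManifest = {
  dependencies: { jimp: "^0.16.1" },
  devDependencies: { electron: "*", "@electron/remote": "*", "electron-packager": "*", "electron-builder": "*" },
};

// Walk the "effects" (dependent) edges from `name` and collect every direct dependency reached.
function reachableDirectDeps(vulns, name, visited = new Set(), found = new Set()) {
  if (visited.has(name) || !vulns[name]) return found;
  visited.add(name);
  if (vulns[name].isDirect) found.add(name);
  for (const dep of vulns[name].effects) reachableDirectDeps(vulns, dep, visited, found);
  return found;
}

// Advisory roots are packages that no other entry lists under "effects". A root is "runtime" if its
// chains reach a package in `dependencies`, "build-only" if only `devDependencies`, else "unreachable".
function triageAudit(audit, manifest) {
  const vulns = audit.vulnerabilities;
  const effected = new Set(Object.values(vulns).flatMap((v) => v.effects));
  const result = {};
  for (const name of Object.keys(vulns).filter((n) => !effected.has(n))) {
    const reaches = [...reachableDirectDeps(vulns, name)].sort();
    let scope = "unreachable";
    if (reaches.some((d) => d in manifest.dependencies)) scope = "runtime";
    else if (reaches.some((d) => d in manifest.devDependencies)) scope = "build-only";
    result[name] = { severity: vulns[name].severity, scope, reaches };
  }
  return result;
}
```

With the constructed data, got is classified "build-only" (it only reaches electron tooling) while jpeg-js is "runtime" via jimp; the scope answers reachability only, and a runtime finding still needs the impact judgement made above for jpeg-js.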