Dependencies security audit #368

Open
michaelrambeau opened this issue Jan 20, 2023 · 2 comments
michaelrambeau commented Jan 20, 2023

A lot of dependencies used by @uxpin/merge-cli are either deprecated, out-of-date or considered as vulnerable.

It leads to a lot of warning messages when installing the tool on a computer.

The purpose of this issue is to take a snapshot of the situation and to track the progress of the cleanup actions.

First audit • 2023-01-20

yarn audit

```
287 vulnerabilities found - Packages audited: 2554
Severity: 9 Low | 27 Moderate | 189 High | 62 Critical
```

Only production deps:

```
98 vulnerabilities found - Packages audited: 952
Severity: 11 Moderate | 62 High | 25 Critical
```

Using Snyk.io

Running snyk test command against 2.11.0:

```
Tested 741 dependencies for known issues, found 27 issues, 294 vulnerable paths.

Issues to fix by upgrading:

  Upgrade [email protected] to [email protected] to fix
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] and 1 other path(s)

  Upgrade [email protected] to [email protected] to fix
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SSRI-1246392] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected]


Patchable issues:

  Patch available for [email protected]
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/npm:extend:20180424] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] and 1 other path(s)

  Patch available for [email protected]
  ✗ Prototype Pollution [Medium Severity][https://security.snyk.io/vuln/npm:hoek:20180212] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected] and 3 other path(s)

  Patch available for [email protected]
  ✗ Uninitialized Memory Exposure [Medium Severity][https://security.snyk.io/vuln/npm:stringstream:20180511] in [email protected]
    introduced by [email protected] > [email protected] > [email protected]


Issues with no direct upgrade or patch:
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-AJV-584908] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected] and 3 other path(s)
  This issue was fixed in versions: 6.12.3
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] and 2 other path(s)
  This issue was fixed in versions: 3.0.1, 4.1.1, 5.0.1, 6.0.1
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-ASYNC-2441827] in [email protected]
    introduced by [email protected] > [email protected]
  This issue was fixed in versions: 2.6.4, 3.2.2
  ✗ Arbitrary File Write via Archive Extraction (Zip Slip) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-DECOMPRESSZIP-73598] in [email protected]
    introduced by [email protected] > [email protected]
  This issue was fixed in versions: 0.2.2, 0.3.2
  ✗ Exposure of Resource to Wrong Sphere [Low Severity][https://security.snyk.io/vuln/SNYK-JS-FSEVENTS-5487987] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected]
  This issue was fixed in versions: 1.2.11
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-HAWK-2808852] in [email protected]
    introduced by [email protected] > [email protected] > [email protected]
  This issue was fixed in versions: 9.0.1
  ✗ Prototype Pollution [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-JSON5-3182856] in [email protected]
    introduced by @babel/[email protected] > [email protected] and 1 other path(s)
  This issue was fixed in versions: 1.0.2, 2.2.2
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-JSONSCHEMA-1920922] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected]
  This issue was fixed in versions: 0.4.0
  ✗ Validation Bypass [Low Severity][https://security.snyk.io/vuln/SNYK-JS-KINDOF-537849] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] and 156 other path(s)
  This issue was fixed in versions: 6.0.3
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-3050818] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] and 2 other path(s)
  This issue was fixed in versions: 3.0.5
  ✗ Prototype Pollution [Low Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMIST-2429795] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] and 6 other path(s)
  This issue was fixed in versions: 0.2.4, 1.2.6
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-MIXINDEEP-450212] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] and 15 other path(s)
  This issue was fixed in versions: 2.0.1, 1.3.2
  ✗ Prototype Poisoning [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-3153490] in [email protected]
    introduced by [email protected] > [email protected] > [email protected]
  This issue was fixed in versions: 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3
  ✗ Server-side Request Forgery (SSRF) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-REQUEST-3361831] in [email protected]
    introduced by [email protected] > [email protected]
  No upgrade or patch available
  ✗ Cross-site Scripting (XSS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-536840] in [email protected]
    introduced by [email protected] > [email protected] > [email protected]
  This issue was fixed in versions: 2.1.1
  ✗ Arbitrary Code Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062] in [email protected]
    introduced by [email protected] > [email protected] > [email protected]
  This issue was fixed in versions: 3.1.0
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-SETVALUE-1540541] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] and 31 other path(s)
  This issue was fixed in versions: 4.0.1, 2.0.1
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-SETVALUE-450213] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] and 31 other path(s)
  This issue was fixed in versions: 2.0.1, 3.0.1
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-TRIM-1017038] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected]
  This issue was fixed in versions: 0.0.3
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] and 15 other path(s)
  This issue was fixed in versions: 2.0.1
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-Y18N-1021887] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected]
  This issue was fixed in versions: 3.2.2, 4.0.1, 5.0.5
  ✗ Insecure Randomness [Medium Severity][https://security.snyk.io/vuln/npm:cryptiles:20180710] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected]
  This issue was fixed in versions: 3.1.3, 4.1.2
```
michaelrambeau self-assigned this Jan 26, 2023

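A pasted `snyk test` report is hard to compare from one release to the next by eye: the findings worth tracking are the ones with no upstream fix at all (they need a dependency swap or a compensating control rather than a bump) and the ones pulled in through many paths. The parser below is an added example, not code from the uxpin/merge-cli project or from the issue author. It follows the line layout of the report quoted above; the sample report embedded in it is constructed, and its package names, versions and Snyk IDs are made up.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample following the layout of the `snyk test` text report quoted
# in this issue; package names, versions and Snyk IDs here are made up.
SAMPLE_SNYK_OUTPUT = """\
Tested 12 dependencies for known issues, found 4 issues, 5 vulnerable paths.

Issues to fix by upgrading:

  Upgrade example-cli@1.0.0 to example-cli@1.1.0 to fix
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-EXAMPLEA-0001] in glob-example@5.1.1
    introduced by example-cli@1.0.0 > chokidar-example@2.1.8 > glob-example@5.1.1 and 1 other path(s)


Patchable issues:

  Patch available for extend-example@3.0.1
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-EXAMPLEB-0002] in extend-example@3.0.1
    introduced by example-cli@1.0.0 > request-example@2.81.0 > extend-example@3.0.1


Issues with no direct upgrade or patch:
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-EXAMPLEC-0003] in ajv-example@6.10.2
    introduced by example-cli@1.0.0 > ajv-example@6.10.2
  This issue was fixed in versions: 6.12.3
  ✗ Server-side Request Forgery (SSRF) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-EXAMPLED-0004] in request-example@2.81.0
    introduced by example-cli@1.0.0 > request-example@2.81.0
  No upgrade or patch available
"""

# Section headers in the report tell us which remediation route applies.
SECTION_HEADERS = {
    "Issues to fix by upgrading:": "upgrade",
    "Patchable issues:": "patch",
    "Issues with no direct upgrade or patch:": "none",
}
ISSUE_RE = re.compile(
    r"^\s*✗ (?P<title>.+?) \[(?P<severity>\w+) Severity\]\[(?P<url>[^\]]+)\] in (?P<pkg>\S+)$"
)
PATH_RE = re.compile(r"^\s*introduced by (?P<path>.+?)(?: and (?P<extra>\d+) other path\(s\))?$")
FIXED_RE = re.compile(r"^\s*This issue was fixed in versions: (?P<versions>.+)$")


@dataclass
class Issue:
    title: str
    severity: str
    url: str
    package: str
    remediation: str                  # "upgrade", "patch" or "none" (report section)
    paths: int = 0                    # number of dependency paths that pull it in
    fixed_in: list = field(default_factory=list)
    no_fix_available: bool = False    # upstream has shipped no fixed version at all


def parse_snyk_output(text):
    """Turn the text report into Issue records, one per ✗ line."""
    issues, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTION_HEADERS:
            section = SECTION_HEADERS[stripped]
            continue
        m = ISSUE_RE.match(line)
        if m:
            issues.append(Issue(m["title"], m["severity"], m["url"], m["pkg"], section or "unknown"))
            continue
        if not issues:                # preamble lines before the first finding
            continue
        current = issues[-1]          # detail lines belong to the most recent finding
        path_match = PATH_RE.match(line)
        fixed_match = FIXED_RE.match(line)
        if path_match:
            current.paths = 1 + int(path_match["extra"] or 0)
        elif fixed_match:
            current.fixed_in = [v.strip() for v in fixed_match["versions"].split(",")]
        elif stripped == "No upgrade or patch available":
            current.no_fix_available = True
    return issues


def summarize(issues):
    """Counts by severity and remediation route, plus what needs more than a version bump."""
    return {
        "by_severity": dict(Counter(i.severity for i in issues)),
        "by_remediation": dict(Counter(i.remediation for i in issues)),
        "no_fix_available": [i.package for i in issues if i.no_fix_available],
        "widest_blast_radius": max(issues, key=lambda i: i.paths).package if issues else None,
    }


if __name__ == "__main__":
    found = parse_snyk_output(SAMPLE_SNYK_OUTPUT)
    for issue in found:
        print(f"{issue.severity:<7} {issue.remediation:<8} {issue.package:<24} {issue.title}")
    print(summarize(found))
```

Feeding the real report into `parse_snyk_output` (for example by piping `snyk test` to a file) gives a list that can be diffed between releases; the `no_fix_available` entries are the ones a cleanup like the `request` removal tracked in this issue has to address, since no upgrade will make them go away.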
michaelrambeau commented May 22, 2023

After v3.0.2 release (2023-05-15)

The version 3.0.2 should solve some issues as a deprecated dependency (request) was removed (details: #373 )

Output of yarn audit:

```
95 vulnerabilities found - Packages audited: 2175
Severity: 3 Low | 10 Moderate | 65 High | 17 Critical
```

| versions | 3.0.1 | 3.0.2 |
|---|---|---|
| Low | 9 | 3 (-6) |
| Moderate | 27 | 10 (-17) |
| High | 189 | 65 (-124) |
| Critical | 62 | 17 (-45) |
| Total | 287 | 95 (-192) |

michaelrambeau commented May 22, 2023

After v3.0.3 release (2023-05-22)

The version 3.0.2 should solve some issues as a deprecated dependency (request) was removed (details: #373 )

Output of yarn audit

```
34 vulnerabilities found - Packages audited: 1306
Severity: 6 Moderate | 28 High
```

| Vulnerabilities | Low | Moderate | High | Critical | Total |
|---|---|---|---|---|---|
| 2.7.10 | 9 | 44 | 230 | 68 | 351 |
| 2.8.2 | 9 | 43 | 232 | 69 | 353 |
| 3.0.0 | 3 | 25 | 153 | 56 | 237 |
| 3.0.2 | 3 | 10 | 65 | 17 | 95 |
| 3.0.3 | 0 | 6 | 38 | 0 | 43 |

Output of snyk test

```
Tested 460 dependencies for known issues, found 4 issues, 4 vulnerable paths.


Patchable issues:

  Patch available for [email protected]
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/npm:extend:20180424] in [email protected]
    introduced by @textlint/[email protected] > [email protected] > [email protected]


Issues with no direct upgrade or patch:
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-ASYNC-2441827] in [email protected]
    introduced by [email protected] > [email protected]
  This issue was fixed in versions: 2.6.4, 3.2.2
  ✗ Prototype Pollution [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-JSON5-3182856] in [email protected]
    introduced by [email protected] > @babel/[email protected] > [email protected]
  This issue was fixed in versions: 1.0.2, 2.2.2
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-3050818] in [email protected]
    introduced by [email protected] > [email protected] > [email protected]
  This issue was fixed in versions: 3.0.5
```
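The per-release tables in the comments above were built by hand from the `Severity:` line that `yarn audit` prints. The script below is an added example, not code from the uxpin/merge-cli project or from the issue author: it parses those summary lines, renders the same kind of delta table, and adds a simple release gate that fails when any severity count rises or Critical exceeds a budget. The input lines are the three `Severity:` lines quoted in this issue, keyed by the release they were tabulated under; note that yarn omits severities with a zero count (as in the 3.0.3 line), so the parser has to default them.

```python
import re

SEVERITIES = ("Low", "Moderate", "High", "Critical")
SEVERITY_RE = re.compile(r"(\d+) (Low|Moderate|High|Critical)")

# The "Severity:" summary lines quoted in this issue, keyed by release as the
# author tabulated them. yarn prints only severities with a non-zero count,
# which is why the 3.0.3 line has no Low or Critical entry.
AUDIT_LINES = {
    "3.0.1": "Severity: 9 Low | 27 Moderate | 189 High | 62 Critical",
    "3.0.2": "Severity: 3 Low | 10 Moderate | 65 High | 17 Critical",
    "3.0.3": "Severity: 6 Moderate | 28 High",
}


def parse_severity_line(line):
    """Map a yarn 'Severity:' line to counts; severities yarn omitted count as zero."""
    counts = {s: 0 for s in SEVERITIES}
    for n, sev in SEVERITY_RE.findall(line):
        counts[sev] = int(n)
    counts["Total"] = sum(counts[s] for s in SEVERITIES)
    return counts


def delta_table(audit_lines):
    """Rows (from, to, severity, before, after, delta) for each consecutive pair of releases."""
    versions = list(audit_lines)
    parsed = {v: parse_severity_line(audit_lines[v]) for v in versions}
    rows = []
    for prev, cur in zip(versions, versions[1:]):
        for key in SEVERITIES + ("Total",):
            before, after = parsed[prev][key], parsed[cur][key]
            rows.append((prev, cur, key, before, after, after - before))
    return rows


def render_markdown(rows):
    """Render delta rows as a GitHub-flavoured markdown table."""
    lines = ["| from | to | severity | before | after | delta |", "|---|---|---|---|---|---|"]
    for prev, cur, key, before, after, delta in rows:
        lines.append(f"| {prev} | {cur} | {key} | {before} | {after} | {delta:+d} |")
    return "\n".join(lines)


def release_gate(previous_line, current_line, critical_budget=0):
    """Return (ok, regressions): ok only if no severity rose and Critical is within budget."""
    before = parse_severity_line(previous_line)
    after = parse_severity_line(current_line)
    regressions = [s for s in SEVERITIES if after[s] > before[s]]
    ok = not regressions and after["Critical"] <= critical_budget
    return ok, regressions


if __name__ == "__main__":
    print(render_markdown(delta_table(AUDIT_LINES)))
    print("gate 3.0.2 -> 3.0.3:", release_gate(AUDIT_LINES["3.0.2"], AUDIT_LINES["3.0.3"]))
```

In CI the same gate can run over the output of the current and previous release so that a dependency update which reintroduces High or Critical findings is caught before it ships, rather than noticed in the next manual audit.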
