Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

npm audit - moderate vulnerabilities in deep json-schema dependency #434

Open
perry-mitchell opened this issue Nov 22, 2021 · 4 comments · May be fixed by #444
Open

npm audit - moderate vulnerabilities in deep json-schema dependency #434

perry-mitchell opened this issue Nov 22, 2021 · 4 comments · May be fixed by #444

Comments

@perry-mitchell
Copy link

Getting a handful of vulnerability warnings with this package when running npm audit on the latest version:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > node-gyp > request >           │
│               │ http-signature > jsprim > json-schema                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > @npmcli/run-script > node-gyp  │
│               │ > request > http-signature > jsprim > json-schema            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > pacote > @npmcli/run-script >  │
│               │ node-gyp > request > http-signature > jsprim > json-schema   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > @npmcli/arborist > pacote >    │
│               │ @npmcli/run-script > node-gyp > request > http-signature >   │
│               │ jsprim > json-schema                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > @npmcli/arborist >             │
│               │ @npmcli/metavuln-calculator > pacote > @npmcli/run-script >  │
│               │ node-gyp > request > http-signature > jsprim > json-schema   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > libnpmexec > @npmcli/arborist  │
│               │ > @npmcli/metavuln-calculator > pacote > @npmcli/run-script  │
│               │ > node-gyp > request > http-signature > jsprim > json-schema │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

With no clear way to fix this.

antongolub added a commit to antongolub-forks/semantic-release-npm that referenced this issue Dec 22, 2021
@antongolub antongolub linked a pull request Dec 22, 2021 that will close this issue
@antongolub
Copy link
Contributor

antongolub commented Dec 22, 2021

cc @travi , @gr2m

Suggestion: remove npm dependency. I still believe that the plugin always invokes global npm, so this dependency is completely useless.

Have a look:

const result = execa(

npm is called via execa. It is just a wrapper for child_process.exec by default. cp uses $PATH to find util ref, and it knows absolutely nothing about node_modules/.bin/npm.

git clone ... && npm i
npm -v
6.14.13

node -e "console.log(require('execa').sync('npm', ['-v']).stdout)"
6.14.13

node -e "console.log(require('./node_modules/npm/package.json').version)"
7.24.2

if we want execa to call the plugins's own npm version, we should pass preferlocal option.

node -e "console.log(require('execa').sync('npm', ['-v'], {preferLocal: true}).stdout)"
7.24.2

@gr2m
Copy link
Member

gr2m commented Dec 23, 2021

We had this discussion before, I think more than once. I don't have the time to dig it out.

It would be good if we could document the reasoning so that the same discussion doesn't pop up again

@antongolub
Copy link
Contributor

antongolub commented Dec 23, 2021

@gr2m, @travi,

from [email protected], preferLocal is set to false by default. The plugin uses ^5.0.0 now.

I have some time to dig )
#177, 2 Jul 2019, execa 1.0.0 → 2.0.2

https://github.com/sindresorhus/execa/releases/tag/v2.0.0
sindresorhus/execa#314
sindresorhus/execa@eb22ff7

@kf6kjg
Copy link

kf6kjg commented Feb 7, 2023

They've gone from moderate to high. The following is after a fresh checkout of master.

$ npm ci
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: https://about.codecov.io/blog/codecov-uploader-deprecation-plan/
npm WARN deprecated [email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

added 1169 packages, and audited 1380 packages in 41s

215 packages are looking for funding
  run `npm fund` for details

9 vulnerabilities (5 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

$ npm outdated
Package          Current  Wanted  Latest  Location                      Depended by
aggregate-error    3.1.0   3.1.0   4.0.1  node_modules/aggregate-error  npm
ava                5.1.0   5.1.0   5.2.0  node_modules/ava              npm
execa              5.1.1   5.1.1   6.1.0  node_modules/execa            npm
got               11.8.6  11.8.6  12.5.3  node_modules/got              npm
normalize-url      6.1.0   6.1.0   8.0.0  node_modules/normalize-url    npm
npm               8.19.3  8.19.3   9.4.1  node_modules/npm              npm
p-retry            4.6.2   4.6.2   5.1.2  node_modules/p-retry          npm
read-pkg           5.2.0   5.2.0   7.1.0  node_modules/read-pkg         npm
tempy              1.0.1   1.0.1   3.0.0  node_modules/tempy            npm
xo                0.36.1  0.36.1  0.53.1  node_modules/xo               npm

$ npm audit
# npm audit report

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/xo/node_modules/glob-parent
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/xo/node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/xo/node_modules/globby
      xo  0.4.0 - 0.41.0
      Depends on vulnerable versions of globby
      Depends on vulnerable versions of update-notifier
      node_modules/xo

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/package-json/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

http-cache-semantics  <4.1.1
Severity: moderate
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix`
node_modules/npm/node_modules/http-cache-semantics

9 vulnerabilities (5 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants