
T379710 npm audit fix and dependencies update #138

Merged
merged 3 commits into from
Dec 11, 2024

Conversation

hueitan (Member) commented Nov 27, 2024

Phabricator: https://phabricator.wikimedia.org/T379710

Update: audit report after the latest version update

up to date, audited 2205 packages in 2s

327 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

Full audit report
# npm audit report

body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via `npm audit fix`
node_modules/body-parser
  express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install @wordpress/[email protected], which is a breaking change
node_modules/braces
node_modules/sane/node_modules/braces
  micromatch  <=4.0.7
  Depends on vulnerable versions of braces
  node_modules/micromatch
  node_modules/sane/node_modules/micromatch
    anymatch  1.2.0 - 2.0.0
    Depends on vulnerable versions of micromatch
    node_modules/sane/node_modules/anymatch
      sane  1.5.0 - 4.1.0
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of micromatch
      node_modules/sane
        jest-haste-map  24.0.0-alpha.0 - 26.6.2
        Depends on vulnerable versions of sane
        node_modules/@wordpress/jest-preset-default/node_modules/jest-haste-map
        node_modules/@wordpress/scripts/node_modules/jest-haste-map
        node_modules/jest-jasmine2/node_modules/jest-haste-map
          @jest/core  <=26.6.3
          Depends on vulnerable versions of @jest/reporters
          Depends on vulnerable versions of @jest/transform
          Depends on vulnerable versions of jest-config
          Depends on vulnerable versions of jest-haste-map
          Depends on vulnerable versions of jest-resolve-dependencies
          Depends on vulnerable versions of jest-runner
          Depends on vulnerable versions of jest-runtime
          Depends on vulnerable versions of jest-snapshot
          node_modules/@wordpress/scripts/node_modules/@jest/core
            jest  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/core
            Depends on vulnerable versions of jest-cli
            node_modules/@wordpress/scripts/node_modules/jest
              @wordpress/scripts  >=1.0.1-0
              Depends on vulnerable versions of @svgr/webpack
              Depends on vulnerable versions of @wordpress/jest-preset-default
              Depends on vulnerable versions of @wordpress/stylelint-config
              Depends on vulnerable versions of babel-jest
              Depends on vulnerable versions of cross-spawn
              Depends on vulnerable versions of jest
              Depends on vulnerable versions of jest-circus
              Depends on vulnerable versions of jest-dev-server
              Depends on vulnerable versions of markdownlint
              Depends on vulnerable versions of markdownlint-cli
              Depends on vulnerable versions of puppeteer-core
              Depends on vulnerable versions of stylelint
              node_modules/@wordpress/scripts
            jest-cli  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/core
            Depends on vulnerable versions of jest-config
            node_modules/@wordpress/scripts/node_modules/jest-cli
          @jest/reporters  <=26.6.2
          Depends on vulnerable versions of @jest/transform
          Depends on vulnerable versions of jest-haste-map
          node_modules/@wordpress/scripts/node_modules/@jest/reporters
          @jest/test-sequencer  <=26.6.3
          Depends on vulnerable versions of jest-haste-map
          Depends on vulnerable versions of jest-runner
          Depends on vulnerable versions of jest-runtime
          node_modules/@wordpress/scripts/node_modules/@jest/test-sequencer
          node_modules/jest-jasmine2/node_modules/@jest/test-sequencer
            jest-config  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/test-sequencer
            Depends on vulnerable versions of babel-jest
            Depends on vulnerable versions of jest-jasmine2
            node_modules/@wordpress/scripts/node_modules/@jest/core/node_modules/jest-config
            node_modules/@wordpress/scripts/node_modules/jest-cli/node_modules/jest-config
            node_modules/@wordpress/scripts/node_modules/jest-runner/node_modules/jest-config
            node_modules/@wordpress/scripts/node_modules/jest-runtime/node_modules/jest-config
            node_modules/jest-jasmine2/node_modules/jest-config
              jest-runner  24.0.0-alpha.0 - 26.6.3
              Depends on vulnerable versions of jest-config
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-runtime
              node_modules/@wordpress/scripts/node_modules/jest-runner
              node_modules/jest-jasmine2/node_modules/jest-runner
                jest-circus  25.2.4 - 26.6.3
                Depends on vulnerable versions of jest-runner
                Depends on vulnerable versions of jest-runtime
                Depends on vulnerable versions of jest-snapshot
                node_modules/@wordpress/scripts/node_modules/jest-circus
              jest-runtime  24.0.0-alpha.0 - 26.6.3
              Depends on vulnerable versions of @jest/transform
              Depends on vulnerable versions of jest-config
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-snapshot
              node_modules/@wordpress/scripts/node_modules/jest-runtime
              node_modules/jest-jasmine2/node_modules/jest-runtime
                jest-jasmine2  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of jest-runtime
                Depends on vulnerable versions of jest-snapshot
                node_modules/jest-jasmine2
          @jest/transform  <=26.6.2
          Depends on vulnerable versions of jest-haste-map
          node_modules/@wordpress/jest-preset-default/node_modules/@jest/transform
          node_modules/@wordpress/scripts/node_modules/@jest/transform
          node_modules/jest-jasmine2/node_modules/@jest/transform
            babel-jest  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/transform
            node_modules/@wordpress/jest-preset-default/node_modules/babel-jest
            node_modules/@wordpress/scripts/node_modules/babel-jest
            node_modules/jest-jasmine2/node_modules/babel-jest
              @wordpress/jest-preset-default  4.1.0 - 7.1.5-next.33ec3857e2.0
              Depends on vulnerable versions of babel-jest
              node_modules/@wordpress/jest-preset-default
          jest-snapshot  24.2.0-alpha.0 - 24.5.0 || 26.1.0 - 26.6.2
          Depends on vulnerable versions of jest-haste-map
          node_modules/@wordpress/scripts/node_modules/jest-snapshot
          node_modules/jest-jasmine2/node_modules/jest-snapshot
            jest-resolve-dependencies  26.1.0 - 26.6.3
            Depends on vulnerable versions of jest-snapshot
            node_modules/@wordpress/scripts/node_modules/jest-resolve-dependencies

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix`
node_modules/cookie

cross-spawn  <6.0.6 || >=7.0.0 <7.0.5
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix --force`
Will install @wordpress/[email protected], which is a breaking change
node_modules/@pkgr/utils/node_modules/cross-spawn
node_modules/@storybook/cli/node_modules/cross-spawn
node_modules/@storybook/codemod/node_modules/cross-spawn
node_modules/@wordpress/scripts/node_modules/eslint/node_modules/cross-spawn
node_modules/@wordpress/scripts/node_modules/execa/node_modules/cross-spawn
node_modules/cross-spawn
node_modules/default-browser/node_modules/cross-spawn
node_modules/eslint/node_modules/cross-spawn
node_modules/execa/node_modules/cross-spawn
node_modules/foreground-child/node_modules/cross-spawn
node_modules/sane/node_modules/cross-spawn
node_modules/webpack-cli/node_modules/cross-spawn

dompurify  3.0.0 - 3.1.2
Severity: high
DOMPurify allows tampering by prototype pollution - https://github.com/advisories/GHSA-mmhx-hmjr-r674
DOMpurify has a nesting-based mXSS - https://github.com/advisories/GHSA-gx9m-whjm-85jf
fix available via `npm audit fix`
node_modules/dompurify

ejs  <3.1.10
Severity: moderate
ejs lacks certain pollution protection - https://github.com/advisories/GHSA-ghr5-ch3p-vcr6
fix available via `npm audit fix`
node_modules/ejs


ip  *
Severity: high
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
fix available via `npm audit fix`
node_modules/ip

markdown-it  <12.3.2
Severity: moderate
Uncontrolled Resource Consumption in markdown-it - https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
fix available via `npm audit fix --force`
Will install @wordpress/[email protected], which is a breaking change
node_modules/markdown-it
  markdownlint  <=0.25.0
  Depends on vulnerable versions of markdown-it
  node_modules/markdownlint
    markdownlint-cli  <=0.30.0
    Depends on vulnerable versions of markdownlint
    node_modules/markdownlint-cli


node-fetch  <2.6.7
Severity: high
node-fetch forwards secure headers to untrusted sites - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix --force`
Will install @wordpress/[email protected], which is a breaking change
node_modules/node-fetch
  puppeteer-core  10.0.0 - 13.1.1
  Depends on vulnerable versions of node-fetch
  Depends on vulnerable versions of ws
  node_modules/puppeteer-core

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install @wordpress/[email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack

path-to-regexp  <=0.1.9 || 4.0.0 - 6.2.2
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix`
node_modules/express/node_modules/path-to-regexp
node_modules/path-to-regexp

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install @wordpress/[email protected], which is a breaking change
node_modules/postcss-less/node_modules/postcss
node_modules/postcss-safe-parser/node_modules/postcss
node_modules/postcss-sass/node_modules/postcss
node_modules/postcss-scss/node_modules/postcss
node_modules/stylelint/node_modules/postcss
node_modules/sugarss/node_modules/postcss
  autoprefixer  1.0.20131222 - 9.8.8
  Depends on vulnerable versions of postcss
  node_modules/stylelint/node_modules/autoprefixer
    stylelint  0.1.0 - 13.13.1
    Depends on vulnerable versions of autoprefixer
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-less
    Depends on vulnerable versions of postcss-safe-parser
    Depends on vulnerable versions of postcss-sass
    Depends on vulnerable versions of postcss-scss
    Depends on vulnerable versions of sugarss
    node_modules/stylelint
      @wordpress/stylelint-config  <=19.1.1-next.5df0cd52b7.0
      Depends on vulnerable versions of stylelint
      Depends on vulnerable versions of stylelint-config-recommended-scss
      Depends on vulnerable versions of stylelint-scss
      node_modules/@wordpress/stylelint-config
      stylelint-config-recommended  <=2.2.0 || 4.0.0 - 5.0.0
      Depends on vulnerable versions of stylelint
      node_modules/stylelint-config-recommended-scss/node_modules/stylelint-config-recommended
        stylelint-config-recommended-scss  <=4.3.0
        Depends on vulnerable versions of stylelint
        Depends on vulnerable versions of stylelint-config-recommended
        Depends on vulnerable versions of stylelint-scss
        node_modules/stylelint-config-recommended-scss
      stylelint-scss  0.0.0-alpha.1 || 1.0.0 - 3.21.0
      Depends on vulnerable versions of stylelint
      node_modules/stylelint-scss
  postcss-less  <=3.1.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-less
  postcss-safe-parser  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-safe-parser
  postcss-sass  <=0.4.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-sass
  postcss-scss  <=2.1.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-scss
  sugarss  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/sugarss

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install @wordpress/[email protected], which is a breaking change
node_modules/request
  wait-on  <=4.0.2
  Depends on vulnerable versions of request
  node_modules/wait-on
    jest-dev-server  4.1.1 - 4.4.0
    Depends on vulnerable versions of wait-on
    node_modules/jest-dev-server

send  <0.19.0
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix`
node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static


tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install @wordpress/[email protected], which is a breaking change
node_modules/tough-cookie

webpack  5.0.0-alpha.0 - 5.93.0
Severity: moderate
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - https://github.com/advisories/GHSA-4vvj-4cpr-p986
fix available via `npm audit fix`
node_modules/webpack

ws  6.0.0 - 6.2.2 || 7.0.0 - 7.5.9 || 8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix --force`
Will install @wordpress/[email protected], which is a breaking change
node_modules/@storybook/cli/node_modules/ws
node_modules/jsdom/node_modules/ws
node_modules/puppeteer-core/node_modules/ws
node_modules/webpack-bundle-analyzer/node_modules/ws
node_modules/ws

60 vulnerabilities (3 low, 40 moderate, 17 high)

There is an issue when doing `npm audit fix --force`, reported here: WordPress/gutenberg#63771 (comment). Add the fix commit 634a5f2 until wordpress/script no longer gets reverted back to 1.0.0.
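An added example, not code from the pull request or the repository: a small JavaScript parser for the text report format quoted above. It turns each top-level finding into a record, de-duplicates the advisory lines npm repeats per affected range, and separates findings a plain `npm audit fix` resolves from those whose fix is a breaking upgrade (`--force`), which is the bucket a reviewer should look at by hand before it lands. The embedded report is a constructed, abridged excerpt in the same shape as the one in the PR description; `X.Y.Z` stands in for the real upgrade version.

```javascript
// Added example (not from the pull request or the project): parse the text
// report that `npm audit` prints and split the findings into those a plain
// `npm audit fix` resolves and those that need `npm audit fix --force`,
// i.e. a breaking upgrade that deserves manual review before merging.

// Parse the text form of an npm audit report into one record per top-level
// finding: { name, range, severity, advisories, needsForce, breakingInstall, paths }.
function parseAuditReport(text) {
  const findings = [];
  for (const block of text.split(/\n\s*\n/)) { // findings are separated by blank lines
    // Unindented lines describe the top-level package; indented lines are the
    // dependents that inherit the vulnerability, and '#' lines are the banner.
    const lines = block.split('\n').filter((l) => l.length > 0 && !/^\s/.test(l) && !l.startsWith('#'));
    if (lines.length === 0) continue;
    const header = lines[0].match(/^(\S+)\s{2,}(.+)$/); // "<package>  <vulnerable range>"
    if (!header) continue; // e.g. the trailing "N vulnerabilities (...)" summary line
    const finding = {
      name: header[1],
      range: header[2].trim(),
      severity: 'unspecified', // npm prints no Severity line for some findings; do not guess
      advisories: [],
      needsForce: false,
      breakingInstall: null,
      paths: [],
    };
    for (const line of lines.slice(1)) {
      if (line.startsWith('Severity: ')) {
        finding.severity = line.slice('Severity: '.length).trim();
      } else if (line.includes(' - https://github.com/advisories/')) {
        const idx = line.lastIndexOf(' - ');
        const url = line.slice(idx + 3).trim();
        // npm repeats an advisory once per affected version range; keep one copy per URL.
        if (!finding.advisories.some((a) => a.url === url)) {
          finding.advisories.push({ title: line.slice(0, idx).trim(), url });
        }
      } else if (line.startsWith('fix available via')) {
        finding.needsForce = line.includes('--force');
      } else if (line.startsWith('Will install ')) {
        finding.breakingInstall = line.trim();
      } else if (line.startsWith('node_modules/')) {
        finding.paths.push(line.trim());
      }
      // "Depends on vulnerable versions of ..." lines add nothing at this level.
    }
    findings.push(finding);
  }
  return findings;
}

// Bucket findings by remediation path and count them by severity.
function triage(findings) {
  const bySeverity = {};
  for (const f of findings) bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
  return {
    safe: findings.filter((f) => !f.needsForce),
    breaking: findings.filter((f) => f.needsForce),
    bySeverity,
  };
}

// Constructed sample: an abridged excerpt in the same shape as the report in
// the PR description. "X.Y.Z" is a placeholder for the real upgrade version.
const SAMPLE_REPORT = `# npm audit report

body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via \`npm audit fix\`
node_modules/body-parser
  express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of body-parser
  node_modules/express

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via \`npm audit fix\`
node_modules/cookie

ws  6.0.0 - 6.2.2 || 7.0.0 - 7.5.9 || 8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via \`npm audit fix --force\`
Will install @wordpress/scripts@X.Y.Z, which is a breaking change
node_modules/jsdom/node_modules/ws
node_modules/ws

3 vulnerabilities (1 low, 2 high)
`;

// Summarise the sample report as plain data so it can be logged or checked.
function demoTriage() {
  const { safe, breaking, bySeverity } = triage(parseAuditReport(SAMPLE_REPORT));
  return {
    bySeverity,
    safe: safe.map((f) => f.name),
    breaking: breaking.map((f) => `${f.name} ${f.range} (${f.severity}): ${f.breakingInstall}`),
  };
}

console.log(JSON.stringify(demoTriage(), null, 2));
```

Run it with `node` on a report saved from `npm audit` (or pipe `npm audit` output into it) to get the list of findings that need a `--force` upgrade; those are the ones to check against the upstream changelog, as this PR had to do for `@wordpress/scripts`, rather than accepting the major bump blindly.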

@hueitan hueitan marked this pull request as ready for review December 2, 2024 09:59
hueitan (Member, Author) commented Dec 11, 2024

Good news: the WordPress team has fixed the issue and we no longer need the overrides.

@hueitan hueitan merged commit dba7f40 into main Dec 11, 2024
1 check passed
@hueitan hueitan deleted the T379710-npm-audit branch December 11, 2024 15:22