Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

npm audit returns dependency vulnerabilities #97

Open
neilcampbell opened this issue Dec 7, 2023 · 7 comments
Open

npm audit returns dependency vulnerabilities #97

neilcampbell opened this issue Dec 7, 2023 · 7 comments

Comments

@neilcampbell
Copy link

When running npm audit against the repo, the following vulnerabilities are detected.

# npm audit report

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios

chromedriver  <119.0.1
Severity: moderate
chromedriver Command Injection vulnerability - https://github.com/advisories/GHSA-hm92-vgmw-qfmx
fix available via `npm audit fix`
node_modules/chromedriver

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install download@3.3.0, which is a breaking change
node_modules/download/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/download

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install download@3.3.0, which is a breaking change
node_modules/download/node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/download/node_modules/cacheable-request

undici  <5.26.2
Undici's cookie header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-wqq4-5wpv-mx2g
fix available via `npm audit fix`
node_modules/undici

7 vulnerabilities (1 low, 3 moderate, 3 high)

A couple are fixable, however the high severity ones aren't and appear to be dependencies of the download package, which appears to have been abandoned.

Is there any plans or work in progress to move away from using the download package?
@christian-bromann
Copy link
Contributor

@neilcampbell thanks for reporting. These vulnerabilities will be resolved with #94 where we remove the dependency to the download package.

@neilcampbell
Copy link
Author

neilcampbell commented Dec 8, 2023
edited
Loading

@christian-bromann Amazing stuff, thanks!

@seanpoulter
Copy link
Contributor

I took over #94 and dropped the dependency update in #105. Are we good to update all the dependencies next?

@seanpoulter seanpoulter mentioned this issue Feb 15, 2024
Merged
@christian-bromann
Copy link
Contributor

@seanpoulter let's update all dependencies if possible. We should always stay up to date!

@seanpoulter
Copy link
Contributor

Hello from Ottawa, Canada @neilcampbell. I'll second your suggestion that we want to replace download@^4. Do either of you have a preference? My suggestion would be to find out what we're using in webdriverio/webdriverio.

I'll open a PR to update undici now. We're limited to v5.x because v6 drops support for Node v16.

@seanpoulter
Copy link
Contributor

We're down to these three:

# npm audit report

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install download@3.3.0, which is a breaking change
node_modules/download/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/download

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install download@3.3.0, which is a breaking change
node_modules/download/node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/download/node_modules/cacheable-request

pkg  *
Severity: moderate
Pkg Local Privilege Escalation - https://github.com/advisories/GHSA-22r3-9w55-cj54
No fix available
node_modules/pkg

5 vulnerabilities (2 moderate, 3 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

We've already talked about replacing download. It turns out pkg is also no longer maintained.

@christian-bromann
Copy link
Contributor

My suggestion would be to find out what we're using in webdriverio/webdriverio.

What are we doing there? If there is an easy way to replace download and pkg I am happy to explore that. That said, I am also fine to keep this ticket around in case someone wants to pick this up but I don't see these vulnerabilities being in any way relevant to the end user. This is why it had a very low priority for me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@christian-bromann @neilcampbell @seanpoulter