Feature request : Bump Electron to 25 possible, if so, how hard ?
AkechiShiro opened this issue · comments
Is your feature request related to a problem? Please describe.
I'm not sure why is Bloodhound stuck on using Electron 11, the Electron code isn't receiving much updates anymore since a while, there are only more feature or updated queries that I see in recent commits.
Describe the solution you'd like
How hard is it to move up to Electron 25, the current codebase, I have no idea if that is possible or if that would require an enormous effort (lots of deprecated features are used maybe)
Describe alternatives you've considered
I tried looking for another tool like BloodHound but actively maintained but didn't find a very close/similar tool open source.
Additional context
I'm concerned about the actual codebase and the security of the tool, npm audit shows 38 vulnerabilities (I'm aware most vulnerabilities are not as critical as it sound, since BloodHound isn't used to browse online but is used to browse a local Neo4j server with user controlled data input).
> npm audit
# npm audit report
decode-uri-component <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component
electron <=21.4.4
Severity: moderate
Depends on vulnerable versions of @electron/get
AutoUpdater module fails to validate certain nested components of the bundle - https://github.com/advisories/GHSA-77xc-hjv8-ww97
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled - https://github.com/advisories/GHSA-mq8j-3h7h-p8g7
Exfiltration of hashed SMB credentials on Windows via file:// redirect - https://github.com/advisories/GHSA-p2jh-44qj-pf2v
Renderers can obtain access to random bluetooth device without permission in Electron - https://github.com/advisories/GHSA-3p22-ghq8-v749
fix available via `npm audit fix --force`
Will install electron@25.3.1, which is a breaking change
node_modules/electron
fsevents 1.0.0 - 1.2.10
Severity: critical
Malware in fsevents - https://github.com/advisories/GHSA-xv2f-5jw4-v95m
fix available via `npm audit fix`
node_modules/fsevents
glob-parent <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install webpack@5.88.2, which is a breaking change
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install electron@25.3.1, which is a breaking change
node_modules/got
@electron/get <=1.14.1
Depends on vulnerable versions of got
node_modules/@electron/get
electron-packager 14.0.0 - 15.5.2
Depends on vulnerable versions of @electron/get
node_modules/electron-packager
http-cache-semantics <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix`
node_modules/http-cache-semantics
ini <1.3.6
Severity: high
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse - https://github.com/advisories/GHSA-qqgx-2p2h-9c37
fix available via `npm audit fix`
node_modules/fsevents/node_modules/ini
json5 <1.0.2 || >=2.0.0 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/json5
node_modules/loader-utils/node_modules/json5
node_modules/webpack-cli/node_modules/json5
jszip <=3.7.1
Severity: high
Prototype Pollution - https://github.com/advisories/GHSA-jg8v-48h5-wgxg
JSZip contains Path Traversal via loadAsync - https://github.com/advisories/GHSA-36fh-84j7-cv5h
No fix available
node_modules/jszip
xlsx *
Depends on vulnerable versions of jszip
node_modules/xlsx
linkurious *
Depends on vulnerable versions of dagre
Depends on vulnerable versions of xlsx
node_modules/linkurious
loader-utils <=1.4.1 || 2.0.0 - 2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
fix available via `npm audit fix`
node_modules/babel-loader/node_modules/loader-utils
node_modules/loader-utils
node_modules/style-loader/node_modules/loader-utils
node_modules/webpack-cli/node_modules/loader-utils
lodash <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via `npm audit fix`
node_modules/linkurious/node_modules/lodash
dagre 0.5.0 - 0.7.4
Depends on vulnerable versions of graphlib
Depends on vulnerable versions of lodash
node_modules/linkurious/node_modules/dagre
graphlib 0.8.0 - 2.1.0
Depends on vulnerable versions of lodash
node_modules/linkurious/node_modules/graphlib
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/fsevents/node_modules/minimatch
minimist <=0.2.3 || 1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/fsevents/node_modules/minimist
node_modules/fsevents/node_modules/rc/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/fsevents/node_modules/mkdirp
node-fetch <=2.6.6
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
fix available via `npm audit fix --force`
Will install react-images@0.6.7, which is a breaking change
node_modules/node-fetch
isomorphic-fetch 2.0.0 - 2.2.1
Depends on vulnerable versions of node-fetch
node_modules/isomorphic-fetch
fbjs 0.7.0 - 1.0.0
Depends on vulnerable versions of isomorphic-fetch
node_modules/fbjs
glam >=5.0.1
Depends on vulnerable versions of fbjs
node_modules/glam
react-images >=1.0.0-alpha.1
Depends on vulnerable versions of glam
node_modules/react-images
qs 6.7.0 - 6.7.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/body-parser/node_modules/qs
node_modules/express/node_modules/qs
body-parser 1.19.0
Depends on vulnerable versions of qs
node_modules/body-parser
express 4.17.0 - 4.17.1 || 5.0.0-alpha.1 - 5.0.0-alpha.8
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of qs
node_modules/express
semver <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/@babel/cli/node_modules/semver
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/@babel/helper-define-polyfill-provider/node_modules/semver
node_modules/@babel/preset-env/node_modules/semver
node_modules/@babel/register/node_modules/semver
node_modules/@electron/get/node_modules/semver
node_modules/babel-loader/node_modules/semver
node_modules/babel-plugin-polyfill-corejs2/node_modules/semver
node_modules/core-js-compat/node_modules/semver
node_modules/cross-spawn/node_modules/semver
node_modules/css-loader/node_modules/semver
node_modules/eslint-plugin-react/node_modules/semver
node_modules/find-cache-dir/node_modules/semver
node_modules/fsevents/node_modules/semver
node_modules/node-environment-flags/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/semver
core-js-compat 3.6.0 - 3.25.0
Depends on vulnerable versions of semver
node_modules/core-js-compat
tar <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-qq89-hq3f-393p
fix available via `npm audit fix`
node_modules/fsevents/node_modules/tar
terser <4.8.1
Severity: high
Terser insecure use of regular expressions leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via `npm audit fix`
node_modules/terser
ua-parser-js <0.7.33
Severity: high
ReDoS Vulnerability in ua-parser-js version - https://github.com/advisories/GHSA-fhg7-m89q-25r3
fix available via `npm audit fix`
node_modules/ua-parser-js
word-wrap <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
38 vulnerabilities (7 moderate, 26 high, 5 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Its actually very very difficult. I've tried twice already and gave up after a few hours of trying to sort out deps. Its not really worth the effort to pursue right now with a major codebase rewrite coming up in the future
@AkechiShiro - thanks for the input, we definitely agree that running on such an old version of Electron is non-ideal. As @rvazarkar alluded to, some big changes are coming that should address your concerns.