vite-pwa / vite-plugin-pwa

Zero-config PWA for Vite

Home Page:https://vite-pwa-org.netlify.app/

fix: update vulnerable dependencies

larsrickert opened this issue · comments

With version 0.11.13 I get 6 high severity vulnerabilities. Below is the npm audit report, my dependencies and system information.

  • node version: 16.14.2
  • npm version: 8.5.0

npm audit report

async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install vite-plugin-pwa@0.11.3, which is a breaking change
node_modules/async
  jake  >=8.0.1
  Depends on vulnerable versions of async
  node_modules/jake
    ejs  >=3.1.2
    Depends on vulnerable versions of jake
    node_modules/ejs
      @surma/rollup-plugin-off-main-thread  >=2.2.0
      Depends on vulnerable versions of ejs
      node_modules/@surma/rollup-plugin-off-main-thread
        workbox-build  >=6.4.0
        Depends on vulnerable versions of @surma/rollup-plugin-off-main-thread
        node_modules/workbox-build
          vite-plugin-pwa  >=0.11.5
          Depends on vulnerable versions of workbox-build
          node_modules/vite-plugin-pwa

6 high severity vulnerabilities

My dependencies

{
  "dependencies": {
    "@capacitor/browser": "^1.0.7",
    "@capacitor/core": "^3.4.3",
    "@capacitor/device": "^1.1.2",
    "@capacitor/local-notifications": "^1.1.0",
    "@capacitor/network": "^1.0.7",
    "@capacitor/storage": "^1.2.5",
    "@ionic/vue": "^6.1.0",
    "@ionic/vue-router": "^6.1.0",
    "axios": "^0.26.1",
    "lottie-web": "^5.9.2",
    "pinia": "^2.0.13",
    "sanitize-html": "^2.7.0",
    "v-calendar": "^3.0.0-alpha.8",
    "vue": "^3.2.33",
    "vue-i18n": "^9.1.9",
    "vue-router": "^4.0.14"
  },
  "devDependencies": {
    "@capacitor/cli": "^3.4.3",
    "@intlify/vite-plugin-vue-i18n": "^3.4.0",
    "@semantic-release/changelog": "^6.0.1",
    "@semantic-release/git": "^10.0.1",
    "@types/node": "^16.11.10",
    "@types/sanitize-html": "^2.6.2",
    "@typescript-eslint/eslint-plugin": "^5.19.0",
    "@typescript-eslint/parser": "^5.19.0",
    "@vitejs/plugin-vue": "^2.3.1",
    "eslint": "^8.13.0",
    "eslint-config-prettier": "^8.5.0",
    "eslint-plugin-vue": "^8.6.0",
    "prettier": "^2.6.2",
    "sass": "^1.50.0",
    "semantic-release-monorepo": "^7.0.5",
    "typescript": "^4.6.3",
    "vite": "^2.9.5",
    "vite-plugin-eslint": "~1.3.0",
    "vite-plugin-pwa": "^0.11.13",
    "vue-tsc": "^0.34.6"
  }
}

Hello @larsrickert, I have the exact same problem as you. I tried npm audit fix --force, which installed version 0.11.3, but I still have 5 high severity vulnerabilities. I think we will have to wait for an update.

npm audit report

async  <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install vite-plugin-pwa@0.11.3, which is a breaking change
node_modules/async
  jake  >=8.0.1
  Depends on vulnerable versions of async
  node_modules/jake
    ejs  >=3.1.2
    Depends on vulnerable versions of jake
    node_modules/ejs
      @surma/rollup-plugin-off-main-thread  >=2.2.0
      Depends on vulnerable versions of ejs
      node_modules/@surma/rollup-plugin-off-main-thread
        workbox-build  >=6.4.0
        Depends on vulnerable versions of @surma/rollup-plugin-off-main-thread
        node_modules/workbox-build
          vite-plugin-pwa  >=0.11.5
          Depends on vulnerable versions of workbox-build
          node_modules/vite-plugin-pwa

6 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

I'll try to fix it in the next few days

ok, checking the repo it seems we have 4 vulnerabilities, 3 high and 1 critical (I have a local repo with the latest versions, not the main branch):

  • minimist: only used on the sveltekit-pwa example, fast-glob and fs-extra
  • prismjs: on vitepress (docs package)
  • node-fetch: I don't know who is using it, the sveltekit example is using 3.1.0
  • async: workbox-build dependencies, it seems we need to send it upstream

I'm preparing a new release (minor); maybe we need a fix later.

pnpm audit
┌─────────────────────┬───────────────────────────────────────────────────┐
│ critical            │ Prototype Pollution in minimist                   │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Package             │ minimist                                          │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Vulnerable versions │ <1.2.6                                            │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Patched versions    │ >=1.2.6                                           │
├─────────────────────┼───────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xvch-5gv4-984h │
└─────────────────────┴───────────────────────────────────────────────────┘
┌─────────────────────┬───────────────────────────────────────────────────┐
│ high                │ Cross-site Scripting in Prism                     │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Package             │ prismjs                                           │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Vulnerable versions │ >=1.14.0 <1.27.0                                  │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Patched versions    │ >=1.27.0                                          │
├─────────────────────┼───────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-3949-f494-cm99 │
└─────────────────────┴───────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────────────────────────────────────┐
│ high                │ node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor │
├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────┤
│ Package             │ node-fetch                                                                             │
├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <2.6.7                                                                                 │
├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────┤
│ Patched versions    │ >=2.6.7                                                                                │
├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-r683-j2x4-v87g                                      │
└─────────────────────┴────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────┬───────────────────────────────────────────────────┐
│ high                │ Prototype Pollution in async                      │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Package             │ async                                             │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Vulnerable versions │ <2.6.4                                            │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Patched versions    │ >=2.6.4                                           │
├─────────────────────┼───────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-fwr7-v2mv-hh25 │
└─────────────────────┴───────────────────────────────────────────────────┘
4 vulnerabilities found
Severity: 3 high | 1 critical

Hello,

after the update to v0.12.0, I still have warnings of vulnerabilities coming from vite-plugin-pwa according to npm. Is it normal? Thank you very much in advance!

npm audit report

async  <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install vite-plugin-pwa@0.11.3, which is a breaking change
node_modules/async
  jake  >=8.0.1
  Depends on vulnerable versions of async
  node_modules/jake
    ejs  >=3.1.2
    Depends on vulnerable versions of jake
    node_modules/ejs
      @surma/rollup-plugin-off-main-thread  >=2.2.0
      Depends on vulnerable versions of ejs
      node_modules/@surma/rollup-plugin-off-main-thread
        workbox-build  >=6.4.0
        Depends on vulnerable versions of @surma/rollup-plugin-off-main-thread
        node_modules/workbox-build
          vite-plugin-pwa  >=0.11.5
          Depends on vulnerable versions of workbox-build
          node_modules/vite-plugin-pwa

6 high severity vulnerabilities

Same here.

@BenjaminOddou @BenMcLean filed an issue on ejs to update jake: mde/ejs#668. Once resolved, we'll update dependencies.

EDIT: I can add the resolutions entry to a sample repo, and adding a preinstall script seems to work, but running npm install twice leaves the npm lock file wrong (see log below). Maybe you can try it. Once there aren't vulnerabilities, running npm ls async fails, so you will need to check whether it is working once the vulnerability is fixed:

npm ls async
npm-pwa-0.12.0@1.0.0 F:\work\projects\quini\GitHub\issue-repro\npm-pwa-0.12.0
`-- vite-plugin-pwa@0.12.0
  `-- workbox-build@6.5.3
    `-- @surma/rollup-plugin-off-main-thread@2.2.3
      `-- ejs@3.1.6
        `-- jake@10.8.4
          `-- async@^3.2.3 invalid: "0.9.x" from node_modules/jake

npm ERR! code ELSPROBLEMS
npm ERR! invalid: async@^3.2.3 F:\work\projects\quini\GitHub\issue-repro\npm-pwa-0.12.0\node_modules\async

npm ERR! A complete log of this run can be found in:
npm ERR!     C:\Users\userquin\AppData\Local\npm-cache\_logs\2022-04-19T18_51_59_476Z-debug.log

resolutions entry to add to package.json:

"resolutions": {
  "async": "^3.2.3"
}

preinstall script (will prompt for installing npm-force-resolutions if missing):

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

@BenMcLean @BenjaminOddou if you can confirm that the workaround works, maybe we can add it to the FAQ until fixed on ejs (and workbox deps, there is already an issue on the repo: GoogleChrome/workbox#3061). I need to check it also using yarn but the workaround should also work.
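As an added example (not code from vite-plugin-pwa or from anyone in this thread), here is a small Node script that reproduces offline the two checks npm ran above: the `npm audit` check (is an installed version inside an advisory's vulnerable range?) and the `npm ls` "invalid" check (does the installed version satisfy the range the dependant declared, which is what fails for `async@^3.2.3 invalid: "0.9.x" from node_modules/jake` once the resolution is forced?). The advisory ranges are the ones printed by the audit reports in this thread; the three lockfile objects are constructed for the example, and every declared range in them other than jake's `0.9.x` is an assumption, as are the ejs/jake versions used for the "fixed" tree.

```javascript
// Added example, not code from vite-plugin-pwa or from anyone in this thread: an offline
// package-lock checker reproducing the two checks npm ran above. `npm audit` flags versions
// inside an advisory range; `npm ls` flags "invalid" installs whose version does not satisfy
// the range the dependant declared. Range support is limited to ^, ~, x-wildcards, >= > <= < = and "||".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// Expand one range token into [operator, version] comparators.
function comparators(tok) {
  if (tok === '' || tok === '*') return [];
  let m;
  if ((m = /^([\^~])(\d+)\.(\d+)\.(\d+)$/.exec(tok))) {            // ^1.2.3 / ~1.2.3
    const [maj, min, pat] = m.slice(2).map(Number);
    const upper = m[1] === '~' ? [maj, min + 1, 0] : maj > 0 ? [maj + 1, 0, 0] : min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
    return [['>=', [maj, min, pat]], ['<', upper]];
  }
  if ((m = /^(\d+)\.(\d+)\.[xX*]$/.exec(tok))) {                   // 0.9.x
    const [maj, min] = m.slice(1).map(Number);
    return [['>=', [maj, min, 0]], ['<', [maj, min + 1, 0]]];
  }
  if ((m = /^(>=|<=|>|<|=)?v?(\d+\.\d+\.\d+)$/.exec(tok))) {        // >=1.2.3, 1.2.3
    return [[m[1] || '=', parseVersion(m[2])]];
  }
  throw new Error(`unsupported range token: ${tok}`);
}
const OPS = { '>=': c => c >= 0, '<=': c => c <= 0, '>': c => c > 0, '<': c => c < 0, '=': c => c === 0 };
// True when `version` satisfies `range` ("||" is OR, whitespace is AND).
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(tok =>
      comparators(tok).every(([op, w]) => OPS[op](cmp(v, w)))));
}
// Vulnerable ranges as printed by the audit reports in this thread. The async advisory
// covers both the 2.x and 3.x lines, which is why npm printed it as "<3.2.2" in one
// report and "<2.6.4" in another, depending on which async was installed.
const ADVISORIES = {
  async:    { id: 'GHSA-fwr7-v2mv-hh25', vulnerable: '<2.6.4 || >=3.0.0 <3.2.2' },
  minimist: { id: 'GHSA-xvch-5gv4-984h', vulnerable: '<1.2.6' },
  prismjs:  { id: 'GHSA-3949-f494-cm99', vulnerable: '>=1.14.0 <1.27.0' },
};
// Node-style resolution over lockfile paths: look for node_modules/<dep> nested
// under `from`, then walk up one node_modules level at a time to the top.
function resolveFor(lock, from, dep) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (lock.packages[candidate]) return { path: candidate, version: lock.packages[candidate].version };
    if (base === '') return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i < 0 ? '' : base.slice(0, i);
  }
}
// Walk a package-lock.json v2/v3 "packages" map and return every finding.
function auditLock(lock, advisories = ADVISORIES) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue;                                     // the root project
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const adv = advisories[name];
    if (adv && satisfies(entry.version, adv.vulnerable)) {
      findings.push({ kind: 'vulnerable', path, version: entry.version, advisory: adv.id });
    }
    for (const [dep, range] of Object.entries(entry.dependencies || {})) {
      const r = resolveFor(lock, path, dep);
      if (r && !satisfies(r.version, range)) {
        findings.push({ kind: 'invalid', path: r.path, version: r.version, wanted: range, from: path });
      }
    }
  }
  return findings;
}
// Constructed lockfile mirroring the `npm ls async` tree above after npm-force-resolutions
// pinned async to 3.2.3. Declared ranges other than jake's "0.9.x" are assumptions.
const LOCK_AFTER_FORCE = { packages: {
  '': { name: 'npm-pwa-0.12.0', version: '1.0.0' },
  'node_modules/vite-plugin-pwa': { version: '0.12.0', dependencies: { 'workbox-build': '^6.5.3' } },
  'node_modules/workbox-build': { version: '6.5.3', dependencies: { '@surma/rollup-plugin-off-main-thread': '^2.2.3' } },
  'node_modules/@surma/rollup-plugin-off-main-thread': { version: '2.2.3', dependencies: { ejs: '^3.1.6' } },
  'node_modules/ejs': { version: '3.1.6', dependencies: { jake: '^10.6.1' } },
  'node_modules/jake': { version: '10.8.4', dependencies: { async: '0.9.x' } },
  'node_modules/async': { version: '3.2.3' },
} };
// Same tree before the workaround: jake's 0.9.x range pulled in a vulnerable async (constructed).
const LOCK_BEFORE = { packages: { ...LOCK_AFTER_FORCE.packages, 'node_modules/async': { version: '0.9.2' } } };
// After an ejs release that updated jake to accept async ^3.2.3 (versions and ranges assumed).
const LOCK_FIXED = { packages: { ...LOCK_AFTER_FORCE.packages,
  'node_modules/ejs': { version: '3.1.7', dependencies: { jake: '^10.8.5' } },
  'node_modules/jake': { version: '10.8.5', dependencies: { async: '^3.2.3' } } } };
for (const [label, lock] of [['before', LOCK_BEFORE], ['forced', LOCK_AFTER_FORCE], ['fixed', LOCK_FIXED]]) {
  console.log(label, JSON.stringify(auditLock(lock)));
}
```

Run with `node audit-lock.js` (or pass a real `JSON.parse(fs.readFileSync('package-lock.json'))` to `auditLock`). The "forced" tree reports no vulnerable package but one `invalid` entry, which is exactly why `npm ls async` exits with ELSPROBLEMS after the forced resolution: the audit is clean, but the tree no longer satisfies jake's declared range, so the only real fix is the upstream one where jake itself moves to async ^3.2.3.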

Hello @userquin, it's working on my side! I added the preinstall script + async line to my package.json, then I ran npm install and it worked as expected! Thank you very much for your support!

npm install

> platinum@0.0.0 preinstall
> npx npm-force-resolutions


removed 1 package, changed 1 package, and audited 403 packages in 11s

63 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

@BenjaminOddou I mean, you should check the project build script once the vulnerability is fixed

@userquin I don't see any problem when building with vite after the fix. I tested the pwa a bit and it seems to work well so all good for me.

thx for the feedback

@BenjaminOddou can you try removing the package-lock.json and running npm install (I also remove the node_modules before install)? It seems ejs released version 3.1.7 with jake updated. I've tested it and now have 0 vulnerabilities.

I'll update the plugin removing our fix.

Yes, indeed the vulnerabilities are fixed. I have 0 vulnerabilities now :)

Works for me too now, just from npm update

@userquin it worked for me as well! Thank you for the update! =)

Hi all,
I am trying to add it with the react template
npx create-react-app my-app --template cra-template-pwa

and getting the 6 high errors, and if I try to force the fix I get 78 errors

this plugin is not related to that template, this plugin is to be used with Vite