fix: update vulnerable dependencies
larsrickert opened this issue · comments
With version 0.11.13 I get 6 high severity vulnerabilities. Below is the npm audit report, my dependencies and system information.
- node version: 16.14.2
- npm version: 8.5.0
npm audit report
async <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install vite-plugin-pwa@0.11.3, which is a breaking change
node_modules/async
jake >=8.0.1
Depends on vulnerable versions of async
node_modules/jake
ejs >=3.1.2
Depends on vulnerable versions of jake
node_modules/ejs
@surma/rollup-plugin-off-main-thread >=2.2.0
Depends on vulnerable versions of ejs
node_modules/@surma/rollup-plugin-off-main-thread
workbox-build >=6.4.0
Depends on vulnerable versions of @surma/rollup-plugin-off-main-thread
node_modules/workbox-build
vite-plugin-pwa >=0.11.5
Depends on vulnerable versions of workbox-build
node_modules/vite-plugin-pwa
6 high severity vulnerabilities
My dependencies
{
"dependencies": {
"@capacitor/browser": "^1.0.7",
"@capacitor/core": "^3.4.3",
"@capacitor/device": "^1.1.2",
"@capacitor/local-notifications": "^1.1.0",
"@capacitor/network": "^1.0.7",
"@capacitor/storage": "^1.2.5",
"@ionic/vue": "^6.1.0",
"@ionic/vue-router": "^6.1.0",
"axios": "^0.26.1",
"lottie-web": "^5.9.2",
"pinia": "^2.0.13",
"sanitize-html": "^2.7.0",
"v-calendar": "^3.0.0-alpha.8",
"vue": "^3.2.33",
"vue-i18n": "^9.1.9",
"vue-router": "^4.0.14"
},
"devDependencies": {
"@capacitor/cli": "^3.4.3",
"@intlify/vite-plugin-vue-i18n": "^3.4.0",
"@semantic-release/changelog": "^6.0.1",
"@semantic-release/git": "^10.0.1",
"@types/node": "^16.11.10",
"@types/sanitize-html": "^2.6.2",
"@typescript-eslint/eslint-plugin": "^5.19.0",
"@typescript-eslint/parser": "^5.19.0",
"@vitejs/plugin-vue": "^2.3.1",
"eslint": "^8.13.0",
"eslint-config-prettier": "^8.5.0",
"eslint-plugin-vue": "^8.6.0",
"prettier": "^2.6.2",
"sass": "^1.50.0",
"semantic-release-monorepo": "^7.0.5",
"typescript": "^4.6.3",
"vite": "^2.9.5",
"vite-plugin-eslint": "~1.3.0",
"vite-plugin-pwa": "^0.11.13",
"vue-tsc": "^0.34.6"
}
}
Hello @larsrickert, I have the exact same problem as yours. I tried the `npm audit fix --force`, which installed version 0.11.3, but I still have 5 high severity vulnerabilities. I think we will have to wait for an update.
npm audit report
async <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install vite-plugin-pwa@0.11.3, which is a breaking change
node_modules/async
jake >=8.0.1
Depends on vulnerable versions of async
node_modules/jake
ejs >=3.1.2
Depends on vulnerable versions of jake
node_modules/ejs
@surma/rollup-plugin-off-main-thread >=2.2.0
Depends on vulnerable versions of ejs
node_modules/@surma/rollup-plugin-off-main-thread
workbox-build >=6.4.0
Depends on vulnerable versions of @surma/rollup-plugin-off-main-thread
node_modules/workbox-build
vite-plugin-pwa >=0.11.5
Depends on vulnerable versions of workbox-build
node_modules/vite-plugin-pwa
6 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
I'll try to fix it in the next few days
ok, checking the repo it seems we have 4 vulnerabilities, 3 high and 1 critical (I have a local repo with latest versions, not main branch):
- minimist: only used on sveltekit-pwa example, fast-glob and fs-extra
- prismjs: on vitepress (docs package)
- node-fetch: I don't know who is using it, sveltekit-example using 3.1.0
- async: workbox-build dependencies, it seems we need to send it upstream
I'm preparing a new release (minor), maybe we need fix later.
pnpm audit
┌─────────────────────┬───────────────────────────────────────────────────┐
│ critical │ Prototype Pollution in minimist │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Package │ minimist │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Vulnerable versions │ <1.2.6 │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Patched versions │ >=1.2.6 │
├─────────────────────┼───────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-xvch-5gv4-984h │
└─────────────────────┴───────────────────────────────────────────────────┘
┌─────────────────────┬───────────────────────────────────────────────────┐
│ high │ Cross-site Scripting in Prism │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Package │ prismjs │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Vulnerable versions │ >=1.14.0 <1.27.0 │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Patched versions │ >=1.27.0 │
├─────────────────────┼───────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-3949-f494-cm99 │
└─────────────────────┴───────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────────────────────────────────────┐
│ high │ node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor │
├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <2.6.7 │
├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────┤
│ Patched versions │ >=2.6.7 │
├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-r683-j2x4-v87g │
└─────────────────────┴────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────┬───────────────────────────────────────────────────┐
│ high │ Prototype Pollution in async │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Package │ async │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Vulnerable versions │ <2.6.4 │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Patched versions │ >=2.6.4 │
├─────────────────────┼───────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-fwr7-v2mv-hh25 │
└─────────────────────┴───────────────────────────────────────────────────┘
4 vulnerabilities found
Severity: 3 high | 1 critical
Hello, after the update to v0.12.0, I still have warnings of vulnerabilities coming from vite-plugin-pwa according to npm. Is it normal? Thank you very much in advance!
npm audit report
async <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install vite-plugin-pwa@0.11.3, which is a breaking change
node_modules/async
jake >=8.0.1
Depends on vulnerable versions of async
node_modules/jake
ejs >=3.1.2
Depends on vulnerable versions of jake
node_modules/ejs
@surma/rollup-plugin-off-main-thread >=2.2.0
Depends on vulnerable versions of ejs
node_modules/@surma/rollup-plugin-off-main-thread
workbox-build >=6.4.0
Depends on vulnerable versions of @surma/rollup-plugin-off-main-thread
node_modules/workbox-build
vite-plugin-pwa >=0.11.5
Depends on vulnerable versions of workbox-build
node_modules/vite-plugin-pwa
6 high severity vulnerabilities
Same here.
@BenjaminOddou @BenMcLean filed an issue on ejs to update jake: mde/ejs#668. Once resolved we'll update dependencies.
EDIT: I can add the resolutions entry to a sample repo, and adding a preinstall script seems to work, but after running `npm install` twice the npm lock file is wrong (see log below). Maybe you can try it. Once there aren't vulnerabilities, running `npm ls async` fails, so you will need to check that it is working once the vulnerability is fixed:
npm ls async
npm-pwa-0.12.0@1.0.0 F:\work\projects\quini\GitHub\issue-repro\npm-pwa-0.12.0
`-- vite-plugin-pwa@0.12.0
  `-- workbox-build@6.5.3
    `-- @surma/rollup-plugin-off-main-thread@2.2.3
      `-- ejs@3.1.6
        `-- jake@10.8.4
          `-- async@^3.2.3 invalid: "0.9.x" from node_modules/jake
npm ERR! code ELSPROBLEMS
npm ERR! invalid: async@^3.2.3 F:\work\projects\quini\GitHub\issue-repro\npm-pwa-0.12.0\node_modules\async
npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\userquin\AppData\Local\npm-cache\_logs\2022-04-19T18_51_59_476Z-debug.log
resolutions entry to add to package.json:
"resolutions": {
"async": "^3.2.3"
}
preinstall script (will prompt for installing npm-force-resolutions if missing):
"scripts": {
"preinstall": "npx npm-force-resolutions"
}
@BenMcLean @BenjaminOddou if you can confirm that the workaround works, maybe we can add it to the FAQ until fixed on ejs (and workbox deps, there is already an issue on the repo: GoogleChrome/workbox#3061). I need to check it also using yarn, but the workaround should also work.
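As an added example (not code from the plugin or from anyone in this thread), the script below turns an `npm audit --json` report into the same leaf-to-direct-dependency chain that the textual reports above print, so you can see at a glance which advisory is behind each "depends on vulnerable versions" row and which direct dependency you can upgrade or override. The sample report is constructed to mirror this thread's async chain, and the field names (`vulnerabilities`, `via`, `effects`, `isDirect`) assume npm's auditReportVersion 2 format.

```javascript
// Added example, not code from vite-plugin-pwa or this thread. Walks an
// `npm audit --json` style report (auditReportVersion 2, as npm 7+ emits) from
// each advisory up its `effects` chain to the direct dependency. The report is
// CONSTRUCTED to mirror the thread's chain; real reports carry more fields.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "async": { name: "async", severity: "high", isDirect: false,
      via: [{ name: "async", title: "Prototype Pollution in async",
              url: "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", range: "<3.2.2" }],
      effects: ["jake"] },
    "jake": { name: "jake", severity: "high", isDirect: false,
      via: ["async"], effects: ["ejs"] },
    "ejs": { name: "ejs", severity: "high", isDirect: false,
      via: ["jake"], effects: ["@surma/rollup-plugin-off-main-thread"] },
    "@surma/rollup-plugin-off-main-thread": { name: "@surma/rollup-plugin-off-main-thread",
      severity: "high", isDirect: false, via: ["ejs"], effects: ["workbox-build"] },
    "workbox-build": { name: "workbox-build", severity: "high", isDirect: false,
      via: ["@surma/rollup-plugin-off-main-thread"], effects: ["vite-plugin-pwa"] },
    "vite-plugin-pwa": { name: "vite-plugin-pwa", severity: "high", isDirect: true,
      via: ["workbox-build"], effects: [] },
  },
};

// Depth-first walk along `effects` until a direct dependency (or a dead end) is
// reached; returns every chain found, and `path` doubles as the cycle guard.
function chainsToDirect(vulns, name, path = []) {
  const entry = vulns[name];
  if (!entry || path.includes(name)) return [];
  const here = [...path, name];
  if (entry.isDirect || entry.effects.length === 0) return [here];
  return entry.effects.flatMap((next) => chainsToDirect(vulns, next, here));
}

// Root advisories are entries whose `via` holds advisory objects; entries whose
// `via` lists package names are the transitive "depends on vulnerable versions" rows.
function summarize(report) {
  const vulns = report.vulnerabilities;
  const roots = Object.values(vulns).flatMap((v) =>
    v.via.filter((x) => typeof x === "object").map((adv) => ({ pkg: v.name, adv })));
  return roots.flatMap(({ pkg, adv }) =>
    chainsToDirect(vulns, pkg).map((chain) => ({
      advisory: adv.title, url: adv.url, vulnerableRange: adv.range,
      severity: vulns[pkg].severity, chain, direct: chain[chain.length - 1],
    })));
}

// One line per chain: which package to act on, and the path that pulls the leaf in.
function formatSummary(report) {
  return summarize(report).map((s) =>
    `${s.severity}: ${s.advisory} (${s.vulnerableRange}) -> act on ${s.direct} via ${s.chain.join(" > ")}`);
}

console.log(formatSummary(sampleReport).join("\n"));
```

Pipe a real report in with `npm audit --json > audit.json` and pass `JSON.parse(fs.readFileSync("audit.json"))` to `formatSummary` instead of the constructed sample.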
Hello @userquin, it's working on my side! I added the preinstall script + async line to my package.json, then I ran `npm install` and it worked as expected! Thank you very much for your support!
npm install
> platinum@0.0.0 preinstall
> npx npm-force-resolutions
removed 1 package, changed 1 package, and audited 403 packages in 11s
63 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
@BenjaminOddou I mean, you should check the project build script once the vulnerability is fixed
@userquin I don't see any problem when building with vite after the fix. I tested the pwa a bit and it seems to work well so all good for me.
thx for the feedback
@BenjaminOddou can you try removing the package-lock.json and running `npm install` (I also remove the node_modules before install)? It seems ejs released version 3.1.7 with jake updated. I've tested and now have 0 vulnerabilities. I'll update the plugin, removing our fix.
Yes, indeed the vulnerabilities are fixed. I have 0 vulnerabilities now :)
Works for me too now, just from npm update
@userquin it worked for me as well! Thank you for the update! =)
Hi all,
I am trying to add it with the react template `npx create-react-app my-app --template cra-template-pwa` and getting the 6 high errors, and if I try to force fix I get 78 errors.
this plugin is not related to that template, this plugin is to be used with Vite