npm audit reports 48 vulnerabilities in total (16 high, 8 critical)

Question

npm audit reports 48 vulnerabilities in total (16 high, 8 critical)

janmashat opened this issue 5 months ago · comments

Running npm audit reveals a number of vulnerable dependencies:

client: 18 vulnerabilities (11 moderate, 7 high)
server: 30 vulnerabilities (7 low, 6 moderate, 9 high, 8 critical)

Version:

➜  planka git:(master) git log -n1
commit e792cb26b1d2955fe4fde5ac80eb8846ae0abdff (HEAD -> master, tag: v1.17.0, tag: planka-0.1.27, origin/master, origin/HEAD)
Author: Maksim Eltyshev <meltyshev@gmail.com>
Date:   Mon Apr 22 23:25:09 2024 +0200

    chore: Update version

Client:

➜  client git:(master) npm audit
# npm audit report

@adobe/css-tools  <4.3.2
Severity: moderate
@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-prr3-c3m5-p7q2
fix available via `npm audit fix`
node_modules/@adobe/css-tools

express  <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix`
node_modules/express

follow-redirects  <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/follow-redirects

ip  2.0.0
Severity: moderate
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix`
node_modules/ip

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of resolve-url-loader
          Depends on vulnerable versions of sass-loader
          node_modules/react-scripts

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
  resolve-url-loader  0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/request
  node-sass  1.2.3 - 3.4.2 || 3.5.3 - 7.0.3
  Depends on vulnerable versions of request
  node_modules/react-scripts/node_modules/node-sass
    sass-loader  0.4.0-beta.1 - 0.4.2 || 0.6.0 || 5.0.0 - 6.0.7 || 8.0.0 - 10.3.1 || 11.0.0 - 13.1.0
    Depends on vulnerable versions of node-sass
    node_modules/react-scripts/node_modules/sass-loader

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/request/node_modules/tough-cookie

webpack-dev-middleware  <=5.3.3
Severity: high
Path traversal in webpack-dev-middleware - https://github.com/advisories/GHSA-wr3j-pwj9-hqq6
fix available via `npm audit fix`
node_modules/webpack-dev-middleware

18 vulnerabilities (11 moderate, 7 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Server:

➜  server git:(master) npm audit
# npm audit report

braces  <=2.3.0
Regular Expression Denial of Service in braces - https://github.com/advisories/GHSA-g95f-p29q-9xw4
Regular Expression Denial of Service (ReDoS) in braces - https://github.com/advisories/GHSA-cwfw-4gq5-mrqx
fix available via `npm audit fix`
node_modules/micromatch/node_modules/braces
  micromatch  0.2.0 - 2.3.11
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of parse-glob
  node_modules/micromatch
    findup-sync  0.4.0 - 1.0.0
    Depends on vulnerable versions of micromatch
    node_modules/findup-sync
      liftoff  2.2.3 - 2.3.0
      Depends on vulnerable versions of findup-sync
      node_modules/liftoff

debug  4.0.0 - 4.3.0
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix --force`
Will install sails-hook-sockets@3.0.0, which is a breaking change
node_modules/engine.io/node_modules/debug
node_modules/socket.io-parser/node_modules/debug
node_modules/socket.io/node_modules/debug
  engine.io  3.4.0 - 4.0.5
  Depends on vulnerable versions of debug
  node_modules/engine.io
    socket.io  2.2.0 - 3.0.4
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of engine.io
    node_modules/socket.io
      sails-hook-sockets  2.0.0-0 - 2.0.4
      Depends on vulnerable versions of socket.io
      node_modules/sails-hook-sockets
  socket.io-parser  3.4.0 - 4.0.2
  Depends on vulnerable versions of debug
  node_modules/socket.io-parser

express  <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix`
node_modules/express
  sails  <=0.12.11 || 1.0.0-0 - 1.5.9
  Depends on vulnerable versions of express
  node_modules/sails

formidable  <3.2.4
Severity: critical
Formidable arbitrary file upload - https://github.com/advisories/GHSA-8cp3-66vr-3r4c
No fix available
node_modules/formidable
  superagent  >=0.4.0
  Depends on vulnerable versions of formidable
  node_modules/superagent
    supertest  *
    Depends on vulnerable versions of superagent
    node_modules/supertest

glob-parent  <5.1.2
Severity: high
glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/glob-base/node_modules/glob-parent
  glob-base  *
  Depends on vulnerable versions of glob-parent
  node_modules/glob-base
    parse-glob  >=2.1.0
    Depends on vulnerable versions of glob-base
    node_modules/parse-glob

jose  3.0.0 - 4.15.4
Severity: moderate
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext - https://github.com/advisories/GHSA-hhhv-q57g-882q
fix available via `npm audit fix`
node_modules/jose

knex  <=2.3.0
Severity: critical
SQL Injection in knex - https://github.com/advisories/GHSA-58v4-qwx5-7f59
Knex.js has a limited SQL injection vulnerability - https://github.com/advisories/GHSA-4jv9-3563-23j3
Depends on vulnerable versions of minimist
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/waterline-sql-builder/node_modules/knex
  waterline-sql-builder  <=2.0.0
  Depends on vulnerable versions of knex
  node_modules/waterline-sql-builder
    machinepack-postgresql-sails-postgresql-redacted  *
    Depends on vulnerable versions of waterline-sql-builder
    node_modules/machinepack-postgresql-sails-postgresql-redacted
      sails-postgresql-redacted  *
      Depends on vulnerable versions of machinepack-postgresql-sails-postgresql-redacted
      node_modules/sails-postgresql-redacted

minimist  1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/waterline-sql-builder/node_modules/minimist

qs  6.4.0 || 6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/skipper/node_modules/qs
node_modules/waterline-utils/node_modules/qs
  body-parser  1.18.0 - 1.18.3
  Depends on vulnerable versions of qs
  node_modules/skipper/node_modules/body-parser
    skipper  0.1.3 - 0.9.3
    Depends on vulnerable versions of body-parser
    Depends on vulnerable versions of semver
    node_modules/skipper
  waterline-utils  1.4.1 - 1.4.4
  Depends on vulnerable versions of qs
  node_modules/waterline-utils

semver  <5.7.2 || >=6.0.0 <6.3.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/captains-log/node_modules/semver
node_modules/eslint-config-airbnb-base/node_modules/semver
node_modules/skipper/node_modules/semver
  captains-log  2.0.0 - 2.0.3
  Depends on vulnerable versions of semver
  node_modules/captains-log


tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar

30 vulnerabilities (7 low, 6 moderate, 9 high, 8 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Maksim Eltyshev · Answer 1 · Tue Apr 23 2024 20:33:06 GMT+0800 (China Standard Time)

Hi! I'll try to check everything today. There are many libs on the client with vulnerabilities shown, but they're only used to build the production version, so they are not exploitable. More information here: facebook/create-react-app#11174.

Jan Mashat · Answer 2 · Tue Apr 23 2024 20:38:58 GMT+0800 (China Standard Time)

Great, thanks for the quick response!

Maksim Eltyshev · Answer 3 · Tue Apr 23 2024 21:50:07 GMT+0800 (China Standard Time)

I've made an update of all dependencies: 0 vulnerabilities in the root folder, 0 vulnerabilities in the server folder, vulnerabilities are shown in the client folder and we've verified that all of these packages are related specifically to the build process (so they can't be exploited).