Security Issues of Nodemon
venkateswarlumadala opened this issue · comments
I am getting these issues while trying to run/build Docker due to nodemon version 2.0.22. I tried all the recent versions of nodemon but nothing works. The error is shown below.
docker-compose --env-file=./.compose/.compose.local up --build
[+] Building
=> load build definition from Dockerfile
=> => transferring dockerfile:
=> load .dockerignore
=> CACHED WORKDIR /usr/src/app
=> CACHED COPY package.json ./
=> RUN npm install
=> ERROR RUN npm audit fix --force
RUN npm audit fix --force:
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating nodemon to 1.14.9,which is a SemVer major change.
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated chokidar@1.7.0: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
added 235 packages, removed 4 packages, changed 15 packages, and audited 474 packages in 12s
28 packages are looking for funding
run `npm fund` for details
npm audit report
braces <2.3.1
Regular Expression Denial of Service (ReDoS) in braces - GHSA-cwfw-4gq5-mrqx
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/braces
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of glob-parent
node_modules/chokidar
nodemon 1.3.5 - 2.0.16 || 2.0.18
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of undefsafe
Depends on vulnerable versions of update-notifier
node_modules/nodemon
glob-parent <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of glob-parent
node_modules/chokidar
nodemon 1.3.5 - 2.0.16 || 2.0.18
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of undefsafe
Depends on vulnerable versions of update-notifier
node_modules/nodemon
glob-base *
Depends on vulnerable versions of glob-parent
node_modules/glob-base
parse-glob >=2.1.0
Depends on vulnerable versions of glob-base
node_modules/parse-glob
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
Depends on vulnerable versions of semver
node_modules/package-json
latest-version 3.0.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
Depends on vulnerable versions of semver-diff
node_modules/update-notifier
nodemon 1.3.5 - 2.0.16 || 2.0.18
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of undefsafe
Depends on vulnerable versions of update-notifier
node_modules/nodemon
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/package-json/node_modules/semver
node_modules/semver-diff/node_modules/semver
package-json <=6.5.0
Depends on vulnerable versions of got
Depends on vulnerable versions of semver
node_modules/package-json
latest-version 3.0.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
Depends on vulnerable versions of semver-diff
node_modules/update-notifier
nodemon 1.3.5 - 2.0.16 || 2.0.18
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of undefsafe
Depends on vulnerable versions of update-notifier
node_modules/nodemon
semver-diff <=3.1.1
Depends on vulnerable versions of semver
node_modules/semver-diff
undefsafe <2.0.3
Severity: moderate
Prototype Pollution in undefsafe - GHSA-332q-7ff2-57h2
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/undefsafe
nodemon 1.3.5 - 2.0.16 || 2.0.18
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of undefsafe
Depends on vulnerable versions of update-notifier
node_modules/nodemon
15 vulnerabilities (2 low, 7 moderate, 6 high)
To address all issues, run:
npm audit fix --force
failed to solve: process "/bin/sh -c npm audit fix --force" did not complete successfully: exit code: 1
The terminal process "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -Command npm run build_local" terminated with exit code: 1.
Terminal will be reused by tasks, press any key to close it.
I am using the below versions of node, npm and nodemon:
$ node -v
v16.16.0
$ npm -v
npm WARN config global `--global`, `--local` are deprecated. Use `--location=global` instead.
9.7.2
$ nodemon -v
2.0.22
My project package.json file is shown below:
{
  "name": "some-x123",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "dependencies": {
    "express": "^4.18.2",
    "express-session": "^1.17.3",
    "bcryptjs": "^2.4.3",
    "cookie-parser": "^1.4.6",
    "cookie-session": "^2.0.0",
    "cors": "^2.8.5",
    "dotenv": "^16.3.1",
    "nodemon": "^2.0.22"
  },
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "start": "nodemon --legacy-watch index.js",
    "build_local": "docker-compose --env-file=./.compose/.compose.local up --build",
    "start_local": "docker-compose --env-file=./.compose/.compose.local up",
    "stop_local": "docker-compose --env-file=./.compose/.compose.local -f \"docker-compose.yml\" down"
  },
  "author": "",
  "license": "ISC"
}
My Dockerfile is shown below:
FROM node:xx-version
WORKDIR xx/xx/xx
COPY package.json ./
RUN npm install -g nodemon
RUN npm install
RUN npm audit fix --force
ADD . .
EXPOSE port-xx
RUN printenv
CMD [ "npm", "run", "start" ]
Hi! I'm not involved with this project - but I've found that adding this to your package.json will fix things:
"overrides": {
  "semver": "^7.5.2"
}
Here's an example in one of my projects: https://github.com/krgamestudios/auth-server/blob/main/package.json
The cause of this is that semver's version hasn't been updated in nodemon yet, so it's still depending on an older version - thankfully, forcing the version to be updated appears to work correctly, though your mileage may vary.
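An added example, not code from the thread or from nodemon: a Node script that works over the `npm audit --json` report shape (npm 7+, `auditReportVersion` 2) on a constructed sample mirroring the semver case in this thread. It separates advisories that plain `npm audit fix` can resolve from those only `--force` resolves (through a SemVer-major change to a direct dependency, here the nodemon downgrade to 1.14.9 the report warns about; `fixAvailable.isSemVerMajor` is the JSON counterpart of the "outside the stated dependency range" / "breaking change" lines), and derives the `overrides` entry suggested above.

```javascript
// Classifies an `npm audit --json` report (npm 7+, auditReportVersion 2) by whether
// the fix npm proposes stays inside the declared dependency range, then derives the
// package.json "overrides" entry that pins the vulnerable transitive package.
// SAMPLE_AUDIT is a constructed, trimmed report mirroring the thread's semver case.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    semver: {
      name: 'semver', severity: 'moderate', isDirect: false, range: '<7.5.2',
      via: [{ name: 'semver', severity: 'moderate', range: '<7.5.2',
        title: 'semver vulnerable to Regular Expression Denial of Service',
        url: 'https://github.com/advisories/GHSA-c2qf-rxjj-qqgw' }],
      fixAvailable: { name: 'nodemon', version: '1.14.9', isSemVerMajor: true },
    },
    nodemon: {
      name: 'nodemon', severity: 'moderate', isDirect: true, range: '>=1.14.10',
      via: ['semver'],
      fixAvailable: { name: 'nodemon', version: '1.14.9', isSemVerMajor: true },
    },
  },
};

// A root advisory is an entry whose `via` holds an advisory object rather than only
// package names. Buckets: inRange (plain `npm audit fix` suffices), breaking (only
// `--force` fixes it, via a SemVer-major change to the named direct dependency,
// here a downgrade of nodemon to 1.14.9) and unfixable (no automatic fix).
function classifyAudit(report) {
  const out = { inRange: [], breaking: [], unfixable: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    const advisories = v.via.filter((x) => typeof x === 'object');
    if (advisories.length === 0) continue;
    const item = { name: v.name, range: v.range, advisories: advisories.map((a) => a.url) };
    if (!v.fixAvailable) out.unfixable.push(item);
    else if (v.fixAvailable.isSemVerMajor) out.breaking.push({ ...item, fix: v.fixAvailable });
    else out.inRange.push(item);
  }
  return out;
}

// For each breaking, non-direct root advisory with a vulnerable range of the form
// "<X", propose an "overrides" entry pinning that package to ^X (the workaround above).
function suggestOverrides(report) {
  const overrides = {};
  for (const item of classifyAudit(report).breaking) {
    const m = /^<(\d+\.\d+\.\d+)$/.exec(item.range);
    if (m && !report.vulnerabilities[item.name].isDirect) overrides[item.name] = '^' + m[1];
  }
  return overrides;
}
```

Feed the parsed output of `npm audit --json` to `classifyAudit`, and after adding an override re-run `npm audit` and the application's tests, since pinning a transitive package past its dependent's declared range is exactly the "your mileage may vary" case. Keeping `npm audit fix --force` out of the Docker build avoids both the major-version downgrade of nodemon and the non-zero exit that failed the build in the report above.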
@Ratstail91 thanks for your valuable information. I already tried this but it did not work for my case.
Same issue
# npm audit report
semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install nodemon@1.14.9, which is a breaking change
node_modules/nodemon/node_modules/semver
node_modules/simple-update-notifier/node_modules/semver
nodemon 1.4.10-alpha.1 - 1.4.10-alpha.3 || >=1.14.10
Depends on vulnerable versions of semver
Depends on vulnerable versions of simple-update-notifier
node_modules/nodemon
simple-update-notifier 1.0.7 - 1.1.0
Depends on vulnerable versions of semver
node_modules/simple-update-notifier
3 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Installed nodemon v2.0.22 and got the same security audit issue with semver.
Why is semver not updated from 5.7.1 to 7.5.2?
Actually, GitHub hasn't published it yet, not me!
I don't know why it's stuck in a queue, but I'll look at it once the week starts as I'm keen to get the release done. Closing in lieu of that 👍