remy / nodemon

Monitor for any changes in your node.js application and automatically restart the server - perfect for development

Home Page:http://nodemon.io/

Security Issues of Nodemon

venkateswarlumadala opened this issue · comments

I am getting issues while trying to run/build Docker due to nodemon version 2.0.22. I tried all the recent versions of nodemon, but nothing works. The error is shown below.

docker-compose --env-file=./.compose/.compose.local up --build

[+] Building
=> load build definition from Dockerfile
=> => transferring dockerfile:
=> load .dockerignore
=> CACHED WORKDIR /usr/src/app
=> CACHED COPY package.json ./
=> RUN npm install
=> ERROR RUN npm audit fix --force

RUN npm audit fix --force:
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating nodemon to 1.14.9,which is a SemVer major change.
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated chokidar@1.7.0: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.

added 235 packages, removed 4 packages, changed 15 packages, and audited 474 packages in 12s

28 packages are looking for funding

run npm fund for details

npm audit report

braces <2.3.1
Regular Expression Denial of Service (ReDoS) in braces - GHSA-cwfw-4gq5-mrqx
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/braces
  micromatch 0.2.0 - 2.3.11
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of parse-glob
  node_modules/micromatch
  anymatch 1.2.0 - 1.3.2
  Depends on vulnerable versions of micromatch
  node_modules/anymatch
  chokidar 1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of anymatch
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
  nodemon 1.3.5 - 2.0.16 || 2.0.18
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of undefsafe
  Depends on vulnerable versions of update-notifier
  node_modules/nodemon

glob-parent <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/glob-parent
  chokidar 1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of anymatch
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
  nodemon 1.3.5 - 2.0.16 || 2.0.18
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of undefsafe
  Depends on vulnerable versions of update-notifier
  node_modules/nodemon
  glob-base *
  Depends on vulnerable versions of glob-parent
  node_modules/glob-base
  parse-glob >=2.1.0
  Depends on vulnerable versions of glob-base
  node_modules/parse-glob
  micromatch 0.2.0 - 2.3.11
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of parse-glob
  node_modules/micromatch
  anymatch 1.2.0 - 1.3.2
  Depends on vulnerable versions of micromatch
  node_modules/anymatch

got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/got
  package-json <=6.5.0
  Depends on vulnerable versions of got
  Depends on vulnerable versions of semver
  node_modules/package-json
  latest-version 3.0.0 - 5.1.0
  Depends on vulnerable versions of package-json
  node_modules/latest-version
  update-notifier 0.2.0 - 5.1.0
  Depends on vulnerable versions of latest-version
  Depends on vulnerable versions of semver-diff
  node_modules/update-notifier
  nodemon 1.3.5 - 2.0.16 || 2.0.18
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of undefsafe
  Depends on vulnerable versions of update-notifier
  node_modules/nodemon

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/package-json/node_modules/semver
node_modules/semver-diff/node_modules/semver
  package-json <=6.5.0
  Depends on vulnerable versions of got
  Depends on vulnerable versions of semver
  node_modules/package-json
  latest-version 3.0.0 - 5.1.0
  Depends on vulnerable versions of package-json
  node_modules/latest-version
  update-notifier 0.2.0 - 5.1.0
  Depends on vulnerable versions of latest-version
  Depends on vulnerable versions of semver-diff
  node_modules/update-notifier
  nodemon 1.3.5 - 2.0.16 || 2.0.18
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of undefsafe
  Depends on vulnerable versions of update-notifier
  node_modules/nodemon
  semver-diff <=3.1.1
  Depends on vulnerable versions of semver
  node_modules/semver-diff

undefsafe <2.0.3
Severity: moderate
Prototype Pollution in undefsafe - GHSA-332q-7ff2-57h2
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/undefsafe
  nodemon 1.3.5 - 2.0.16 || 2.0.18
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of undefsafe
  Depends on vulnerable versions of update-notifier
  node_modules/nodemon

15 vulnerabilities (2 low, 7 moderate, 6 high)

To address all issues, run:

npm audit fix --force

failed to solve: process "/bin/sh -c npm audit fix --force" did not complete successfully: exit code: 1
The terminal process "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -Command npm run build_local" terminated with exit code: 1.

Terminal will be reused by tasks, press any key to close it.

I am using the versions of node, npm and nodemon shown below.

$ node -v
v16.16.0

$ npm -v
npm WARN config global --global, --local are deprecated. Use --location=global instead.
9.7.2

$ nodemon -v
2.0.22

My project's package.json file is shown below:

{
  "name": "some-x123",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "dependencies": {
    "express": "^4.18.2",
    "express-session": "^1.17.3",
    "bcryptjs": "^2.4.3",
    "cookie-parser": "^1.4.6",
    "cookie-session": "^2.0.0",
    "cors": "^2.8.5",
    "dotenv": "^16.3.1",
    "nodemon": "^2.0.22"
  },
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "start": "nodemon --legacy-watch index.js",
    "build_local": "docker-compose --env-file=./.compose/.compose.local up --build",
    "start_local": "docker-compose --env-file=./.compose/.compose.local up",
    "stop_local": "docker-compose --env-file=./.compose/.compose.local -f \"docker-compose.yml\" down"
  },
  "author": "",
  "license": "ISC"
}

The Dockerfile I am using is shown below:

FROM node: xx-version

WORKDIR xx/xx/xx

COPY package.json ./

RUN npm install -g nodemon
RUN npm install
RUN npm audit fix --force

ADD . .

EXPOSE port-xx

RUN printenv

CMD [ "npm", "run", "start" ]
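The build above fails because `npm audit fix --force` is allowed to make a SemVer-major change to a direct dependency (nodemon 2.0.22 down to 1.x). As an added example, not code from this thread or the nodemon project, the following script triages an `npm audit --json` report (the auditReportVersion 2 shape npm 7+ emits; an assumption, not shown on this page) so a build can fail on a severity threshold instead of on `--force`, and derives the `overrides` pin that a later reply in this thread suggests. The sample report is constructed from the semver advisory quoted in the thread, not captured from a real run.

```javascript
// Added example (not from this thread or the nodemon project): triage an
// `npm audit --json` report (auditReportVersion 2, npm 7+) so a Docker build
// fails on severity instead of on `npm audit fix --force`, which above would
// downgrade nodemon 2.0.22 to 1.x. The sample report is constructed from the
// semver advisory in this thread, not captured from a real run.
const SEVERITY = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
const breaking = { name: 'nodemon', version: '1.14.9', isSemVerMajor: true };
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    semver: {
      name: 'semver', severity: 'moderate', isDirect: false, range: '<7.5.2',
      via: [{ title: 'semver vulnerable to Regular Expression Denial of Service',
              url: 'https://github.com/advisories/GHSA-c2qf-rxjj-qqgw', severity: 'moderate' }],
      effects: ['simple-update-notifier', 'nodemon'], fixAvailable: breaking,
    },
    'simple-update-notifier': {
      name: 'simple-update-notifier', severity: 'moderate', isDirect: false,
      range: '1.0.7 - 1.1.0', via: ['semver'], effects: ['nodemon'], fixAvailable: breaking,
    },
    nodemon: {
      name: 'nodemon', severity: 'moderate', isDirect: true, range: '>=1.14.10',
      via: ['semver', 'simple-update-notifier'], effects: [], fixAvailable: breaking,
    },
  },
};
// Root causes are entries whose `via` holds advisory objects; other entries are
// flagged only because they depend on one. A fix is breaking when npm would
// change the major version of a direct dependency to apply it.
function triage(report, failAt = 'high') {
  const out = { rootCauses: [], breakingFixes: [], shouldFail: false };
  for (const v of Object.values(report.vulnerabilities)) {
    const advisories = v.via.filter((x) => typeof x === 'object');
    if (advisories.length) out.rootCauses.push({ name: v.name, range: v.range, urls: advisories.map((a) => a.url) });
    if (v.isDirect && v.fixAvailable?.isSemVerMajor) out.breakingFixes.push(`${v.name} -> ${v.fixAvailable.name}@${v.fixAvailable.version}`);
    if (SEVERITY[v.severity] >= SEVERITY[failAt]) out.shouldFail = true;
  }
  return out;
}
// For a root cause whose vulnerable range is a plain upper bound ("<7.5.2"),
// the first safe version is the package.json `overrides` pin suggested later
// in this thread; other range shapes are left for a human to decide.
function suggestOverrides(triaged) {
  const overrides = {};
  for (const rc of triaged.rootCauses) {
    const m = /^<(\d+\.\d+\.\d+)$/.exec(rc.range);
    if (m) overrides[rc.name] = `^${m[1]}`;
  }
  return overrides;
}
```

With the default `high` threshold the sample report does not fail the build, while it still surfaces that the only available `--force` fix is a breaking downgrade of nodemon.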

Hi! I'm not involved with this project - but I've found that adding this to your package.json will fix things:

"overrides": {
  "semver": "^7.5.2"
}

Here's an example in one of my projects: https://github.com/krgamestudios/auth-server/blob/main/package.json

The cause of this is that semver's version hasn't been updated in nodemon yet, so it's still depending on an older version - thankfully, forcing the version to be updated appears to work correctly, though your mileage may vary.

@Ratstail91 thanks for your valuable information. I already tried this, but it did not work for my case.

Same issue

# npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install nodemon@1.14.9, which is a breaking change
node_modules/nodemon/node_modules/semver
node_modules/simple-update-notifier/node_modules/semver
  nodemon  1.4.10-alpha.1 - 1.4.10-alpha.3 || >=1.14.10
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of simple-update-notifier
  node_modules/nodemon
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Installed nodemon v2.0.22 and got the same security audit issue with semver.
Why is semver not updated from 5.7.1 to 7.5.2?

Even though this issue got fixed (#2119), @remy hasn't published a new version on npm yet. The latest version is 2.0.22, which was released 4 months ago and has this vulnerability.

Actually, github hasn't published it yet, not me!

I don't know why it's stuck in a queue, but I'll look at it once the week starts as I'm keen to get the release done. Closing in lieu of that 👍