webdriverio-community / wdio-vscode-service

A service to test VSCode extensions from end to end using WebdriverIO

Home Page:https://webdriverio-community.github.io/wdio-vscode-service/


npm audit returns dependency vulnerabilities

neilcampbell opened this issue

When running npm audit against the repo, the following vulnerabilities are detected.

# npm audit report

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios

chromedriver  <119.0.1
Severity: moderate
chromedriver Command Injection vulnerability - https://github.com/advisories/GHSA-hm92-vgmw-qfmx
fix available via `npm audit fix`
node_modules/chromedriver

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install download@3.3.0, which is a breaking change
node_modules/download/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/download

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install download@3.3.0, which is a breaking change
node_modules/download/node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/download/node_modules/cacheable-request

undici  <5.26.2
Undici's cookie header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-wqq4-5wpv-mx2g
fix available via `npm audit fix`
node_modules/undici

7 vulnerabilities (1 low, 3 moderate, 3 high)

A couple are fixable; however, the high severity ones aren't and appear to be dependencies of the download package, which appears to have been abandoned.

Are there any plans or work in progress to move away from using the download package?

@neilcampbell thanks for reporting. These vulnerabilities will be resolved with #94, where we remove the dependency on the download package.

@christian-bromann Amazing stuff, thanks!

I took over #94 and dropped the dependency update in #105. Are we good to update all the dependencies next?

@seanpoulter let's update all dependencies if possible. We should always stay up to date!

Hello from Ottawa, Canada @neilcampbell. I'll second your suggestion that we want to replace download@^4. Do either of you have a preference? My suggestion would be to find out what we're using in webdriverio/webdriverio.

I'll open a PR to update undici now. We're limited to v5.x because v6 drops support for Node v16.

We're down to these three:

# npm audit report

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install download@3.3.0, which is a breaking change
node_modules/download/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/download

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install download@3.3.0, which is a breaking change
node_modules/download/node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/download/node_modules/cacheable-request

pkg  *
Severity: moderate
Pkg Local Privilege Escalation - https://github.com/advisories/GHSA-22r3-9w55-cj54
No fix available
node_modules/pkg

5 vulnerabilities (2 moderate, 3 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

We've already talked about replacing download. It turns out pkg is also no longer maintained.
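The two audit reports in this thread were triaged by hand (fixable vs. breaking vs. no fix, and which top-level package drags the finding in). The script below does that mechanically from `npm audit --json`. It is an added example, not code from the wdio-vscode-service project; it assumes the auditReportVersion 2 JSON shape that npm 7+ emits (`vulnerabilities.<name>.{severity,isDirect,via,nodes,fixAvailable}`), and the embedded report is constructed sample data mirroring the findings quoted above, not captured output.

```javascript
'use strict';
// Added example (not part of wdio-vscode-service): triage an `npm audit --json`
// report. Each finding is tagged with the kind of fix npm offers (auto,
// breaking, none) and the top-level dependency that pulls it in, so the
// "everything left is transitive via download" conclusion from the thread
// falls out of the data. Usage: node triage.js [audit.json]; with no file
// argument the constructed SAMPLE_REPORT below is used.

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Constructed sample shaped like auditReportVersion 2 output (assumption:
// npm 7+ format), mirroring the findings quoted in the issue. Not real output.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    got: {
      name: 'got', severity: 'high', isDirect: false,
      via: [{ name: 'got', title: 'Got allows a redirect to a UNIX socket',
              url: 'https://github.com/advisories/GHSA-pfrx-2q88-qq97',
              severity: 'high', range: '<=11.8.3' }, 'cacheable-request'],
      effects: ['download'], range: '<=11.8.3',
      nodes: ['node_modules/download/node_modules/got'],
      fixAvailable: { name: 'download', version: '3.3.0', isSemVerMajor: true },
    },
    'http-cache-semantics': {
      name: 'http-cache-semantics', severity: 'high', isDirect: false,
      via: [{ name: 'http-cache-semantics',
              title: 'http-cache-semantics vulnerable to Regular Expression Denial of Service',
              url: 'https://github.com/advisories/GHSA-rc47-6667-2j5j',
              severity: 'high', range: '<4.1.1' }],
      effects: ['cacheable-request'], range: '<4.1.1',
      nodes: ['node_modules/download/node_modules/http-cache-semantics'],
      fixAvailable: { name: 'download', version: '3.3.0', isSemVerMajor: true },
    },
    'cacheable-request': {
      name: 'cacheable-request', severity: 'high', isDirect: false,
      via: ['http-cache-semantics'], effects: ['got'], range: '0.1.0 - 2.1.4',
      nodes: ['node_modules/download/node_modules/cacheable-request'],
      fixAvailable: { name: 'download', version: '3.3.0', isSemVerMajor: true },
    },
    download: {
      name: 'download', severity: 'high', isDirect: true,
      via: ['got'], effects: [], range: '>=4.0.0',
      nodes: ['node_modules/download'],
      fixAvailable: { name: 'download', version: '3.3.0', isSemVerMajor: true },
    },
    pkg: {
      name: 'pkg', severity: 'moderate', isDirect: true,
      via: [{ name: 'pkg', title: 'Pkg Local Privilege Escalation',
              url: 'https://github.com/advisories/GHSA-22r3-9w55-cj54',
              severity: 'moderate', range: '*' }],
      effects: [], range: '*', nodes: ['node_modules/pkg'], fixAvailable: false,
    },
  },
};

// Top-level dependency owning an installed path, e.g.
// "node_modules/download/node_modules/got" -> "download" (scoped names kept whole).
function rootPackage(nodePath) {
  const parts = nodePath.split('/');
  const i = parts.indexOf('node_modules');
  if (i < 0 || i + 1 >= parts.length) return nodePath;
  const first = parts[i + 1];
  return first.startsWith('@') && parts[i + 2] ? `${first}/${parts[i + 2]}` : first;
}

// npm encodes fixAvailable as true, false, or { name, version, isSemVerMajor }.
function fixKind(fixAvailable) {
  if (fixAvailable === true) return 'auto';
  if (fixAvailable && typeof fixAvailable === 'object') {
    return fixAvailable.isSemVerMajor ? 'breaking' : 'auto';
  }
  return 'none';
}

// One record per vulnerable package, most severe first, then by name.
function triageAudit(report) {
  return Object.values(report.vulnerabilities || {})
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      isDirect: Boolean(v.isDirect),
      root: rootPackage((v.nodes && v.nodes[0]) || `node_modules/${v.name}`),
      fix: fixKind(v.fixAvailable),
      // Object entries in `via` are advisories; string entries name other vulnerable deps.
      advisories: (v.via || []).filter((x) => typeof x === 'object').map((a) => a.url),
    }))
    .sort((a, b) => {
      const d = (SEVERITY_RANK[b.severity] || 0) - (SEVERITY_RANK[a.severity] || 0);
      return d !== 0 ? d : a.name.localeCompare(b.name);
    });
}

// Findings grouped by the top-level dependency that pulls them in.
function groupByRoot(findings) {
  const groups = {};
  for (const f of findings) (groups[f.root] = groups[f.root] || []).push(f.name);
  return groups;
}

function countByFix(findings) {
  const counts = { auto: 0, breaking: 0, none: 0 };
  for (const f of findings) counts[f.fix] += 1;
  return counts;
}

if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const report = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_REPORT;
  const findings = triageAudit(report);
  for (const f of findings) {
    console.log(`${f.severity.padEnd(8)} ${f.name.padEnd(22)} fix=${f.fix.padEnd(8)} via ${f.root}`);
  }
  console.log('by root:', groupByRoot(findings));
  console.log('by fix:', countByFix(findings));
}
```

On the sample, every remaining high is grouped under `download` with only a breaking fix (download@3.3.0), and `pkg` shows `fix=none`, which is exactly the "replace the dependency rather than `npm audit fix`" decision the thread reaches. Pipe a real report in with `npm audit --json > audit.json && node triage.js audit.json`.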

My suggestion would be to find out what we're using in webdriverio/webdriverio.

What are we doing there? If there is an easy way to replace download and pkg, I am happy to explore that. That said, I am also fine to keep this ticket around in case someone wants to pick this up, but I don't see these vulnerabilities being in any way relevant to the end user. This is why it had a very low priority for me.