webhintio / hint

💡 A hinting engine for the web

Home Page: https://webhint.io/

[Bug] hint has unexplainable vulnerabilities (on macOS)

nitrobw opened this issue · comments

🐞 Bug report

Description

Installing webhint (npm/hint) in a fresh directory with npm i hint and then checking for security vulnerabilities with npm audit reveals that there are 66 moderate severity vulnerabilities.

The only way to solve this with npm audit fix --force rolls back the package to version 2.0.0.

Details

This is happening on a Mac Studio running macOS Ventura 13.2, with node v.19.6.1, npm v9.4.0 and with the webhint/hint package v.7.1.3.
There is no config file or other package installed, the issue(s) come up in any setting though.

This happens on my Mac Studio (Apple silicon) device as well as my coworker's iMac (Intel) device under the same conditions.

I do not know if this also happens on Windows or Linux devices as our office only uses Mac devices.

Here is a complete log of this issue coming up in a new directory, including a list of my globally and locally installed packages (before installing hint):

bwe@andoria % cd github-hint-test
bwe@andoria github-hint-test % npm list -g
/opt/homebrew/lib
├── eslint-config-prettier@8.6.0
├── eslint-plugin-prettier@4.2.1
├── eslint@8.34.0
├── hint@7.1.3
├── npm@9.4.0
├── prettier-plugin-css-order@1.3.0
├── prettier@2.8.4
├── stylelint-config-standard@30.0.1
└── stylelint@15.1.0

bwe@andoria github-hint-test % npm list 
/Users/bwe/Desktop/github-hint-test
└── (empty)

bwe@andoria github-hint-test % npm i hint
npm WARN deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs

added 548 packages in 10s

76 packages are looking for funding
  run `npm fund` for details
bwe@andoria github-hint-test % npm audit
# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install hint@2.0.0, which is a breaking change
node_modules/package-json/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        hint  >=3.0.0-beta.0
        Depends on vulnerable versions of @hint/configuration-development
        Depends on vulnerable versions of @hint/configuration-web-recommended
        Depends on vulnerable versions of update-notifier
        node_modules/hint
          @hint/configuration-accessibility  *
          Depends on vulnerable versions of @hint/connector-puppeteer
          Depends on vulnerable versions of @hint/formatter-html
          Depends on vulnerable versions of @hint/formatter-summary
          Depends on vulnerable versions of @hint/hint-axe
          Depends on vulnerable versions of hint
          node_modules/@hint/configuration-accessibility
            @hint/configuration-development  *
            Depends on vulnerable versions of @hint/configuration-accessibility
            Depends on vulnerable versions of @hint/configuration-progressive-web-apps
            Depends on vulnerable versions of @hint/connector-local
            Depends on vulnerable versions of @hint/formatter-html
            Depends on vulnerable versions of @hint/formatter-json
            Depends on vulnerable versions of @hint/formatter-summary
            Depends on vulnerable versions of @hint/hint-babel-config
            Depends on vulnerable versions of @hint/hint-button-type
            Depends on vulnerable versions of @hint/hint-compat-api
            Depends on vulnerable versions of @hint/hint-create-element-svg
            Depends on vulnerable versions of @hint/hint-css-prefix-order
            Depends on vulnerable versions of @hint/hint-disown-opener
            Depends on vulnerable versions of @hint/hint-highest-available-document-mode
            Depends on vulnerable versions of @hint/hint-leading-dot-classlist
            Depends on vulnerable versions of @hint/hint-meta-charset-utf-8
            Depends on vulnerable versions of @hint/hint-meta-viewport
            Depends on vulnerable versions of @hint/hint-no-bom
            Depends on vulnerable versions of @hint/hint-no-inline-styles
            Depends on vulnerable versions of @hint/hint-no-protocol-relative-urls
            Depends on vulnerable versions of @hint/hint-scoped-svg-styles
            Depends on vulnerable versions of @hint/hint-sri
            Depends on vulnerable versions of @hint/hint-typescript-config
            Depends on vulnerable versions of @hint/hint-webpack-config
            Depends on vulnerable versions of @hint/parser-babel-config
            Depends on vulnerable versions of @hint/parser-css
            Depends on vulnerable versions of @hint/parser-html
            Depends on vulnerable versions of @hint/parser-javascript
            Depends on vulnerable versions of @hint/parser-jsx
            Depends on vulnerable versions of @hint/parser-less
            Depends on vulnerable versions of @hint/parser-sass
            Depends on vulnerable versions of @hint/parser-typescript
            Depends on vulnerable versions of @hint/parser-typescript-config
            Depends on vulnerable versions of @hint/parser-webpack-config
            Depends on vulnerable versions of hint
            node_modules/@hint/configuration-development
          @hint/configuration-progressive-web-apps  *
          Depends on vulnerable versions of @hint/connector-jsdom
          Depends on vulnerable versions of @hint/connector-puppeteer
          Depends on vulnerable versions of @hint/formatter-html
          Depends on vulnerable versions of @hint/formatter-summary
          Depends on vulnerable versions of @hint/hint-apple-touch-icons
          Depends on vulnerable versions of @hint/hint-manifest-app-name
          Depends on vulnerable versions of @hint/hint-manifest-exists
          Depends on vulnerable versions of @hint/hint-manifest-file-extension
          Depends on vulnerable versions of @hint/hint-manifest-is-valid
          Depends on vulnerable versions of @hint/parser-manifest
          Depends on vulnerable versions of hint
          node_modules/@hint/configuration-progressive-web-apps
          @hint/configuration-web-recommended  *
          Depends on vulnerable versions of @hint/configuration-accessibility
          Depends on vulnerable versions of @hint/connector-jsdom
          Depends on vulnerable versions of @hint/connector-local
          Depends on vulnerable versions of @hint/connector-puppeteer
          Depends on vulnerable versions of @hint/formatter-html
          Depends on vulnerable versions of @hint/formatter-json
          Depends on vulnerable versions of @hint/formatter-stylish
          Depends on vulnerable versions of @hint/formatter-summary
          Depends on vulnerable versions of @hint/hint-button-type
          Depends on vulnerable versions of @hint/hint-compat-api
          Depends on vulnerable versions of @hint/hint-content-type
          Depends on vulnerable versions of @hint/hint-create-element-svg
          Depends on vulnerable versions of @hint/hint-css-prefix-order
          Depends on vulnerable versions of @hint/hint-disown-opener
          Depends on vulnerable versions of @hint/hint-highest-available-document-mode
          Depends on vulnerable versions of @hint/hint-html-checker
          Depends on vulnerable versions of @hint/hint-http-cache
          Depends on vulnerable versions of @hint/hint-http-compression
          Depends on vulnerable versions of @hint/hint-image-optimization-cloudinary
          Depends on vulnerable versions of @hint/hint-leading-dot-classlist
          Depends on vulnerable versions of @hint/hint-meta-charset-utf-8
          Depends on vulnerable versions of @hint/hint-meta-viewport
          Depends on vulnerable versions of @hint/hint-no-bom
          Depends on vulnerable versions of @hint/hint-no-disallowed-headers
          Depends on vulnerable versions of @hint/hint-no-friendly-error-pages
          Depends on vulnerable versions of @hint/hint-no-html-only-headers
          Depends on vulnerable versions of @hint/hint-no-http-redirects
          Depends on vulnerable versions of @hint/hint-no-inline-styles
          Depends on vulnerable versions of @hint/hint-no-protocol-relative-urls
          Depends on vulnerable versions of @hint/hint-no-vulnerable-javascript-libraries
          Depends on vulnerable versions of @hint/hint-scoped-svg-styles
          Depends on vulnerable versions of @hint/hint-sri
          Depends on vulnerable versions of @hint/hint-ssllabs
          Depends on vulnerable versions of @hint/hint-strict-transport-security
          Depends on vulnerable versions of @hint/hint-stylesheet-limits
          Depends on vulnerable versions of @hint/hint-validate-set-cookie-header
          Depends on vulnerable versions of @hint/hint-x-content-type-options
          Depends on vulnerable versions of @hint/parser-css
          Depends on vulnerable versions of @hint/parser-html
          Depends on vulnerable versions of @hint/parser-javascript
          Depends on vulnerable versions of hint
          node_modules/@hint/configuration-web-recommended
          @hint/connector-jsdom  *
          Depends on vulnerable versions of @hint/utils-connector-tools
          Depends on vulnerable versions of hint
          node_modules/@hint/connector-jsdom
          @hint/connector-local  *
          Depends on vulnerable versions of hint
          node_modules/@hint/connector-local
          @hint/connector-puppeteer  *
          Depends on vulnerable versions of @hint/utils-connector-tools
          Depends on vulnerable versions of hint
          node_modules/@hint/connector-puppeteer
          @hint/formatter-html  *
          Depends on vulnerable versions of hint
          node_modules/@hint/formatter-html
          @hint/formatter-json  *
          Depends on vulnerable versions of hint
          node_modules/@hint/formatter-json
          @hint/formatter-stylish  *
          Depends on vulnerable versions of hint
          node_modules/@hint/formatter-stylish
          @hint/formatter-summary  *
          Depends on vulnerable versions of hint
          node_modules/@hint/formatter-summary
          @hint/hint-apple-touch-icons  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-apple-touch-icons
          @hint/hint-axe  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-axe
          @hint/hint-babel-config  *
          Depends on vulnerable versions of @hint/parser-babel-config
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-babel-config
          @hint/hint-button-type  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-button-type
          @hint/hint-compat-api  *
          Depends on vulnerable versions of @hint/parser-css
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-compat-api
          @hint/hint-content-type  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-content-type
          @hint/hint-create-element-svg  *
          Depends on vulnerable versions of @hint/parser-javascript
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-create-element-svg
          @hint/hint-css-prefix-order  *
          Depends on vulnerable versions of @hint/parser-css
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-css-prefix-order
          @hint/hint-disown-opener  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-disown-opener
          @hint/hint-highest-available-document-mode  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-highest-available-document-mode
          @hint/hint-html-checker  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-html-checker
          @hint/hint-http-cache  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-http-cache
          @hint/hint-http-compression  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-http-compression
          @hint/hint-image-optimization-cloudinary  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-image-optimization-cloudinary
          @hint/hint-leading-dot-classlist  *
          Depends on vulnerable versions of @hint/parser-javascript
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-leading-dot-classlist
          @hint/hint-manifest-app-name  *
          Depends on vulnerable versions of @hint/parser-manifest
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-manifest-app-name
          @hint/hint-manifest-exists  *
          Depends on vulnerable versions of @hint/parser-manifest
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-manifest-exists
          @hint/hint-manifest-file-extension  *
          Depends on vulnerable versions of @hint/parser-manifest
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-manifest-file-extension
          @hint/hint-manifest-is-valid  *
          Depends on vulnerable versions of @hint/parser-manifest
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-manifest-is-valid
          @hint/hint-meta-charset-utf-8  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-meta-charset-utf-8
          @hint/hint-meta-viewport  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-meta-viewport
          @hint/hint-no-bom  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-no-bom
          @hint/hint-no-disallowed-headers  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-no-disallowed-headers
          @hint/hint-no-friendly-error-pages  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-no-friendly-error-pages
          @hint/hint-no-html-only-headers  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-no-html-only-headers
          @hint/hint-no-http-redirects  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-no-http-redirects
          @hint/hint-no-inline-styles  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-no-inline-styles
          @hint/hint-no-protocol-relative-urls  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-no-protocol-relative-urls
          @hint/hint-no-vulnerable-javascript-libraries  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-no-vulnerable-javascript-libraries
          @hint/hint-scoped-svg-styles  *
          Depends on vulnerable versions of @hint/parser-css
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-scoped-svg-styles
          @hint/hint-sri  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-sri
          @hint/hint-ssllabs  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-ssllabs
          @hint/hint-strict-transport-security  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-strict-transport-security
          @hint/hint-stylesheet-limits  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-stylesheet-limits
          @hint/hint-typescript-config  *
          Depends on vulnerable versions of @hint/parser-typescript-config
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-typescript-config
          @hint/hint-validate-set-cookie-header  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-validate-set-cookie-header
          @hint/hint-webpack-config  *
          Depends on vulnerable versions of @hint/parser-babel-config
          Depends on vulnerable versions of @hint/parser-typescript-config
          Depends on vulnerable versions of @hint/parser-webpack-config
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-webpack-config
          @hint/hint-x-content-type-options  *
          Depends on vulnerable versions of hint
          node_modules/@hint/hint-x-content-type-options
          @hint/parser-babel-config  *
          Depends on vulnerable versions of hint
          node_modules/@hint/parser-babel-config
          @hint/parser-css  *
          Depends on vulnerable versions of hint
          node_modules/@hint/parser-css
          @hint/parser-html  *
          Depends on vulnerable versions of hint
          node_modules/@hint/parser-html
          @hint/parser-javascript  *
          Depends on vulnerable versions of hint
          node_modules/@hint/parser-javascript
          @hint/parser-jsx  *
          Depends on vulnerable versions of @hint/parser-javascript
          Depends on vulnerable versions of hint
          node_modules/@hint/parser-jsx
          @hint/parser-less  *
          Depends on vulnerable versions of hint
          node_modules/@hint/parser-less
          @hint/parser-manifest  *
          Depends on vulnerable versions of hint
          node_modules/@hint/parser-manifest
          @hint/parser-sass  *
          Depends on vulnerable versions of hint
          node_modules/@hint/parser-sass
          @hint/parser-typescript  *
          Depends on vulnerable versions of @hint/parser-javascript
          Depends on vulnerable versions of hint
          node_modules/@hint/parser-typescript
          @hint/parser-typescript-config  *
          Depends on vulnerable versions of hint
          node_modules/@hint/parser-typescript-config
          @hint/parser-webpack-config  *
          Depends on vulnerable versions of hint
          node_modules/@hint/parser-webpack-config
          @hint/utils-connector-tools  *
          Depends on vulnerable versions of hint
          node_modules/@hint/utils-connector-tools

66 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
bwe@andoria github-hint-test %

Just in case someone brings up the possibility of global packages causing this issue, I just removed all of them and tried again:

bwe@andoria ~ % mkdir test3
bwe@andoria ~ % cd test3
bwe@andoria test3 % npm list
/Users/bwe
└── (empty)

bwe@andoria test3 % npm list -g
/opt/homebrew/lib
└── npm@9.4.0

bwe@andoria test3 % npm i hint
npm WARN deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs

added 548 packages, and audited 549 packages in 18s

76 packages are looking for funding
  run `npm fund` for details

66 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
bwe@andoria test3 % 
commented

I recently encountered the same issue and could not find any way to not have either a whole bunch of vulnerabilities or a massively outdated version of hint.

To make sure that it's not anything else I ran the same commands as you did and got the exact same result:

pwe@trappist ~ % mkdir hint_test
pwe@trappist ~ % cd hint_test 
pwe@trappist hint_test % npm list
/Users/pwe/hint_test
└── (empty)

pwe@trappist hint_test % npm list -g
/usr/local/lib
└── npm@9.4.0

pwe@trappist hint_test % npm i hint
npm WARN deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs

added 569 packages in 19s

78 packages are looking for funding
  run `npm fund` for details
pwe@trappist hint_test %

FYI: I'm running macOS 13.2 (Intel) with zsh@5.9, node@19.6.1 and npm@9.4.0.

Thank you for reporting this with such detailed information. We might have an indirect dependency that needs to be updated; I'll double check and release an update if needed.

So I took a deeper look at this and if I understand it correctly there are two different issues in here:

66 moderate severity vulnerabilities
Unfortunately there is little to do here at the moment; we constantly update libraries, but vulnerabilities get discovered at an even bigger rate. That does not make hint an insecure library, as the vulnerabilities only report that there might be an existing vulnerability under specific circumstances, but it does not mean webhint is actually exercising that path. That being said, this is where open source shines, as anyone can contribute to update these dependencies and everyone will benefit from it.

For why npm audit fix --force goes back to version 2.0.0:
That seems to be a different issue, as audit fix --force can give unpredictable results. Not sure what logic SEMVER is following, but given that audit fix --force is discouraged in the npm documentation, I would recommend against using it.
https://docs.npmjs.com/cli/v9/commands/npm-audit?v=true#force

Please feel free to reopen the issue if you think it is still not resolved or if you have more information and thank you for the feedback.
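As an added example (not code from the webhint project or from anyone in this thread), the chain that npm audit prints above, got -> package-json -> latest-version -> update-notifier -> hint, can be recovered from the `npm audit --json` report, which is what lets a reviewer separate the one root advisory from the 65 packages flagged only because they depend on it, and spot when the only fix offered is a semver-major downgrade such as hint@2.0.0. The report object is constructed by hand for this example and follows the npm 7+ audit report version 2 field names.

```javascript
// Added example, not code from the webhint project: walk an `npm audit --json`
// report (auditReportVersion 2, npm 7+) from each root advisory up its
// "effects" chain and say whether the only available fix is semver-major.
// The report is constructed by hand to mirror the chain in the issue, including
// the hint <-> @hint/configuration-web-recommended cycle visible in the output.

const semverMajorFix = { name: 'hint', version: '2.0.0', isSemVerMajor: true };

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    got: {
      isDirect: false, range: '<11.8.5', effects: ['package-json'], fixAvailable: semverMajorFix,
      via: [{ name: 'got', title: 'Got allows a redirect to a UNIX socket',
              url: 'https://github.com/advisories/GHSA-pfrx-2q88-qq97' }],
    },
    'package-json': { isDirect: false, range: '<=6.5.0', via: ['got'],
      effects: ['latest-version'], fixAvailable: semverMajorFix },
    'latest-version': { isDirect: false, range: '0.2.0 - 5.1.0', via: ['package-json'],
      effects: ['update-notifier'], fixAvailable: semverMajorFix },
    'update-notifier': { isDirect: false, range: '0.2.0 - 5.1.0', via: ['latest-version'],
      effects: ['hint'], fixAvailable: semverMajorFix },
    hint: { isDirect: true, range: '>=3.0.0-beta.0',
      via: ['update-notifier', '@hint/configuration-web-recommended'],
      effects: ['@hint/configuration-web-recommended'], fixAvailable: semverMajorFix },
    '@hint/configuration-web-recommended': { isDirect: false, range: '*',
      via: ['hint'], effects: ['hint'], fixAvailable: semverMajorFix },
  },
};

// Root causes: entries whose `via` holds an advisory object, not just package names.
function rootAdvisories(report) {
  return Object.entries(report.vulnerabilities)
    .filter(([, v]) => v.via.some(x => typeof x === 'object'));
}

// Follow `effects` upward and return every path as an array of package names.
// A package whose remaining effects are all already on the path is terminal;
// that is what cuts the hint <-> @hint/* cycle instead of recursing forever.
function effectPaths(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  const onPath = new Set(seen).add(name);
  const onward = (entry ? entry.effects : []).filter(e => !onPath.has(e));
  if (onward.length === 0) return [[name]];
  return onward.flatMap(e => effectPaths(report, e, onPath).map(p => [name, ...p]));
}

// One row per root advisory. `fixAvailable` is true, false or an object, so a
// breaking fix is reported only when the object says isSemVerMajor.
function summarise(report) {
  return rootAdvisories(report).map(([name, root]) => {
    const paths = effectPaths(report, name);
    const f = root.fixAvailable;
    const hasFixObj = typeof f === 'object' && f !== null;
    return {
      package: name, range: root.range,
      advisories: root.via.filter(x => typeof x === 'object').map(a => a.url),
      chains: paths.map(p => p.join(' -> ')),
      directDependencies: [...new Set(paths.flat())]
        .filter(n => (report.vulnerabilities[n] || {}).isDirect === true),
      breakingFixOnly: hasFixObj && f.isSemVerMajor === true,
      fixTarget: hasFixObj ? `${f.name}@${f.version}` : null,
    };
  });
}
```

Run against a real report with `npm audit --json > audit.json` and `summarise(JSON.parse(fs.readFileSync('audit.json')))`; a row with `breakingFixOnly: true` is the case the maintainer describes, where `npm audit fix --force` would downgrade the direct dependency.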