ui dependencies npm vulnerabilities #56

Open
viniarck opened this issue Apr 30, 2024 · 0 comments
Assignees
Labels
future_release Planned for the next release

Comments

@viniarck
Member

The scope is partly related to issue #30, where we were planning to upgrade the rest of the ui dependencies; however, let's treat this as a smaller scope to see if we can potentially also mitigate these 49 (28 critical) vulnerabilities. So, the scope of this issue is to assess whether some of the dependencies below can be upgraded with upstream fixes, but let's only try to deal with the ones where refactoring is minimal or seamless. The rest we'll address in issue #30.

To reproduce:

  • npm i
  • npm audit

49 vulnerabilities (7 moderate, 14 high, 28 critical)

❯ npm audit
# npm audit report

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

async  2.0.0 - 2.6.3
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix`
node_modules/async

babel-traverse  *
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix --force`
Will install babel-core@4.7.16, which is a breaking change
node_modules/babel-traverse
  babel-core  5.8.20 - 7.0.0-beta.3
  Depends on vulnerable versions of babel-helpers
  Depends on vulnerable versions of babel-register
  Depends on vulnerable versions of babel-template
  Depends on vulnerable versions of babel-traverse
  Depends on vulnerable versions of json5
  node_modules/babel-core
    babel-register  *
    Depends on vulnerable versions of babel-core
    node_modules/babel-register
  babel-helper-call-delegate  *
  Depends on vulnerable versions of babel-traverse
  node_modules/babel-helper-call-delegate
  babel-helper-explode-assignable-expression  *
  Depends on vulnerable versions of babel-traverse
  node_modules/babel-helper-explode-assignable-expression
    babel-helper-builder-binary-assignment-operator-visitor  *
    Depends on vulnerable versions of babel-helper-explode-assignable-expression
    node_modules/babel-helper-builder-binary-assignment-operator-visitor
      babel-plugin-transform-exponentiation-operator  *
      Depends on vulnerable versions of babel-helper-builder-binary-assignment-operator-visitor
      node_modules/babel-plugin-transform-exponentiation-operator
  babel-helper-function-name  *
  Depends on vulnerable versions of babel-template
  Depends on vulnerable versions of babel-traverse
  node_modules/babel-helper-function-name
    babel-helper-define-map  *
    Depends on vulnerable versions of babel-helper-function-name
    node_modules/babel-helper-define-map
    babel-helper-remap-async-to-generator  *
    Depends on vulnerable versions of babel-helper-function-name
    Depends on vulnerable versions of babel-template
    Depends on vulnerable versions of babel-traverse
    node_modules/babel-helper-remap-async-to-generator
      babel-plugin-transform-async-to-generator  *
      Depends on vulnerable versions of babel-helper-remap-async-to-generator
      node_modules/babel-plugin-transform-async-to-generator
    babel-plugin-transform-es2015-function-name  *
    Depends on vulnerable versions of babel-helper-function-name
    node_modules/babel-plugin-transform-es2015-function-name
  babel-helper-replace-supers  *
  Depends on vulnerable versions of babel-template
  Depends on vulnerable versions of babel-traverse
  node_modules/babel-helper-replace-supers
    babel-plugin-transform-es2015-object-super  *
    Depends on vulnerable versions of babel-helper-replace-supers
    node_modules/babel-plugin-transform-es2015-object-super
  babel-plugin-transform-es2015-block-scoping  *
  Depends on vulnerable versions of babel-template
  Depends on vulnerable versions of babel-traverse
  node_modules/babel-plugin-transform-es2015-block-scoping
    babel-preset-env  >=0.0.1
    Depends on vulnerable versions of babel-plugin-transform-async-to-generator
    Depends on vulnerable versions of babel-plugin-transform-es2015-block-scoping
    Depends on vulnerable versions of babel-plugin-transform-es2015-classes
    Depends on vulnerable versions of babel-plugin-transform-es2015-computed-properties
    Depends on vulnerable versions of babel-plugin-transform-es2015-function-name
    Depends on vulnerable versions of babel-plugin-transform-es2015-modules-amd
    Depends on vulnerable versions of babel-plugin-transform-es2015-modules-commonjs
    Depends on vulnerable versions of babel-plugin-transform-es2015-modules-systemjs
    Depends on vulnerable versions of babel-plugin-transform-es2015-modules-umd
    Depends on vulnerable versions of babel-plugin-transform-es2015-object-super
    Depends on vulnerable versions of babel-plugin-transform-es2015-parameters
    Depends on vulnerable versions of babel-plugin-transform-exponentiation-operator
    node_modules/babel-preset-env
  babel-plugin-transform-es2015-classes  *
  Depends on vulnerable versions of babel-helper-define-map
  Depends on vulnerable versions of babel-helper-function-name
  Depends on vulnerable versions of babel-helper-replace-supers
  Depends on vulnerable versions of babel-template
  Depends on vulnerable versions of babel-traverse
  node_modules/babel-plugin-transform-es2015-classes
  babel-plugin-transform-es2015-parameters  *
  Depends on vulnerable versions of babel-helper-call-delegate
  Depends on vulnerable versions of babel-template
  Depends on vulnerable versions of babel-traverse
  node_modules/babel-plugin-transform-es2015-parameters
  babel-template  *
  Depends on vulnerable versions of babel-traverse
  node_modules/babel-template
    babel-helpers  *
    Depends on vulnerable versions of babel-template
    node_modules/babel-helpers
    babel-plugin-transform-es2015-computed-properties  *
    Depends on vulnerable versions of babel-template
    node_modules/babel-plugin-transform-es2015-computed-properties
    babel-plugin-transform-es2015-modules-amd  *
    Depends on vulnerable versions of babel-plugin-transform-es2015-modules-commonjs
    Depends on vulnerable versions of babel-template
    node_modules/babel-plugin-transform-es2015-modules-amd
      babel-plugin-transform-es2015-modules-umd  *
      Depends on vulnerable versions of babel-plugin-transform-es2015-modules-amd
      Depends on vulnerable versions of babel-template
      node_modules/babel-plugin-transform-es2015-modules-umd
    babel-plugin-transform-es2015-modules-commonjs  <=7.0.0-beta.0
    Depends on vulnerable versions of babel-template
    node_modules/babel-plugin-transform-es2015-modules-commonjs
    babel-plugin-transform-es2015-modules-systemjs  *
    Depends on vulnerable versions of babel-template
    node_modules/babel-plugin-transform-es2015-modules-systemjs

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install d3@7.9.0, which is a breaking change
node_modules/d3-color
  d3  4.0.0-alpha.1 - 6.7.0
  Depends on vulnerable versions of d3-brush
  Depends on vulnerable versions of d3-color
  Depends on vulnerable versions of d3-interpolate
  Depends on vulnerable versions of d3-scale
  Depends on vulnerable versions of d3-transition
  Depends on vulnerable versions of d3-zoom
  node_modules/d3
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-interpolate
    d3-brush  0.1.0 - 2.1.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/d3-brush
    d3-scale  0.1.3 - 3.3.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
    d3-transition  0.0.7 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-transition
    d3-zoom  0.0.2 - 2.0.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/d3-zoom

express  <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix`
node_modules/express

follow-redirects  <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/follow-redirects

ip  <1.1.9
Severity: moderate
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix`
node_modules/ip

json5  <1.0.2 || >=2.0.0 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install babel-core@4.7.16, which is a breaking change
node_modules/babel-core/node_modules/json5
node_modules/json5
node_modules/loader-utils/node_modules/json5

loader-utils  <=1.4.1 || 2.0.0 - 2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
fix available via `npm audit fix`
node_modules/file-loader/node_modules/loader-utils
node_modules/loader-utils

minimist  1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist

moment  <=2.29.3
Severity: high
Moment.js vulnerable to Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
fix available via `npm audit fix`
node_modules/moment

node-forge  <=1.2.1
Severity: high
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix`
node_modules/node-forge

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install vue-loader@17.4.2, which is a breaking change
node_modules/@vue/component-compiler-utils/node_modules/postcss
node_modules/postcss
  @vue/component-compiler-utils  *
  Depends on vulnerable versions of postcss
  node_modules/@vue/component-compiler-utils
    vue-loader  15.0.0-beta.1 - 15.11.1
    Depends on vulnerable versions of @vue/component-compiler-utils
    node_modules/vue-loader

semver  <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/babel-preset-env/node_modules/semver
node_modules/css-loader/node_modules/semver
node_modules/semver

terser  5.0.0 - 5.14.1
Severity: high
Terser insecure use of regular expressions leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via `npm audit fix`
node_modules/terser

webpack  5.0.0 - 5.75.0
Severity: critical
Cross-realm object access in Webpack 5 - https://github.com/advisories/GHSA-hc6q-2mpp-qw7j
fix available via `npm audit fix`
node_modules/webpack

webpack-dev-middleware  <=5.3.3
Severity: high
Path traversal in webpack-dev-middleware - https://github.com/advisories/GHSA-wr3j-pwj9-hqq6
fix available via `npm audit fix`
node_modules/webpack-dev-middleware

49 vulnerabilities (7 moderate, 14 high, 28 critical)

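The triage the issue proposes (fix first whatever `npm audit fix` can do without a breaking change, defer the `--force` semver-major bumps to #30) is easier to do from `npm audit --json` than from the text report above. The script below is an added example, not code from the project or the issue author: it reads npm's audit report v2 format (npm 7+), separates the packages that carry an advisory of their own from the ones flagged only because a dependency is vulnerable, buckets every package by the kind of fix npm offers, and checks that the headline count (the "49 vulnerabilities") really is a count of vulnerable packages. The embedded report is a constructed, abbreviated sample built from a few of the packages named in the output above; the function names are this example's own.

```javascript
// Added example: triage an `npm audit --json` (report v2, npm 7+) report.
// Usage:  npm audit --json > audit.json && node triage.js audit.json
// With no argument the constructed sample below is used.

// Severity order used for sorting; these are the five levels npm reports.
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Constructed, abbreviated sample report (not the project's real output).
// `via` holds advisory objects for packages with a vulnerability of their own and
// package-name strings for packages flagged only through a vulnerable dependency.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "@babel/traverse": {
      name: "@babel/traverse", severity: "critical", isDirect: false, range: "<7.23.2",
      via: [{ name: "@babel/traverse", severity: "critical", range: "<7.23.2",
              title: "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
              url: "https://github.com/advisories/GHSA-67hx-6x53-jw92" }],
      effects: [], nodes: ["node_modules/@babel/traverse"], fixAvailable: true,
    },
    "d3-color": {
      name: "d3-color", severity: "high", isDirect: false, range: "<3.1.0",
      via: [{ name: "d3-color", severity: "high", range: "<3.1.0",
              title: "d3-color vulnerable to ReDoS",
              url: "https://github.com/advisories/GHSA-36jr-mh4h-2g58" }],
      effects: ["d3-interpolate"], nodes: ["node_modules/d3-color"],
      fixAvailable: { name: "d3", version: "7.9.0", isSemVerMajor: true },
    },
    "d3-interpolate": {
      name: "d3-interpolate", severity: "high", isDirect: false, range: "0.1.3 - 2.0.1",
      via: ["d3-color"], effects: ["d3"], nodes: ["node_modules/d3-interpolate"],
      fixAvailable: { name: "d3", version: "7.9.0", isSemVerMajor: true },
    },
    d3: {
      name: "d3", severity: "high", isDirect: true, range: "4.0.0-alpha.1 - 6.7.0",
      via: ["d3-interpolate"], effects: [], nodes: ["node_modules/d3"],
      fixAvailable: { name: "d3", version: "7.9.0", isSemVerMajor: true },
    },
    express: {
      name: "express", severity: "moderate", isDirect: true, range: "<4.19.2",
      via: [{ name: "express", severity: "moderate", range: "<4.19.2",
              title: "Express.js Open Redirect in malformed URLs",
              url: "https://github.com/advisories/GHSA-rv95-896h-c2vc" }],
      effects: [], nodes: ["node_modules/express"], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 3, critical: 1, total: 5 } },
};

// Kind of fix npm offers, from the `fixAvailable` field:
//   true                             -> `npm audit fix` (stays inside the declared ranges)
//   { name, version, isSemVerMajor } -> top-level `name` must move to `version`;
//                                       with isSemVerMajor that needs `--force` and is breaking
//   false                            -> no published fix
function fixKind(entry) {
  const fix = entry.fixAvailable;
  if (fix === false || fix == null) return "none";
  if (typeof fix === "object" && fix.isSemVerMajor) return "breaking";
  return "non-breaking";
}

// Packages with an advisory of their own (an object in `via`), i.e. the real roots.
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter((e) => e.via.some((v) => typeof v === "object"))
    .map((e) => e.name)
    .sort();
}

// Every package flagged because of `name`, following `effects` transitively.
function blastRadius(report, name) {
  const seen = new Set();
  const queue = [name];
  while (queue.length) {
    const entry = report.vulnerabilities[queue.shift()];
    if (!entry) continue;
    for (const dep of entry.effects) {
      if (!seen.has(dep)) { seen.add(dep); queue.push(dep); }
    }
  }
  return [...seen].sort();
}

// Bucket vulnerable packages by fix kind, most severe first, then by name.
function triage(report) {
  const buckets = { "non-breaking": [], breaking: [], none: [] };
  for (const e of Object.values(report.vulnerabilities)) {
    buckets[fixKind(e)].push({
      name: e.name, severity: e.severity, isDirect: e.isDirect, range: e.range,
      advisories: e.via.filter((v) => typeof v === "object").map((v) => v.url),
      target: typeof e.fixAvailable === "object" ? `${e.fixAvailable.name}@${e.fixAvailable.version}` : null,
    });
  }
  const order = (a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name);
  for (const list of Object.values(buckets)) list.sort(order);
  return buckets;
}

// The headline npm prints counts vulnerable packages, so metadata must match the entries.
function countsMatchMetadata(report) {
  const counted = {};
  for (const e of Object.values(report.vulnerabilities)) counted[e.severity] = (counted[e.severity] || 0) + 1;
  const meta = report.metadata.vulnerabilities;
  return Object.keys(SEVERITY_RANK).every((s) => (counted[s] || 0) === (meta[s] || 0)) &&
    meta.total === Object.keys(report.vulnerabilities).length;
}

function loadReport(argv) {
  if (argv.length > 2 && argv[2].endsWith(".json")) {
    const fs = require("node:fs");
    return JSON.parse(fs.readFileSync(argv[2], "utf8"));
  }
  return SAMPLE_REPORT;
}

function main() {
  const report = loadReport(process.argv);
  const roots = rootCauses(report);
  console.log(`${Object.keys(report.vulnerabilities).length} vulnerable packages, ${roots.length} with advisories of their own`);
  for (const r of roots) console.log(`  ${r}: drags in ${blastRadius(report, r).length} dependent package(s)`);
  for (const [kind, list] of Object.entries(triage(report))) {
    console.log(`\n${kind} (${list.length}):`);
    for (const p of list) {
      const extra = (p.target ? ` -> needs ${p.target}` : "") + (p.isDirect ? " [direct]" : "");
      console.log(`  ${p.severity.padEnd(8)} ${p.name} ${p.range}${extra}`);
    }
  }
  if (!countsMatchMetadata(report)) console.log("\nwarning: metadata counts do not match the entries");
}

main();
```

On the sample, the "non-breaking" bucket holds @babel/traverse and express, so those are the `npm audit fix` candidates, while the three d3 entries all resolve to the same `d3@7.9.0` semver-major bump and belong with the larger upgrade in #30. The `rootCauses` view is what shrinks the headline number: in the full report above, the 25 `babel-*` packages are flagged through `babel-traverse` alone, so the count of distinct advisories to act on is far smaller than 49.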
@viniarck viniarck added the future_release Planned for the next release label Apr 30, 2024
@rmotitsuki rmotitsuki self-assigned this May 6, 2024