
glob-parent, got, and node-fetch security vulnerabilities for [email protected] #4921


Closed
mikepianka opened this issue Aug 10, 2022 · 8 comments

Comments

@mikepianka

Describe the bug

npm flags security vulnerabilities for the packages glob-parent, got, and node-fetch after having installed the latest [email protected]

# npm audit report

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/netlify-cli/node_modules/cpy/node_modules/glob-parent
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/netlify-cli/node_modules/cpy/node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/netlify-cli/node_modules/cpy/node_modules/globby
      cpy  7.0.0 - 8.1.2
      Depends on vulnerable versions of globby
      node_modules/netlify-cli/node_modules/cpy
        @netlify/cache-utils  *
        Depends on vulnerable versions of cpy
        node_modules/netlify-cli/node_modules/@netlify/cache-utils
          @netlify/build  >=0.1.31
          Depends on vulnerable versions of @netlify/cache-utils
          Depends on vulnerable versions of @netlify/functions-utils
          Depends on vulnerable versions of got
          Depends on vulnerable versions of update-notifier
          node_modules/netlify-cli/node_modules/@netlify/build
            netlify-cli  >=0.3.4
            Depends on vulnerable versions of @netlify/build
            Depends on vulnerable versions of gh-release-fetch
            Depends on vulnerable versions of node-version-alias
            Depends on vulnerable versions of update-notifier
            node_modules/netlify-cli
        @netlify/functions-utils  *
        Depends on vulnerable versions of cpy
        node_modules/netlify-cli/node_modules/@netlify/functions-utils

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/netlify-cli/node_modules/@netlify/build/node_modules/got
node_modules/netlify-cli/node_modules/download/node_modules/got
node_modules/netlify-cli/node_modules/fetch-node-website/node_modules/got
node_modules/netlify-cli/node_modules/package-json/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/netlify-cli/node_modules/download
    gh-release-fetch  *
    Depends on vulnerable versions of download
    node_modules/netlify-cli/node_modules/gh-release-fetch
  fetch-node-website  2.0.0 - 5.0.3
  Depends on vulnerable versions of got
  node_modules/netlify-cli/node_modules/fetch-node-website
    all-node-versions  2.0.0 - 8.0.0
    Depends on vulnerable versions of fetch-node-website
    node_modules/netlify-cli/node_modules/all-node-versions
      node-version-alias  <=1.0.1
      Depends on vulnerable versions of all-node-versions
      Depends on vulnerable versions of normalize-node-version
      node_modules/netlify-cli/node_modules/node-version-alias
      normalize-node-version  2.0.0 - 10.0.0
      Depends on vulnerable versions of all-node-versions
      node_modules/netlify-cli/node_modules/normalize-node-version
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/netlify-cli/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/netlify-cli/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/netlify-cli/node_modules/update-notifier

node-fetch  3.0.0 - 3.2.9
Severity: moderate
node-fetch Inefficient Regular Expression Complexity  - https://github.com/advisories/GHSA-vp56-6g26-6827
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/@netlify/edge-bundler/node_modules/node-fetch
node_modules/netlify-cli/node_modules/netlify/node_modules/node-fetch

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

25 vulnerabilities (12 moderate, 13 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Steps to reproduce

  1. npm i netlify-cli
  2. npm audit

Configuration

No response

Environment

System:
OS: Windows 10 10.0.19044
CPU: (16) x64 AMD Ryzen 7 1700X Eight-Core Processor
Memory: 40.85 GB / 63.93 GB
Binaries:
Node: 16.14.0 - C:\Program Files\nodejs\node.EXE
npm: 8.15.1 - C:\Program Files\nodejs\npm.CMD
npmPackages:
netlify-cli: ^10.15.0 => 10.15.0
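The reproduction above ends at `npm audit`, whose report mixes fixes that `npm audit fix` applies cleanly with fixes that need `--force` and a breaking change. As an added example, not code from the netlify-cli project, this Node script reads the JSON form of that report (`npm audit --json`, auditReportVersion 2) and separates the two, so a CI gate can fail only on actionable findings while blocked ones stay visible; the embedded report is a constructed stand-in modelled on the thread, and its fix target version is a placeholder.

```javascript
// Added example (not netlify-cli project code): triage an `npm audit --json`
// (auditReportVersion 2) report such as the one above into findings that plain
// `npm audit fix` resolves and findings that need `--force` (a breaking upgrade).
// SAMPLE_AUDIT is CONSTRUCTED to mirror this thread; "0.0.0-placeholder" is not a real version.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "glob-parent": { name: "glob-parent", severity: "high", range: "<5.1.2",
      via: [{ url: "https://github.com/advisories/GHSA-ww39-953v-wcq6", severity: "high" }],
      nodes: ["node_modules/netlify-cli/node_modules/cpy/node_modules/glob-parent"],
      fixAvailable: { name: "netlify-cli", version: "0.0.0-placeholder", isSemVerMajor: true } },
    got: { name: "got", severity: "moderate", range: "<11.8.5",
      via: [{ url: "https://github.com/advisories/GHSA-pfrx-2q88-qq97", severity: "moderate" }],
      nodes: ["node_modules/netlify-cli/node_modules/download/node_modules/got"],
      fixAvailable: { name: "netlify-cli", version: "0.0.0-placeholder", isSemVerMajor: true } },
    "node-fetch": { name: "node-fetch", severity: "moderate", range: "3.0.0 - 3.2.9",
      via: [{ url: "https://github.com/advisories/GHSA-vp56-6g26-6827", severity: "moderate" }],
      nodes: ["node_modules/netlify-cli/node_modules/netlify/node_modules/node-fetch"],
      fixAvailable: true },
    // A "depends on vulnerable versions of ..." row: `via` holds package names, no advisory.
    "netlify-cli": { name: "netlify-cli", severity: "high", range: ">=0.3.4",
      via: ["@netlify/build", "gh-release-fetch"], nodes: ["node_modules/netlify-cli"],
      fixAvailable: { name: "netlify-cli", version: "0.0.0-placeholder", isSemVerMajor: true } },
  },
};

const LEVELS = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Keep rows that carry at least one advisory object in `via` (string entries are only
// transitive links to another row) at or above `floor`, most severe first.
function triageAudit(report, floor = "moderate") {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object") && LEVELS[v.severity] >= LEVELS[floor])
    .map((v) => ({
      name: v.name, severity: v.severity, range: v.range, paths: v.nodes,
      urls: v.via.filter((x) => typeof x === "object").map((a) => a.url),
      fixable: v.fixAvailable !== false,
      breaking: typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor === true,
    }))
    .sort((a, b) => LEVELS[b.severity] - LEVELS[a.severity]);
}

// "actionable" can be fixed without a major bump; "blocked" needs --force or has no fix
// and belongs in a tracked exception list rather than silently failing (or passing) CI.
function summarize(findings) {
  const actionable = findings.filter((f) => f.fixable && !f.breaking).map((f) => f.name);
  const blocked = findings.filter((f) => !f.fixable || f.breaking).map((f) => f.name);
  return { actionable, blocked };
}

console.log(JSON.stringify(summarize(triageAudit(SAMPLE_AUDIT)), null, 2));
```

To run it against a real project, replace SAMPLE_AUDIT with `JSON.parse` of the `npm audit --json` output.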

@mikepianka mikepianka added the type: bug code to address defects in shipped code label Aug 10, 2022
@danez danez added the security label Aug 15, 2022
@danez
Contributor

danez commented Aug 15, 2022

Thanks for reporting.

@AndyTurnerNetlify

@danez - any update on when we might be able to get this resolved?

@mikepianka
Author

> @danez - any update on when we might be able to get this resolved?

@danez @AndyTurnerNetlify any update? Thanks.

@danez
Contributor

danez commented Oct 4, 2022

I think we cannot solve this right now, because there are some dependencies that we cannot yet update because of either ESM compatibility or node version restrictions.

@mikepianka
Author

> I think we cannot solve this right now, because there are some dependencies that we cannot yet update because of either ESM compatibility or node version restrictions.

OK thanks for the explanation.

@a1300

a1300 commented Feb 16, 2023

With the current version (v12.12.0) netlify-cli is still producing some security warnings:

Preparation:

npm init --yes
npm install --save-dev netlify-cli

Audit netlify-cli:

npm audit

# npm audit report

decode-uri-component  <0.2.1
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/decode-uri-component

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/netlify-cli/node_modules/@netlify/cache-utils/node_modules/glob-parent
node_modules/netlify-cli/node_modules/@netlify/functions-utils/node_modules/glob-parent
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/netlify-cli/node_modules/@netlify/cache-utils/node_modules/cpy/node_modules/fast-glob
  node_modules/netlify-cli/node_modules/@netlify/functions-utils/node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/netlify-cli/node_modules/@netlify/cache-utils/node_modules/cpy/node_modules/globby
    node_modules/netlify-cli/node_modules/@netlify/functions-utils/node_modules/globby
      cpy  7.0.0 - 8.1.2
      Depends on vulnerable versions of globby
      node_modules/netlify-cli/node_modules/@netlify/cache-utils/node_modules/cpy
      node_modules/netlify-cli/node_modules/@netlify/functions-utils/node_modules/cpy
        @netlify/cache-utils  *
        Depends on vulnerable versions of cpy
        node_modules/netlify-cli/node_modules/@netlify/cache-utils
          @netlify/build  >=0.1.31
          Depends on vulnerable versions of @netlify/cache-utils
          Depends on vulnerable versions of @netlify/functions-utils
          node_modules/netlify-cli/node_modules/@netlify/build
            netlify-cli  >=2.13.0
            Depends on vulnerable versions of @netlify/build
            Depends on vulnerable versions of gh-release-fetch
            node_modules/netlify-cli
        @netlify/functions-utils  *
        Depends on vulnerable versions of cpy
        node_modules/netlify-cli/node_modules/@netlify/functions-utils

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/netlify-cli/node_modules/download/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/netlify-cli/node_modules/download
    gh-release-fetch  *
    Depends on vulnerable versions of download
    node_modules/netlify-cli/node_modules/gh-release-fetch

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/netlify-cli/node_modules/download/node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/netlify-cli/node_modules/download/node_modules/cacheable-request

14 vulnerabilities (1 low, 2 moderate, 11 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

@MikeMcC399

In addition to security vulnerabilities, there are also 5 deprecation notices in [email protected]:

$ npm init -y
$ npm install netlify-cli@15
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.

@danez
Contributor

danez commented May 15, 2023

All packages are now at secure versions and npm audit does not report any security issues anymore.

The deprecated packages are something that we will also address at some point and I opened a new issue for that: #5724

@danez danez closed this as completed May 15, 2023