how to deal with vulnerabilities? #1

New Issue

Open

opened 2022-10-04 13:58:46 +02:00 by claudio.atzori · 4 comments

claudio.atzori commented 2022-10-04 13:58:46 +02:00

Owner

Copy Link

I'm quite new to npm, but releasing a site knowing in advance about its vulerabilities doesn't sound good.

I noticed that npm audit reports 21 vulnerabilities (8 moderate, 13 high), some of them seems were fixed, while others not, here's the report:

❯ npm audit
# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        @docusaurus/core  *
        Depends on vulnerable versions of @docusaurus/mdx-loader
        Depends on vulnerable versions of update-notifier
        node_modules/@docusaurus/core
          @docusaurus/plugin-debug  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-debug
          @docusaurus/plugin-google-analytics  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-google-analytics
          @docusaurus/plugin-google-gtag  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-google-gtag
          @docusaurus/plugin-sitemap  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-sitemap
          @docusaurus/preset-classic  *
          Depends on vulnerable versions of @docusaurus/core
          Depends on vulnerable versions of @docusaurus/plugin-content-blog
          Depends on vulnerable versions of @docusaurus/plugin-content-docs
          Depends on vulnerable versions of @docusaurus/plugin-content-pages
          Depends on vulnerable versions of @docusaurus/plugin-debug
          Depends on vulnerable versions of @docusaurus/plugin-google-analytics
          Depends on vulnerable versions of @docusaurus/plugin-google-gtag
          Depends on vulnerable versions of @docusaurus/plugin-sitemap
          Depends on vulnerable versions of @docusaurus/theme-classic
          Depends on vulnerable versions of @docusaurus/theme-common
          Depends on vulnerable versions of @docusaurus/theme-search-algolia
          node_modules/@docusaurus/preset-classic
          @docusaurus/theme-search-algolia  *
          Depends on vulnerable versions of @docusaurus/core
          Depends on vulnerable versions of @docusaurus/plugin-content-docs
          Depends on vulnerable versions of @docusaurus/theme-common
          node_modules/@docusaurus/theme-search-algolia

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix`
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    @mdx-js/mdx  <=1.6.22
    Depends on vulnerable versions of remark-mdx
    Depends on vulnerable versions of remark-parse
    node_modules/@mdx-js/mdx
      @docusaurus/mdx-loader  *
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/@docusaurus/mdx-loader
        @docusaurus/plugin-content-blog  *
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-blog
        @docusaurus/plugin-content-docs  *
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-docs
        @docusaurus/plugin-content-pages  *
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-pages
        @docusaurus/theme-classic  *
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        Depends on vulnerable versions of @docusaurus/plugin-content-blog
        Depends on vulnerable versions of @docusaurus/plugin-content-docs
        Depends on vulnerable versions of @docusaurus/plugin-content-pages
        Depends on vulnerable versions of @docusaurus/theme-common
        node_modules/@docusaurus/theme-classic
        @docusaurus/theme-common  *
        Depends on vulnerable versions of @docusaurus/mdx-loader
        Depends on vulnerable versions of @docusaurus/plugin-content-blog
        Depends on vulnerable versions of @docusaurus/plugin-content-docs
        Depends on vulnerable versions of @docusaurus/plugin-content-pages
        node_modules/@docusaurus/theme-common
    remark-mdx  <=1.6.22
    Depends on vulnerable versions of remark-parse
    node_modules/remark-mdx

21 vulnerabilities (8 moderate, 13 high)

@schatz do you know how to address these?

I'm quite new to npm, but releasing a site knowing in advance about its vulerabilities doesn't sound good. I noticed that npm audit reports 21 vulnerabilities (8 moderate, 13 high), some of them seems were fixed, while others not, here's the report: ``` ❯ npm audit # npm audit report got <11.8.5 Severity: moderate Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97 No fix available node_modules/got package-json <=6.5.0 Depends on vulnerable versions of got node_modules/package-json latest-version 0.2.0 - 5.1.0 Depends on vulnerable versions of package-json node_modules/latest-version update-notifier 0.2.0 - 5.1.0 Depends on vulnerable versions of latest-version node_modules/update-notifier @docusaurus/core * Depends on vulnerable versions of @docusaurus/mdx-loader Depends on vulnerable versions of update-notifier node_modules/@docusaurus/core @docusaurus/plugin-debug * Depends on vulnerable versions of @docusaurus/core node_modules/@docusaurus/plugin-debug @docusaurus/plugin-google-analytics * Depends on vulnerable versions of @docusaurus/core node_modules/@docusaurus/plugin-google-analytics @docusaurus/plugin-google-gtag * Depends on vulnerable versions of @docusaurus/core node_modules/@docusaurus/plugin-google-gtag @docusaurus/plugin-sitemap * Depends on vulnerable versions of @docusaurus/core node_modules/@docusaurus/plugin-sitemap @docusaurus/preset-classic * Depends on vulnerable versions of @docusaurus/core Depends on vulnerable versions of @docusaurus/plugin-content-blog Depends on vulnerable versions of @docusaurus/plugin-content-docs Depends on vulnerable versions of @docusaurus/plugin-content-pages Depends on vulnerable versions of @docusaurus/plugin-debug Depends on vulnerable versions of @docusaurus/plugin-google-analytics Depends on vulnerable versions of @docusaurus/plugin-google-gtag Depends on vulnerable versions of @docusaurus/plugin-sitemap Depends on vulnerable versions of @docusaurus/theme-classic Depends on vulnerable versions of @docusaurus/theme-common Depends on vulnerable versions of @docusaurus/theme-search-algolia node_modules/@docusaurus/preset-classic @docusaurus/theme-search-algolia * Depends on vulnerable versions of @docusaurus/core Depends on vulnerable versions of @docusaurus/plugin-content-docs Depends on vulnerable versions of @docusaurus/theme-common node_modules/@docusaurus/theme-search-algolia trim <0.0.3 Severity: high Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq fix available via `npm audit fix` node_modules/trim remark-parse <=8.0.3 Depends on vulnerable versions of trim node_modules/remark-parse @mdx-js/mdx <=1.6.22 Depends on vulnerable versions of remark-mdx Depends on vulnerable versions of remark-parse node_modules/@mdx-js/mdx @docusaurus/mdx-loader * Depends on vulnerable versions of @mdx-js/mdx node_modules/@docusaurus/mdx-loader @docusaurus/plugin-content-blog * Depends on vulnerable versions of @docusaurus/core Depends on vulnerable versions of @docusaurus/mdx-loader node_modules/@docusaurus/plugin-content-blog @docusaurus/plugin-content-docs * Depends on vulnerable versions of @docusaurus/core Depends on vulnerable versions of @docusaurus/mdx-loader node_modules/@docusaurus/plugin-content-docs @docusaurus/plugin-content-pages * Depends on vulnerable versions of @docusaurus/core Depends on vulnerable versions of @docusaurus/mdx-loader node_modules/@docusaurus/plugin-content-pages @docusaurus/theme-classic * Depends on vulnerable versions of @docusaurus/core Depends on vulnerable versions of @docusaurus/mdx-loader Depends on vulnerable versions of @docusaurus/plugin-content-blog Depends on vulnerable versions of @docusaurus/plugin-content-docs Depends on vulnerable versions of @docusaurus/plugin-content-pages Depends on vulnerable versions of @docusaurus/theme-common node_modules/@docusaurus/theme-classic @docusaurus/theme-common * Depends on vulnerable versions of @docusaurus/mdx-loader Depends on vulnerable versions of @docusaurus/plugin-content-blog Depends on vulnerable versions of @docusaurus/plugin-content-docs Depends on vulnerable versions of @docusaurus/plugin-content-pages node_modules/@docusaurus/theme-common remark-mdx <=1.6.22 Depends on vulnerable versions of remark-parse node_modules/remark-mdx 21 vulnerabilities (8 moderate, 13 high) ``` @schatz do you know how to address these?

schatz was assigned by claudio.atzori 2022-10-04 13:58:47 +02:00

schatz commented 2022-11-17 13:01:02 +01:00

Member

Copy Link

As a starting point, I have updated to docusaurus v2.2.0 and run 'npm audit fix' that resulted in resolving some of the vulnerabilities.
Relevant PR: #16

However, others persist; so I do not close this issue. I have to take a closer look.

As a starting point, I have updated to docusaurus v2.2.0 and run 'npm audit fix' that resulted in resolving some of the vulnerabilities. Relevant PR: https://code-repo.d4science.org/D-Net/openaire-graph-docs/pulls/16 However, others persist; so I do not close this issue. I have to take a closer look.

schatz referenced this issue 2022-11-17 14:49:18 +01:00

Update to docusaurus v2.2.0 && npm audit fix #16

schatz commented 2022-11-17 15:26:26 +01:00

Member

Copy Link

As far as I understand, this is a known issue: https://github.com/facebook/docusaurus/issues/6394

In their response, they state that those vulnerabilities occur only during the building process and the client is not affected.

As far as I understand, this is a known issue: https://github.com/facebook/docusaurus/issues/6394 In their response, they state that those vulnerabilities occur only during the building process and the client is not affected.

schatz commented 2022-11-17 15:30:08 +01:00

Member

Copy Link

Also tried to use ncu as mentioned here: https://stackoverflow.com/a/59158899/6938911
But it seems to break the building process.

Also tried to use `ncu` as mentioned here: https://stackoverflow.com/a/59158899/6938911 But it seems to break the building process.

schatz commented 2023-01-27 11:56:05 +01:00

Member

Copy Link

@claudio.atzori these vulnerabilities seem to refer to building process of the docunentation as mentioned in https://github.com/facebook/docusaurus/issues/6394#issuecomment-1015942459, therefore the client appliction is not affected. So, should we close this issue?

@claudio.atzori these vulnerabilities seem to refer to building process of the docunentation as mentioned in https://github.com/facebook/docusaurus/issues/6394#issuecomment-1015942459, therefore the client appliction is not affected. So, should we close this issue?

Sign in to join this conversation.

main

Branches Tags

Clear current reference

main

update_affiliation_algorithms

v7.1.3

pid_stability

v7.1.1

dedup_v4

upgrade-docusaurus-3

v7.0.0

api

SWH

updateScholixLink

marekhorst_fixing_citationmatching_references

marekhorst_fixing_citationmatching_short_descr

v6.0.0_fix

v6.1.0

8925

v6.0.0

pdf_aggregation

marekhorst_52_extraction_of_cited_concepts_refinement

v5.1.3

8549_affiliation_extraction

scholexplorer_ds

opencitations

Change_graph_name

5.1.0

relation_provenance

changelog

beginners-kit

graph-data-model-revision

restructure_data_provision

enable_search

fix-image-links

parameter_config_with_env

disable_color_theme_switch

update_badges

update_related_datasets

dumpSubset

bulk_downloads

release_properties

reduced_image_file_size

aggregation

fix_issues_raised_in_PR_7

styling

Add_sitemap_generation

enrichment

formating_enrichment_section

enrichment_mining_icm

update_docusaurus

impact_indicators

openaire_graph_rename

indexing

license

learning-center

cleaning

Clear current reference

7.1.3-5

7.1.3-4

7.1.3-3

7.1.3-2

7.1.3-1

7.1.3

7.1.1

7.1.0-1

7.1.0

7.0.0-6

7.0.0-5

7.0.0-4

7.0.0-3

7.0.0-2

7.0.0-1

6.2.2.3

6.2.2.2

6.2.2.1

6.2.2

6.1.1-1

6.1.1-0

6.1.1

v.6.0.0-3

6.0.0-2

6.0.0-1

6.0.1

6.0.0

5.2.0

5.1.3-1

5.1.3

5.1.2-5

5.1.2-4

5.1.2-3

5.1.2-2

5.1.2-1

5.1.2

5.1.0-6

5.1.0-5

5.1.0-4

5.1.0-3

5.0.1-2

5.1.0-1

5.1.0

5.0.0-1

5.0.0

Labels

Clear labels

No items

No Label

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

schatz

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: D-Net/openaire-graph-docs#1

No description provided.