how to deal with vulnerabilities? #1

Open
opened 2022-10-04 13:58:46 +02:00 by claudio.atzori · 4 comments

I'm quite new to npm, but releasing a site knowing in advance about its vulnerabilities doesn't sound good.

I noticed that npm audit reports 21 vulnerabilities (8 moderate, 13 high); some of them seem to have been fixed, while others have not. Here's the report:

❯ npm audit
# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        @docusaurus/core  *
        Depends on vulnerable versions of @docusaurus/mdx-loader
        Depends on vulnerable versions of update-notifier
        node_modules/@docusaurus/core
          @docusaurus/plugin-debug  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-debug
          @docusaurus/plugin-google-analytics  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-google-analytics
          @docusaurus/plugin-google-gtag  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-google-gtag
          @docusaurus/plugin-sitemap  *
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-sitemap
          @docusaurus/preset-classic  *
          Depends on vulnerable versions of @docusaurus/core
          Depends on vulnerable versions of @docusaurus/plugin-content-blog
          Depends on vulnerable versions of @docusaurus/plugin-content-docs
          Depends on vulnerable versions of @docusaurus/plugin-content-pages
          Depends on vulnerable versions of @docusaurus/plugin-debug
          Depends on vulnerable versions of @docusaurus/plugin-google-analytics
          Depends on vulnerable versions of @docusaurus/plugin-google-gtag
          Depends on vulnerable versions of @docusaurus/plugin-sitemap
          Depends on vulnerable versions of @docusaurus/theme-classic
          Depends on vulnerable versions of @docusaurus/theme-common
          Depends on vulnerable versions of @docusaurus/theme-search-algolia
          node_modules/@docusaurus/preset-classic
          @docusaurus/theme-search-algolia  *
          Depends on vulnerable versions of @docusaurus/core
          Depends on vulnerable versions of @docusaurus/plugin-content-docs
          Depends on vulnerable versions of @docusaurus/theme-common
          node_modules/@docusaurus/theme-search-algolia

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix`
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    @mdx-js/mdx  <=1.6.22
    Depends on vulnerable versions of remark-mdx
    Depends on vulnerable versions of remark-parse
    node_modules/@mdx-js/mdx
      @docusaurus/mdx-loader  *
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/@docusaurus/mdx-loader
        @docusaurus/plugin-content-blog  *
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-blog
        @docusaurus/plugin-content-docs  *
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-docs
        @docusaurus/plugin-content-pages  *
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-pages
        @docusaurus/theme-classic  *
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        Depends on vulnerable versions of @docusaurus/plugin-content-blog
        Depends on vulnerable versions of @docusaurus/plugin-content-docs
        Depends on vulnerable versions of @docusaurus/plugin-content-pages
        Depends on vulnerable versions of @docusaurus/theme-common
        node_modules/@docusaurus/theme-classic
        @docusaurus/theme-common  *
        Depends on vulnerable versions of @docusaurus/mdx-loader
        Depends on vulnerable versions of @docusaurus/plugin-content-blog
        Depends on vulnerable versions of @docusaurus/plugin-content-docs
        Depends on vulnerable versions of @docusaurus/plugin-content-pages
        node_modules/@docusaurus/theme-common
    remark-mdx  <=1.6.22
    Depends on vulnerable versions of remark-parse
    node_modules/remark-mdx

21 vulnerabilities (8 moderate, 13 high)

@schatz do you know how to address these?

schatz was assigned by claudio.atzori 2022-10-04 13:58:47 +02:00
Member

As a starting point, I have updated to docusaurus v2.2.0 and run 'npm audit fix' that resulted in resolving some of the vulnerabilities.
Relevant PR: #16

However, others persist; so I do not close this issue. I have to take a closer look.

Member

As far as I understand, this is a known issue: https://github.com/facebook/docusaurus/issues/6394

In their response, they state that those vulnerabilities occur only during the building process and the client is not affected.

Member

Also tried to use `ncu` as mentioned here: https://stackoverflow.com/a/59158899/6938911
But it seems to break the building process.

Member

@claudio.atzori these vulnerabilities seem to refer to the building process of the documentation as mentioned in https://github.com/facebook/docusaurus/issues/6394#issuecomment-1015942459, therefore the client application is not affected. So, should we close this issue?

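The thread's conclusion rests on a distinction that `npm audit` does not draw on its own: whether a vulnerable package is reachable from the shipped dependency graph or only from build tooling. The script below is an added example, not code from this issue or from the Docusaurus project, showing how to make that distinction mechanically. It assumes the npm 7+ JSON layout (`npm audit --json` returns a top-level `vulnerabilities` object keyed by package name, each entry carrying `severity`, `range`, `via`, `fixAvailable`) and compares a full audit against one run with `--omit=dev`: anything missing from the second run is reachable only through `devDependencies`. The two sample audit objects are constructed to mirror the `got` and `trim` chains in the report above and are not captured output.

```javascript
'use strict';

// Added example: triage `npm audit --json` output by exposure.
// Assumes npm 7+ JSON layout. Inputs are the parsed outputs of
//   npm audit --json            -> fullAudit  (all dependencies)
//   npm audit --omit=dev --json -> prodAudit  (production dependencies only)

const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

function severityRank(s) {
  const i = SEVERITY_ORDER.indexOf(s);
  if (i < 0) throw new Error(`unknown severity: ${s}`);
  return i;
}

// Count findings by severity and by fix status. `fixAvailable` is `true`,
// `false`, or an object describing a fix that needs a semver-major bump.
function summarize(audit) {
  const vulns = Object.values(audit.vulnerabilities || {});
  const bySeverity = {};
  let fixable = 0, majorFix = 0, unfixable = 0;
  for (const v of vulns) {
    bySeverity[v.severity] = (bySeverity[v.severity] || 0) + 1;
    if (v.fixAvailable === true) fixable++;
    else if (v.fixAvailable && typeof v.fixAvailable === 'object') majorFix++;
    else unfixable++;
  }
  return { total: vulns.length, bySeverity, fixable, majorFix, unfixable };
}

// Advisory URLs sit in `via` entries that are objects; string entries just
// name the vulnerable dependency the package inherits the finding from.
function advisoryUrls(vuln) {
  return (vuln.via || [])
    .filter(x => typeof x === 'object' && x !== null && x.url)
    .map(x => x.url);
}

// A finding present in the full audit but absent from the --omit=dev audit is
// reachable only through devDependencies, i.e. the build toolchain.
function classifyExposure(fullAudit, prodAudit) {
  const prod = new Set(Object.keys(prodAudit.vulnerabilities || {}));
  const runtime = [], buildOnly = [];
  for (const name of Object.keys(fullAudit.vulnerabilities || {}).sort()) {
    (prod.has(name) ? runtime : buildOnly).push(name);
  }
  return { runtime, buildOnly };
}

// Release gate: runtime-reachable findings at or above `minSeverity` block a
// release. Fixable ones are listed as well, since the fix should land first.
function releaseBlockers(fullAudit, prodAudit, minSeverity) {
  const { runtime } = classifyExposure(fullAudit, prodAudit);
  const min = severityRank(minSeverity);
  return runtime
    .map(name => fullAudit.vulnerabilities[name])
    .filter(v => severityRank(v.severity) >= min)
    .map(v => ({
      name: v.name,
      severity: v.severity,
      fixAvailable: v.fixAvailable === true,
      advisories: advisoryUrls(v),
    }));
}

// Constructed sample data (not real audit output): the `got` chain has no fix,
// the `trim` chain is fixable via `npm audit fix`, matching the report above.
const FULL_AUDIT = {
  vulnerabilities: {
    got: { name: 'got', severity: 'moderate', range: '<11.8.5', fixAvailable: false,
      via: [{ url: 'https://github.com/advisories/GHSA-pfrx-2q88-qq97' }] },
    'package-json': { name: 'package-json', severity: 'moderate', range: '<=6.5.0',
      fixAvailable: false, via: ['got'] },
    trim: { name: 'trim', severity: 'high', range: '<0.0.3', fixAvailable: true,
      via: [{ url: 'https://github.com/advisories/GHSA-w5p7-h5w8-2hfq' }] },
    'remark-parse': { name: 'remark-parse', severity: 'high', range: '<=8.0.3',
      fixAvailable: true, via: ['trim'] },
  },
};
// Constructed: assume only the `got` chain is reachable from `dependencies`.
const PROD_AUDIT = {
  vulnerabilities: {
    got: FULL_AUDIT.vulnerabilities.got,
    'package-json': FULL_AUDIT.vulnerabilities['package-json'],
  },
};

console.log('summary:', summarize(FULL_AUDIT));
console.log('exposure:', classifyExposure(FULL_AUDIT, PROD_AUDIT));
console.log('blockers (>= high):', releaseBlockers(FULL_AUDIT, PROD_AUDIT, 'high'));
console.log('blockers (>= moderate):', releaseBlockers(FULL_AUDIT, PROD_AUDIT, 'moderate'));
```

To use it on a real project, run `npm audit --json > full.json` and `npm audit --omit=dev --json > prod.json` (older npm 7 releases spell the second flag `--production`), `JSON.parse` both files and pass them to `classifyExposure` and `releaseBlockers`. For a static-site generator such as Docusaurus the build output is HTML and bundled assets, so the `--omit=dev` split tells you whether a finding affects only the build host and CI or also anything that runs `node_modules` in production; the ReDoS in `trim` or the redirect issue in `got` matter on the build machine, which is a weaker exposure than a finding in a deployed Node service but not zero, and the gate above is where a team decides which severity it is willing to ship with.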
Reference: D-Net/openaire-graph-docs#1