8 high severity vulnerabilities #1

Closed
grunch opened this issue Apr 13, 2023 · 5 comments
Comments

@grunch
Member

grunch commented Apr 13, 2023

This web app is using old libraries which have security issues. Building financial tools implies we should do everything in our hands to have better security, and using old libraries gives a big advantage to attackers. Here is the npm output:

$ npm audit
# npm audit report

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install nuxt@3.4.1, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/webpack/node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
          @nuxt/webpack  >=2.14.0
          Depends on vulnerable versions of webpack
          node_modules/@nuxt/webpack
            @nuxt/builder  >=2.14.0
            Depends on vulnerable versions of @nuxt/webpack
            node_modules/@nuxt/builder
            nuxt  2.14.0 - 2.16.3
            Depends on vulnerable versions of @nuxt/builder
            Depends on vulnerable versions of @nuxt/webpack
            node_modules/nuxt

8 high severity vulnerabilities

I have never worked with vue or nuxt, but just checking the package.json file I see nuxt: ^2.15.8 while the current version is 3.4.1; same with vue: ^2.7.10, whose current version is 3.2.47.

Please upgrade all libraries; we can't encourage users to use a vulnerable app and risk being hacked and losing sats.

@bilthon
Collaborator

bilthon commented Apr 13, 2023

Vue 2.7 is actually the latest in the 2.x series. Vue 3 introduced some breaking changes and new features I'm not completely familiar with, and thus I decided to start with Vue 2 to get moving fast.

That being said there was a lot of shuffling around I did with babel and other build tool versions in order to try to fix this issue with nostr-tools. In the end I ended up including it in the HTML for now but that could be the reason why we have so many vulnerabilities in the npm audit report.

This is definitely something that needs fixing before going live, and I'll come back to it as soon as I'm finished with the basic functionalities. If someone wants to contribute, this would be a nice first issue to tackle.

Also Vue 2 end of life is due by the end of 2023, so making the migration is something we'll have to put in the roadmap.

@grunch
Member Author

grunch commented Apr 13, 2023

Great, let's keep this open until we have a fix. This issue is blocking production, but we are not there yet.

@diazemiliano
Collaborator

diazemiliano commented Apr 14, 2023

I have fixed it here: #2
I'm proposing a switch to nuxt@3.

@bilthon
Collaborator

bilthon commented Apr 14, 2023

Thanks again for the contribution @diazemiliano. But I wanted to go a bit deeper into this issue, and here's what I could find. The problem, as you correctly point out in the PR, seems to be CVE-2021-35065. This is an issue with glob-parent 6.0.0. Now, looking closer at the dependency tree after doing an npm ls -a, we can see that glob-parent is used by two libraries:

Chokidar is a NodeJS library used as a replacement for fs.watch and is more likely used in the fresh reload feature used during development. Similarly fast-glob is a file system traversal tool. Being tools used at compile/dev-time in NodeJS, it is very unlikely that they would pose any risk to any final user.

Moreover, both libraries have dismissed the issue, claiming it to be a false positive since apparently glob-parent v5.1.2 is safe from CVE-2021-35065.

See here & here.

Issues with the vulnerability scanners and their databases are not that uncommon, and they can occur even after we migrate to vue 3. Regardless of all this, your PR did work without breaking stuff and obviously made the audit pass, so I think we can safely close this issue for now. Thanks again!

bilthon closed this as completed Apr 14, 2023
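The discussion above turns on two questions a defender wants answered before triaging an audit finding: which version of the flagged package is actually installed at the path npm reports, and whether that install is reachable from the project's production dependencies or only from its build/dev tooling. The following script is an added example, not code from this repository or from npm: it walks a cut-down package-lock.json v2/v3 "packages" map (constructed here to mirror the glob-parent chain in the audit report; the versions and the eslint dev dependency are assumptions) using Node's nested-resolution rule, rebuilds the dependency chain the way npm audit prints it, and labels each finding as production-reachable or dev-only.

```javascript
// Added example, not code from this repository: classify npm audit findings by
// whether the flagged install is reachable from "dependencies" (ships to users)
// or only from "devDependencies" (build/dev tooling), by walking a
// package-lock.json v2/v3 "packages" map with Node's nested-resolution rule.

// Constructed, cut-down lockfile shaped like the chain in the audit report above.
// Versions and the eslint devDependency are assumptions for the demo.
const LOCK = {
  packages: {
    "": {
      dependencies: { nuxt: "^2.15.8" },
      devDependencies: { eslint: "^8.0.0" },
    },
    "node_modules/nuxt": { version: "2.15.8", dependencies: { "@nuxt/builder": "2.15.8", "@nuxt/webpack": "2.15.8" } },
    "node_modules/@nuxt/builder": { version: "2.15.8", dependencies: { "@nuxt/webpack": "2.15.8" } },
    "node_modules/@nuxt/webpack": { version: "2.15.8", dependencies: { webpack: "^4.46.0" } },
    "node_modules/webpack": { version: "4.46.0", dependencies: { watchpack: "^1.7.4" } },
    "node_modules/webpack/node_modules/watchpack": { version: "1.7.5", dependencies: { "watchpack-chokidar2": "^2.0.1" } },
    "node_modules/watchpack-chokidar2": { version: "2.0.1", dependencies: { chokidar: "^2.1.8" } },
    "node_modules/watchpack-chokidar2/node_modules/chokidar": { version: "2.1.8", dependencies: { "glob-parent": "^3.1.0" } },
    "node_modules/watchpack-chokidar2/node_modules/glob-parent": { version: "3.1.0" },
    "node_modules/glob-parent": { version: "5.1.2" }, // hoisted, patched copy
    "node_modules/eslint": { version: "8.0.0", dependencies: { "glob-parent": "^5.1.2" } },
  },
};

// Node resolution: look in <from>/node_modules/<name>, then in each ancestor's
// node_modules up to the project root. Returns the lockfile path or null.
function resolveDep(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from a set of root dependency names. Returns a Map of
// reachable lockfile path -> parent path (null for roots) so chains can be rebuilt.
function reachableFrom(lock, rootDeps) {
  const parent = new Map();
  const queue = [];
  for (const name of Object.keys(rootDeps)) {
    const p = resolveDep(lock, "", name);
    if (p && !parent.has(p)) { parent.set(p, null); queue.push(p); }
  }
  while (queue.length) {
    const p = queue.shift();
    for (const dep of Object.keys(lock.packages[p].dependencies || {})) {
      const r = resolveDep(lock, p, dep);
      if (r && !parent.has(r)) { parent.set(r, p); queue.push(r); }
    }
  }
  return parent;
}

// Rebuild the root -> ... -> target chain (package names only), as npm audit prints it.
function chainTo(parent, target) {
  if (!parent.has(target)) return [];
  const chain = [];
  for (let p = target; p !== null; p = parent.get(p)) {
    chain.unshift(p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length));
  }
  return chain;
}

// Classify each finding (lockfile path of the flagged install) as "production"
// (reachable from dependencies), "dev-only" (only from devDependencies) or "unreachable".
function classifyFindings(lock, findings) {
  const root = lock.packages[""];
  const prod = reachableFrom(lock, root.dependencies || {});
  const dev = reachableFrom(lock, root.devDependencies || {});
  return findings.map((f) => {
    const scope = prod.has(f.path) ? "production" : dev.has(f.path) ? "dev-only" : "unreachable";
    const chain = chainTo(prod.has(f.path) ? prod : dev, f.path);
    return { ...f, version: lock.packages[f.path].version, scope, chain };
  });
}

// Constructed findings: the nested glob-parent the audit above flags, plus the
// hoisted copy that only eslint (a dev dependency here) resolves to.
const FINDINGS = [
  { name: "glob-parent", path: "node_modules/watchpack-chokidar2/node_modules/glob-parent" },
  { name: "glob-parent", path: "node_modules/glob-parent" },
];

for (const r of classifyFindings(LOCK, FINDINGS)) {
  console.log(`${r.name}@${r.version}: ${r.scope}  via ${r.chain.join(" > ")}`);
}
```

Two caveats a triage note should carry. First, install-time reachability is not runtime execution: in this constructed graph the nested glob-parent 3.1.0 is reachable from nuxt and is therefore labelled "production", even though chokidar's file watching is used by the dev server and not by the shipped bundle, which is the point bilthon makes above; the graph tells you where to look, not whether the code runs in front of users. Second, the reported version is the one the advisory must be matched against: the hoisted copy resolves to 5.1.2, so an advisory that names only versions before 5.1.2 does not apply to it, regardless of what a scanner's range says.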
@diazemiliano
Collaborator

Great, thanks. Yes, the vulnerability is solved in version 6.0.1.
The suggestion is to upgrade because it's more likely to have these fixes solved by the maintainers of nuxt or vue.
But we are fine now. Thanks again.
