
browser-sync npm audit warning #1164

Closed
zachleat opened this issue May 10, 2020 · 9 comments
Labels: bug: dependency (A problem in one of Eleventy’s dependencies), npm-audit (Security audits from npm)

Comments

@zachleat (Member)

                      === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @11ty/eleventy [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @11ty/eleventy > browser-sync > localtunnel > yargs >        │
│               │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @11ty/eleventy [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @11ty/eleventy > browser-sync > yargs > yargs-parser         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

At time of opening (0.11.0 release day) we are on the latest version of browser-sync.

zachleat added the labels bug: dependency (A problem in one of Eleventy’s dependencies) and npm-audit (Security audits from npm) on May 10, 2020

@karlyanelson

I'm getting the same warnings for yargs-parser, with the addition of a High vulnerability warning for http-proxy.

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @11ty/eleventy [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @11ty/eleventy > browser-sync > http-proxy                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1486                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 vulnerabilities (2 low, 1 high) in 533 scanned packages

@wasurocks

Still not fixed as of now.

zachleat changed the title from "yargs-parser npm audit warning" to "browser-sync npm audit warning" on May 16, 2020

@zachleat (Member, Author) commented May 16, 2020

Do note that browser-sync is intended for development purposes only—do not run this in production!

We are on the latest browser-sync. These have been filed upstream at browser-sync here:
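
The two `npm audit` tables pasted in this thread are the only record of what the audit found, and the triage question the thread keeps circling back to (is there a patched range, and is the only path to the vulnerable package through a `[dev]` dependency?) can be answered mechanically from them. As an added example that is not code from this issue or from the Eleventy project, here is a small Node script that parses the boxed report format npm 6 prints and triages each finding. The sample report is constructed from the tables above (the first yargs-parser entry, with its wrapped "Path" row, and the http-proxy entry); the field names and the triage labels are this example's own convention, not npm's.

```javascript
// Added example, not code from the Eleventy project or this issue thread.
// Parses the boxed table format that npm 6's `npm audit` prints (as pasted in
// the thread) and triages each finding by patch availability and dev-only reach.

// Constructed sample: two tables copied from the thread above.
const SAMPLE_REPORT = `
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @11ty/eleventy [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @11ty/eleventy > browser-sync > localtunnel > yargs >        │
│               │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @11ty/eleventy [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @11ty/eleventy > browser-sync > http-proxy                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1486                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
`;

const SEVERITIES = new Set(['Low', 'Moderate', 'High', 'Critical']);
// Row labels npm uses, mapped to the property names this example stores them under.
const KEYS = { 'Package': 'package', 'Patched in': 'patchedIn',
               'Dependency of': 'dependencyOf', 'Path': 'path', 'More info': 'moreInfo' };

// A row whose first cell is a severity opens a new finding; a row with an empty
// first cell continues the previous value (npm wraps long "Path" values).
function parseAuditReport(text) {
  const findings = [];
  let current = null;
  let lastKey = null;
  for (const line of text.split('\n')) {
    if (!line.startsWith('│')) continue; // borders, blank lines, summary line
    const cells = line.split('│').map((c) => c.trim());
    const key = cells[1];
    const value = cells[2] || '';
    if (SEVERITIES.has(key)) {
      current = { severity: key, title: value };
      findings.push(current);
      lastKey = null;
    } else if (current === null) {
      continue; // the "Manual Review" banner box precedes any finding
    } else if (key === '' && lastKey !== null) {
      current[lastKey] += ' ' + value; // wrapped continuation row
    } else if (KEYS[key]) {
      lastKey = KEYS[key];
      current[lastKey] = value;
    }
  }
  return findings;
}

// Triage labels are this example's own convention, not npm's.
function triage(findings) {
  return findings.map((f) => {
    const devOnly = /\[dev\]/.test(f.dependencyOf || '');
    const patchAvailable = !/^no patch available$/i.test(f.patchedIn || '');
    let action;
    if (!patchAvailable) action = 'no fix available; track upstream';
    else if (devOnly) action = 'dev-only; resolve when the upstream dependency bumps';
    else action = 'reachable in production; update now';
    return { package: f.package, severity: f.severity, devOnly, patchAvailable,
             chain: (f.path || '').split(' > '), action };
  });
}

function printTriage(text) {
  for (const t of triage(parseAuditReport(text))) {
    console.log(`${t.severity.padEnd(8)} ${t.package.padEnd(14)} ${t.action}  [${t.chain.join(' > ')}]`);
  }
}

printTriage(SAMPLE_REPORT);
```

Run with `node` on a saved `npm audit` report (npm 6 format) instead of the constructed sample to get the same per-finding line; the useful signal is the combination of "no patch available" with a dev-only chain, which is exactly the http-proxy situation the thread waited out.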

@sjml commented May 27, 2020

browser-sync looks like it might be unmaintained... hasn't had any commits in almost a year, and the maintainer seems like he has his plate pretty full with a day job.

A lot of other options for live reload (or it's not terribly hard to implement from scratch), but I'm guessing the actual syncing of pages between browsers is not something folks would want to give up (and is a far bigger pain to implement).

Since it's only on the dev side, maybe it's ok to wait for a bit and see if browser-sync updates, but it might be worth exploring other options in case that doesn't happen.

@besenwagen commented Jun 28, 2020

Another strategy would be to not tightly couple development utilities and core build functionality into a single package. That would also make use cases more flexible.

Example: I just gave it a try in a Node container with WSL. Browsersync watch doesn't work at all (quick search revealed a WSL fork in the npm registry) and prints useless info to the console (the Access URLs in a container are unlikely to be interesting unless you have an X server and browser installed there ;-).

PS: I came here because of the audit issue, I hadn't even configured/used the browsersync part until then.

@zachleat (Member, Author) commented Jul 7, 2020

Filed #1305 to start the search for alternatives.

If we end up self implementing, I don’t think we’ll probably implement the ghost mode feature from browser-sync—at least not for the first release. Personally I don’t find it to be super valuable.

@saraspaudel

Looks like a patch was issued for http-proxy DOS.

npm audit output

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.18.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @11ty/eleventy [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @11ty/eleventy > browser-sync > http-proxy                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1486                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@zachleat (Member, Author)

Yay BrowserSync/browser-sync#1764 was fixed

@zachleat (Member, Author)

Not sure why this is still open but I did double check that there are no audit vulnerabilities.

Closing!



6 participants