
vulnerabilities found in dependencies #1623

Closed
10 tasks
DanielRuf opened this issue Oct 25, 2018 · 6 comments

Comments

@DanielRuf

Issue details

snyk found some vulnerabilities in dependencies of browser-sync.

✗ Low severity vulnerability found in braces
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/npm:braces:20180219
  Introduced through: browser-sync@2.26.3, gulp-load-plugins@1.5.0, gulp-cli@1.4.0, panini@1.5.1, webpack@2.7.0, gulp-imagemin@2.4.0, gulp@4.0.0-alpha.3, webpack-stream@3.2.0
  From: browser-sync@2.26.3 > micromatch@2.3.11 > braces@1.8.5
  From: gulp-load-plugins@1.5.0 > micromatch@2.3.11 > braces@1.8.5
  From: gulp-load-plugins@1.5.0 > findup-sync@0.4.3 > micromatch@2.3.11 > braces@1.8.5
  and 22 more...
  Remediation:
    Your dependencies are out of date, otherwise you would be using a newer version of braces. 
    Try deleting node_modules, reinstalling and running `snyk test` again. If the problem persists, one of your dependencies may be bundling outdated modules.

✗ Medium severity vulnerability found in ua-parser-js
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/npm:ua-parser-js:20180227
  Introduced through: browser-sync@2.26.3
  From: browser-sync@2.26.3 > ua-parser-js@0.7.17

✗ Medium severity vulnerability found in chownr
  Description: Time of Check Time of Use (TOCTOU)
  Info: https://snyk.io/vuln/npm:chownr:20180731
  Introduced through: browser-sync@2.26.3, gulp@4.0.0-alpha.3, webpack@2.7.0, webpack-stream@3.2.0
  From: browser-sync@2.26.3 > chokidar@2.0.4 > fsevents@1.2.4 > node-pre-gyp@0.10.3 > tar@4.4.6 > chownr@1.1.1
  From: gulp@4.0.0-alpha.3 > glob-watcher@4.0.0 > chokidar@1.7.0 > fsevents@1.2.4 > node-pre-gyp@0.10.3 > tar@4.4.6 > chownr@1.1.1
  From: webpack@2.7.0 > watchpack@1.4.0 > chokidar@1.7.0 > fsevents@1.2.4 > node-pre-gyp@0.10.3 > tar@4.4.6 > chownr@1.1.1
  and 1 more...

Steps to reproduce/test case

Run a snyk audit against the latest version of browser-sync.

Please specify which version of Browsersync, node and npm you're running

  • Browsersync [ ]
  • Node [ ]
  • Npm [ ]

Affected platforms

  • linux
  • windows
  • OS X
  • freebsd
  • solaris
  • other (please specify which)

Browsersync use-case

  • API
  • Gulp
  • Grunt
  • CLI
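
The report above is the plain-text output of `snyk test`. As an added example (not code from browser-sync or from the snyk CLI), the following script parses that layout into structured findings and summarizes them by severity and by the top-level dependency that introduces each one, which is the first thing a maintainer needs when deciding whether a finding is reachable only through a dev-time tool. The sample report embedded in the script is constructed to match the issue's output; `SAMPLE_REPORT`, `parseSnykReport` and `summarize` are names chosen here.

```javascript
// Added example for this issue (not code from browser-sync or the snyk CLI):
// turn the plain-text `snyk test` report quoted above into structured findings
// so they can be triaged: vulnerable package, severity, which top-level
// dependency pulls it in, and how deep in the tree it sits.

// Constructed sample in the same layout as the report in the issue.
const SAMPLE_REPORT = `
✗ Low severity vulnerability found in braces
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/npm:braces:20180219
  Introduced through: browser-sync@2.26.3, gulp-load-plugins@1.5.0
  From: browser-sync@2.26.3 > micromatch@2.3.11 > braces@1.8.5
  From: gulp-load-plugins@1.5.0 > micromatch@2.3.11 > braces@1.8.5
  and 22 more...

✗ Medium severity vulnerability found in ua-parser-js
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/npm:ua-parser-js:20180227
  Introduced through: browser-sync@2.26.3
  From: browser-sync@2.26.3 > ua-parser-js@0.7.17
`;

const HEADER = /^✗ (\w+) severity vulnerability found in (\S+)$/;
const MORE = /^and (\d+) more/;

// "name@version" -> "name"; searching from the right keeps scoped names like "@scope/pkg" intact.
function stripVersion(spec) {
  const at = spec.lastIndexOf('@');
  return at > 0 ? spec.slice(0, at) : spec;
}

// Value after a "Key: " prefix, or null when the line does not start with it.
function after(line, prefix) {
  return line.startsWith(prefix) ? line.slice(prefix.length) : null;
}

function parseSnykReport(text) {
  const findings = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const head = HEADER.exec(line);
    if (head) {
      current = { severity: head[1].toLowerCase(), pkg: head[2], description: '', info: '',
                  introducedThrough: [], paths: [], hiddenPaths: 0 };
      findings.push(current);
      continue;
    }
    if (!current) continue; // text before the first finding (e.g. "Testing ...")
    let v;
    if ((v = after(line, 'Description: ')) !== null) current.description = v;
    else if ((v = after(line, 'Info: ')) !== null) current.info = v;
    else if ((v = after(line, 'Introduced through: ')) !== null) current.introducedThrough = v.split(',').map(s => s.trim());
    else if ((v = after(line, 'From: ')) !== null) current.paths.push(v.split(' > ').map(s => s.trim()));
    else if (MORE.test(line)) current.hiddenPaths = Number(MORE.exec(line)[1]); // paths snyk elided
  }
  return findings;
}

function summarize(findings) {
  const bySeverity = {};
  const byIntroducer = {}; // top-level dependency -> vulnerable packages it pulls in
  let deepest = 0;         // most hops below a top-level dependency seen in any path
  for (const f of findings) {
    bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
    for (const top of f.introducedThrough) {
      const name = stripVersion(top);
      (byIntroducer[name] = byIntroducer[name] || new Set()).add(f.pkg);
    }
    for (const p of f.paths) deepest = Math.max(deepest, p.length - 1);
  }
  for (const k of Object.keys(byIntroducer)) byIntroducer[k] = [...byIntroducer[k]].sort();
  return { bySeverity, byIntroducer, deepest };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(summarize(parseSnykReport(SAMPLE_REPORT)), null, 2));
}
```

Running it on the constructed sample shows both findings reachable through browser-sync and one of them also through gulp-load-plugins, so fixing browser-sync alone would not clear the braces finding. Deep paths (several hops through micromatch, fsevents, node-pre-gyp, tar) are the ones a consumer can rarely fix by upgrading a direct dependency, which is why the report's remediation hint points at stale `node_modules` first.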
@Berkmann18

Berkmann18 commented Dec 31, 2018

I'm facing the same issue.

✗ Low severity vulnerability found in braces
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/npm:braces:20180219
  Introduced through: browser-sync@2.26.3
  From: browser-sync@2.26.3 > micromatch@2.3.11 > braces@1.8.5
✗ Medium severity vulnerability found in ua-parser-js
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/npm:ua-parser-js:20180227
  Introduced through: browser-sync@2.26.3
  From: browser-sync@2.26.3 > ua-parser-js@0.7.17
✗ Medium severity vulnerability found in chownr
  Description: Time of Check Time of Use (TOCTOU)
  Info: https://snyk.io/vuln/npm:chownr:20180731
  Introduced through: browser-sync@2.26.3
  From: browser-sync@2.26.3 > chokidar@2.0.4 > fsevents@1.2.4 > node-pre-gyp@0.10.0 > tar@4.4.1 > chownr@1.0.1

This is taken from a TravisCI build, which also shows up on GNU/Linux.

@DanielRuf
Author

In general, these are not critical issues for the dev build on your side and for solutions which are not using the vulnerable code in production.

@Berkmann18

Berkmann18 commented Dec 31, 2018

@DanielRuf True, but the output above is shown from a project that uses BrowserSync as a dependency, so it's definitely a production matter.
Mind you, I could just ignore that or remove that dependency and use something else, but that would be unnecessarily annoying.

@DanielRuf
Author

BrowserSync as a dependency so it's definitely a production matter.

Not as a devDependency, as is recommended? You can also install just the normal dependencies (the exact command switches depend on the tool used).

@Berkmann18

@DanielRuf I would have used it as a devDependency if I didn't have to do things like:

// Start browser-sync only when the "browser" flag is set (app setting or BROWSER env var) and HTTPS is enabled.
let browserOn = server.app.get('browser') || process.env.BROWSER;
if (browserOn && cfg.opts.useHttps) {
  require('browser-sync')({
    proxy: `localhost:${cfg.port}`,   // proxy the running server
    files: ['public/**/*.{js,css}']   // reload the browser when these assets change
  });
}

In a server file where I use an NPM script as follows:

"browser": "BROWSER=true node ./bin/w3.js",

But then, there's probably a better way which would avoid having to worry about the several vulnerabilities this package had since I started using it.

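The snippet in the comment above requires browser-sync unconditionally once the flag is set, so the package has to be a regular dependency and its transitive tree ships to production. As an added example (not the commenter's code or browser-sync's), the version below keeps the same gate but loads the module lazily and treats "not installed" as a normal outcome, so browser-sync can sit in devDependencies and a production install that omits dev packages simply skips it. The `loader` parameter is injected so the decision logic can be exercised without the real module; `env` and `cfg` stand in for `process.env` and the config object in the comment and are assumptions of this example, as is the `NODE_ENV` check.

```javascript
// Added example (not code from the issue's commenters or from browser-sync):
// keep a dev-only tool in devDependencies and load it lazily, so that a
// production install without dev packages does not crash at startup.
// `loader` defaults to `require` but is injectable for tests; `env` and `cfg`
// mirror process.env and the config object in the comment above (assumptions).

function wantsDevProxy(env, cfg) {
  // Refuse to start the dev proxy in production even if the flag is set.
  if (env.NODE_ENV === 'production') return { ok: false, reason: 'NODE_ENV=production' };
  if (!env.BROWSER) return { ok: false, reason: 'BROWSER not set' };
  if (!cfg || !cfg.opts || !cfg.opts.useHttps) return { ok: false, reason: 'useHttps disabled' };
  return { ok: true };
}

function startDevProxy(env, cfg, loader = require) {
  const gate = wantsDevProxy(env, cfg);
  if (!gate.ok) return { started: false, reason: gate.reason };

  let browserSync;
  try {
    browserSync = loader('browser-sync');
  } catch (err) {
    // Missing module means the devDependency was not installed: expected in production.
    if (err && err.code === 'MODULE_NOT_FOUND') {
      return { started: false, reason: 'browser-sync not installed (devDependency omitted)' };
    }
    throw err; // anything else is a real error
  }

  const options = {
    proxy: `localhost:${cfg.port}`,
    files: ['public/**/*.{js,css}']
  };
  browserSync(options);
  return { started: true, options };
}
```

With this shape the npm script from the comment (`BROWSER=true node ./bin/w3.js`) keeps working in development, while `npm install --production` (or the equivalent switch of the tool in use) leaves the vulnerable transitive packages out of the deployed tree entirely.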
@shakyShane
Contributor

fixed in 2.26.4 :)
