jQuery 3.4.0 reported as having vulnerability, but current Snyk DB shows that it's fine #8409
Comments
|
Yup everything you're saying looks correct. Snyk originally said this vuln affected ALL versions of jQuery. (The vulnerability in question) Team, we may have to ship a LH 4.3.1 to fix this. :/ |
|
@lirantal do you know why the jquery prototype pollution bug was originally marked as affecting all versions? Also do you know why we only got the revised vuln range 2 weeks later? |
|
3.4.0 is the newest jquery, so I guess snyk publishes vulns for newest versions of libs as * to catch future releases w/o the bug fix? eb0cc68#diff-7413e898991773eb5c8e74ee5458818bR60 was 15 days ago, pre jquery 4.3.0, so "*" was technically correct. But it doesn't play well with how we use snyk has a dependency. Any way we could change how we consume snyk to live-update the vuln database (w/o a release)? |
|
@hoten @paulirish 👋 does that explain it? |
|
Thanks for the explanation.
Looking at the dates, new jquery was shipped april 10th. I guess we just got unlucky with the bot's (apparent) weekly schedule? At the very least we'll be a lot more careful when we see vuln ranges that are "*" or ">=X". |
|
Since we ship to places we can't necessarily quickly update (e.g. DevTools), I wonder if we should have a LH test that fails if the database has The theory would be: if a new, still vulnerable version of the library comes out after that LH release, then it's better to have a false negative (given that there's no fix available anyways and there are other sources (github, npm, greenkeeper, etc) that will warn folks) than it is to have up to 12 weeks of a false positive (if a new, non-vulnerable version comes out) which would annoy folks and encourage them to ignore Lighthouse's warnings in the future. |
|
Big +1 to @brendankenny's solution. I'd much prefer a few temporary false negatives to some way to dynamically update LH from a remote URL we don't really have much control over. |
|
Indeed the weekly scheduled has missed it by a bit, and I also agree with @brendankenny as this is something we also do in the Node.js Security WG (use a <= upper boundary of last known version vs a * although tbh maybe for Node.js we should change that). Another thing to consider is perhaps to bump the update time to happen less than every week but I'm not sure what are the constraints for that (cc @aviadatsnyk) |
|
I don't know what the full considerations are, but we're happy to move to a model where users download the vulnerability snapshot from us (our CDN, obviously) on a regular basis, instead of getting it bundled. That way the info used would be more recent. |
|
Another option is just for us to open the vulnerabilities update PRs daily instead of weekly, if that is something that you think might work better. |
|
Thanks for the ideas @aviadatsnyk! The problem is we have several environments where it's not really an option to dynamically update from a remote URL, so even more frequent PRs wouldn't address this specific issue. |
brendankenny
changed the title
paulirish
changed the title
|
We fixed this with 4.3.1. Preventing a similar situation is tracked in #8748. |
Running Lighthouse 4.3.0 on Chrome Canary Version 75.0.3769.0 (Official Build) canary (64-bit).
OS: Windows 8.1
Site tested: https://ronsanfordproductions.com
Lighthouse complains:
However, according to the Snyk vulnerability DB, which is referenced as the source for the vulnerability check, jQuery@3.4.0 is free of vulnerabilities. See:
https://snyk.io/vuln/npm:jquery
So, Lighthouse isn't reading the current info from Snyk when disapproving of jQuery 3.4.0, it seems. This seems to be a bug.
The text was updated successfully, but these errors were encountered: