fix(security): remove ip override (#1860)
* fix(security): remove ip override

- upgrade storybook
- remove other non required overrides
- update overrides docs

Issue: #1767

---------

Co-authored-by: Klaus Keller <66327622+Klaus-Keller@users.noreply.github.com>
donal-tobin-sap and Klaus-Keller committed Apr 30, 2024
1 parent 40b91f9 commit 2c4de8c
Showing 4 changed files with 1,261 additions and 356 deletions.
79 changes: 7 additions & 72 deletions docs/version-overrides.md
Expand Up @@ -24,6 +24,7 @@ This document lists the version overrides for vulnerable (nested) dependencies a
:warning: Attention :warning:
* `@adobe/css-tools`` is used in packages/ui-components > `@testing-library/jest-dom`, which can't be updated to the very latest version due peer dependency to react 18.

```
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate │ Axios Cross-Site Request Forgery Vulnerability │
├─────────────────────┼────────────────────────────────────────────────────────┤
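Review bot: the context line for `@adobe/css-tools` carries a stray second backtick (`@adobe/css-tools``) and the phrase "due peer dependency" is missing a word; since this file is being edited anyway, make it `@adobe/css-tools` and "due to a peer dependency on react 18".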
Expand All @@ -38,82 +39,13 @@ This document lists the version overrides for vulnerable (nested) dependencies a
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-wf5p-g6vw-rhxx │
└─────────────────────┴────────────────────────────────────────────────────────┘
```

Fix not available yet with latest @nrwl/nx-cloud

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate │ follow-redirects' Proxy-Authorization header kept │
│ │ across hosts │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package │ follow-redirects │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=1.15.5 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions │ >=1.15.6 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths │ . > @nrwl/nx-cloud@16.5.2 > nx-cloud@16.5.2 > │
│ │ axios@1.6.1 > follow-redirects@1.15.4 │
│ │ │
│ │ . > nx@16.4.0 > axios@1.6.1 > follow-redirects@1.15.4 │
│ │ │
│ │ examples\odata-cli > │
│ │ @sap-ux/axios-extension@link:../../packages/axios- │
│ │ extension > │
│ │ @sap-ux/btp-utils@link:../../packages/btp-utils > │
│ │ axios@1.6.1 > follow-redirects@1.15.4 │
│ │ │
│ │ ... Found 72 paths, run `pnpm why follow-redirects`
│ │ for more information │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
└─────────────────────┴────────────────────────────────────────────────────────┘

`follows-redirects upgrade` achieved by `axios` upgrade to 1.6.8

No fix for `@sap/bas-sdk` to upgrade `axios` to get the latest `follow-redirects` yet.

No fix available for `http-proxy` to upgrade to latest `follow-redirects`

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate │ NPM IP package incorrectly identifies some private IP │
│ │ addresses as public │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package │ ip │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ =2.0.0 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions │ >=2.0.1 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths │ packages\ui-components > storybook@7.4.3 > │
│ │ @storybook/cli@7.4.3 > @storybook/core-server@7.4.3 > │
│ │ ip@2.0.0 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-78xj-cgh5-2h22
└─────────────────────┴────────────────────────────────────────────────────────┘

`socks` updated to no longer use `ip`, but `socks-proxy-agent` not upgraded to use the latest `socks`

`@storybook/core-server` involves major version upgrade to consume the `ip` module fix

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high │ Path traversal in webpack-dev-middleware │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package │ webpack-dev-middleware │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=6.0.0 <6.1.2 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions │ >=6.1.2 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths │ packages/ui-components > │
│ │ @storybook/react-webpack5@7.4.3 > │
│ │ @storybook/builder-webpack5@7.4.3 > │
│ │ webpack-dev-middleware@6.1.1 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-wr3j-pwj9-hqq6
└─────────────────────┴────────────────────────────────────────────────────────┘

No fix available for `@storybook/builder-webpack5` to upgrade to latest `webpack-dev-middleware`

```
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate │ Denial of service while parsing a tar file due to lack │
│ │ of folders count validation │
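Review bot: the `@sap/bas-sdk>axios@<1.6.8` override is still present in package.json in this same commit, yet the follow-redirects table and its note "No fix for `@sap/bas-sdk` to upgrade `axios` to get the latest `follow-redirects` yet." fall inside the region this hunk removes; keep that sentence (or an equivalent one) so every override that remains in package.json has a documented reason, as the intro of this file promises.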
Expand All @@ -140,4 +72,7 @@ No fix available for `@storybook/builder-webpack5` to upgrade to latest `webpack
│ │ information │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-f5x3-32g6-xq36 │
└─────────────────────┴────────────────────────────────────────────────────────┘
└─────────────────────┴────────────────────────────────────────────────────────┘
```

Fix not available yet with latest @nrwl/nx-cloud
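Review bot: the bottom border `└─────…┘` of the tar table appears twice in this hunk; if the old line is only being replaced to fix trailing whitespace that is fine, but check that the rendered file does not end the table with two border lines. Moving "Fix not available yet with latest @nrwl/nx-cloud" after the closing fence is right, since it is the justification for the retained `nx-cloud>tar@<6.2.1` override.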
8 changes: 2 additions & 6 deletions package.json
Expand Up @@ -64,12 +64,8 @@
"overrides": {
"@testing-library/jest-dom>@adobe/css-tools@<4.3.2": ">=4.3.2",
"nx-cloud>axios@<1.6.8": ">=1.6.8",
"@sap/bas-sdk>axios@<1.6.8": ">=1.6.8",
"http-proxy>follow-redirects@<1.15.6": ">=1.15.6",
"socks-proxy-agent>socks@<2.8.1": ">=2.8.1",
"ip@<2.0.1": ">=2.0.1",
"webpack-dev-middleware": ">=6.1.2",
"tar@<6.2.1": ">=6.2.1"
"nx-cloud>tar@<6.2.1": ">=6.2.1",
"@sap/bas-sdk>axios@<1.6.8": ">=1.6.8"
}
}
}
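Review bot: besides `ip@<2.0.1`, this hunk also drops the `http-proxy>follow-redirects@<1.15.6`, `socks-proxy-agent>socks@<2.8.1` and `webpack-dev-middleware` overrides and narrows `tar@<6.2.1` to `nx-cloud>tar@<6.2.1`, while the docs removed in the same commit still say that no fix was available for `http-proxy` and that `socks-proxy-agent` had not moved to the fixed `socks`. Please confirm with `pnpm audit` (and `pnpm why follow-redirects`, `pnpm why tar`) that the resolved versions are >=1.15.6, >=2.8.1, >=6.1.2 and >=6.2.1 on every path without these overrides, and state that in the commit message; narrowing the tar override to the nx-cloud path leaves any other path to tar <6.2.1 unpatched.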
2 changes: 1 addition & 1 deletion packages/ui-components/package.json
Expand Up @@ -77,7 +77,7 @@
"require-from-string": "2.0.2",
"sass": "1.66.1",
"sass-loader": "13.3.2",
"storybook": "7.4.3",
"storybook": "7.6.18",
"storybook-addon-turbo-build": "2.0.1",
"style-loader": "3.3.3",
"ts-loader": "9.4.4",
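Review bot: the only visible change here is storybook 7.4.3 -> 7.6.18, a minor bump, yet the removed docs stated that `@storybook/core-server` needed a major version upgrade to consume the `ip` fix, and the removed `webpack-dev-middleware` override was justified by the path `@storybook/react-webpack5@7.4.3 > @storybook/builder-webpack5@7.4.3 > webpack-dev-middleware@6.1.1`; verify (e.g. `pnpm why ip`, `pnpm why webpack-dev-middleware`) that after this bump those packages resolve to ip >=2.0.1 and webpack-dev-middleware >=6.1.2, otherwise dropping the overrides reintroduces both advisories.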
