
[@wordpress/script]jest-dev-server has some severity vulnerabilities #56069

Open
stein2nd opened this issue Nov 13, 2023 · 1 comment
Labels

  • [Package] Scripts (/packages/scripts)
  • [Type] Bug (an existing feature does not function as intended)
  • [Type] Security (related to security concerns or efforts)

Comments

@stein2nd

Description

Running "npm audit" just reported these vulnerabilities:

axios 0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install @wordpress/scripts@18.0.1, which is a breaking change
node_modules/axios
wait-on >=5.0.0-rc.0
Depends on vulnerable versions of axios
node_modules/wait-on
jest-dev-server >=5.0.0
Depends on vulnerable versions of wait-on
node_modules/jest-dev-server
@wordpress/scripts >=18.1.0
Depends on vulnerable versions of jest-dev-server
node_modules/@wordpress/scripts

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

Step-by-step reproduction instructions

Delete the "node_modules" folder and "package-lock.json".
Next, execute "ncu", "ncu -u", "npm install --force", and "npm audit" in order.

Screenshots, screen recording, code snippet

[image attachment]

Environment info

System:

  • OS: macOS 14.1.1
  • CPU: (12) x64 Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
  • Memory: 135.64 MB / 32.00 GB
  • Shell: 3.2.57 - /bin/bash

Binaries:

  • Node: 21.1.0 - ~/.nodebrew/current/bin/node
  • Yarn: 1.22.19 - ~/.nodebrew/current/bin/yarn
  • npm: 10.2.3 - ~/.nodebrew/current/bin/npm
  • pnpm: 8.6.12 - ~/.nodebrew/current/bin/pnpm

npmPackages:

  • @wordpress/scripts: ^26.16.0 => 26.16.0

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

No

@stein2nd stein2nd added the [Type] Bug An existing feature does not function as intended label Nov 13, 2023
@t-hamano t-hamano added [Package] Scripts /packages/scripts [Type] Security Related to security concerns or efforts labels Nov 13, 2023

galbus commented Nov 16, 2023

In our plugin repo Dependabot reports this vulnerability, and it cannot create a security update to fix it.

Dependabot cannot update axios to a non-vulnerable version
The latest possible version that can be installed is 0.25.0 because of the following conflicting dependency:

@wordpress/scripts@26.16.0 requires axios@^0.25.0 via a transitive dependency on wait-on@6.0.1

We tried temporarily switching from yarn to npm and running the suggested npm audit fix --force command, but for our project this only resulted in many more security vulnerabilities being reported (27 new ones).
