Security update needed: mongodb #2079

Closed
abea opened this issue Nov 11, 2019 · 12 comments
Labels
bug

Comments

@abea abea commented Nov 11, 2019

npm audit is throwing high severity warnings for mongodb. It looks like we would need to update to mongodb@3.3.3 to resolve those, and we're currently on "mongodb": "^2.2.36". Clearly possible breaking changes.

We probably need to update apostrophe-db-mongo-3-driver as well, though easier there.

@abea abea added the bug label Nov 11, 2019
@boutell boutell closed this Nov 11, 2019
@abea abea commented Nov 11, 2019

Do we know the new warnings are the same thing? If they're whitelisted why would they still be flagged? The issue at the moment is that high severity warnings are being displayed, at the very least impacting comfort with the package.

@abea abea reopened this Nov 11, 2019
@abea abea closed this Nov 11, 2019
@abea abea reopened this Nov 11, 2019
@abea abea commented Nov 11, 2019

So I understand now we have the whitelist in GitHub for that audit warning. This was raised by someone in the forums, so I worry it's going to affect faith in the project.

@boutell boutell commented Nov 11, 2019

@boutell boutell commented Nov 21, 2019

I opened an RFC on this. It's an upstream issue we can't fix here (short of a bc break).

@boutell boutell closed this Nov 21, 2019
@bobclewell bobclewell commented Nov 25, 2019

@boutell Am I reading this right? It was whitelisted to hide it which worked for a certain version, but then un-whitelisted again?

@abea abea commented Nov 25, 2019

I think the whitelist is only for GitHub. So GitHub has its own security warnings, which are suppressed by whitelisting. There's no such whitelisting for NPM, so that warning remains.

@boutell boutell commented Nov 25, 2019

Yes, this is a bad developer relations problem. cc @agilbert @localghost443

There is no whitelist for GitHub and no whitelist for npm audit... there's just a whitelist we created for our own "npm run audit" project-level npm task, which generates a JSON report from npm audit, removes anything on our own whitelist, and decides whether there is still a problem. This is great for our own use in regression testing but completely unsatisfying psychologically for developers, who are still being scared off every time they "npm install" for the first time.

These are the possible resolutions:

  • Convince npm to implement a safelist feature (as discussed with them by many parties, it may happen)
  • Write a 100% 2.x driver compatible wrapper for the 3.x driver, and use that in apostrophe 2.x. There are backwards incompatible differences, we would have to wrap them all, or enough, and use this audit failure as justification for small frustrations resulting from our actions
  • Finish apostrophe 3.x, making this an issue only for the much smaller audience that will be doing long term 2.x support and likely be patient with explanations like this one
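
How a project-level audit filter of the kind described in the comment above can work, as an added example that is not Apostrophe's own "npm run audit" task and not code from this thread: it takes an `npm audit --json` report in the npm 6 shape (`advisories` keyed by id, the format npm produced when this thread was written), removes advisories that are on an allowlist, and fails only when something at or above a chosen severity remains. The report, the advisory ids, the package names and the allowlist entries are all constructed for the example; the expiry field on allowlist entries is an assumption of this example, not something the thread mentions.

```javascript
// Added example, not Apostrophe's own "npm run audit" task: read an
// `npm audit --json` report, drop advisories on a project-level allowlist,
// and decide whether anything at or above a severity threshold remains.
// The report shape follows the npm 6 format (`advisories` keyed by id).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report. Advisory ids, package names and versions are
// placeholders and do not correspond to real advisories.
const SAMPLE_REPORT = {
  advisories: {
    '1001': {
      id: 1001, module_name: 'example-driver', severity: 'high',
      title: 'Placeholder high-severity finding',
      findings: [{ version: '2.2.36', paths: ['example-driver'] }],
    },
    '1002': {
      id: 1002, module_name: 'example-dev-tool', severity: 'moderate',
      title: 'Placeholder moderate finding',
      findings: [{ version: '1.0.0', paths: ['example-dev-tool'] }],
    },
    '1003': {
      id: 1003, module_name: 'example-lib', severity: 'critical',
      title: 'Placeholder critical finding',
      findings: [{ version: '0.9.0', paths: ['example-lib'] }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1 } },
};

// Hypothetical allowlist (constructed). Each suppression carries a reason and
// an expiry so that an accepted risk is re-examined instead of hidden forever.
const SAMPLE_ALLOWLIST = [
  { id: 1001, reason: 'Upstream dependency; fix requires a bc break (tracked in RFC)', expires: '2020-06-30' },
  { id: 9999, reason: 'Stale entry for an advisory no longer reported', expires: '2019-01-01' },
];

// Ids of allowlist entries that are still in force on the given date.
function activeAllowlist(allowlist, now) {
  return new Set(
    allowlist.filter(e => !e.expires || new Date(e.expires) > now).map(e => e.id),
  );
}

// Allowlist entries whose expiry has passed; these should be reviewed and
// either renewed with a fresh justification or deleted.
function expiredEntries(allowlist, now) {
  return allowlist.filter(e => e.expires && new Date(e.expires) <= now).map(e => e.id);
}

// Advisories from the report that are not covered by an active suppression.
function filterAdvisories(report, allowlist, now) {
  const allowed = activeAllowlist(allowlist, now);
  return Object.values(report.advisories || {}).filter(a => !allowed.has(a.id));
}

// Verdict for CI: `failed` is true when any remaining advisory is at or above
// `failOn` ('high' by default, so moderate findings are listed but tolerated).
function evaluateAudit(report, allowlist, failOn = 'high', now = new Date()) {
  const remaining = filterAdvisories(report, allowlist, now);
  const threshold = SEVERITY_RANK[failOn];
  const failing = remaining.filter(a => (SEVERITY_RANK[a.severity] || 0) >= threshold);
  return {
    remaining: remaining.map(a => a.id),
    failing: failing.map(a => ({ id: a.id, module: a.module_name, severity: a.severity })),
    expiredAllowlist: expiredEntries(allowlist, now),
    failed: failing.length > 0,
  };
}

// Stand-alone demo pinned to a fixed date so the sample allowlist behaves the
// same whenever it is run; a real task would `process.exit(1)` when `failed` is true.
const verdict = evaluateAudit(SAMPLE_REPORT, SAMPLE_ALLOWLIST, 'high', new Date('2019-11-25'));
console.log(JSON.stringify(verdict, null, 2));
```

Whether to suppress a given advisory is still a judgement call for the maintainers; what the expiry adds is that every suppression has to be re-justified, and `expiredAllowlist` surfaces entries that have lapsed rather than letting them quietly keep hiding a finding.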
@boutell boutell reopened this Nov 25, 2019
@boutell boutell commented Nov 25, 2019

(We have already written an optional apostrophe-mongo-3-driver module, but it requires changes to the developer's code because it doesn't try to paper over all of the incompatibilities. Also having it present in your project won't stifle the audit error because both versions of the module are then installed.)

@stuartromanek stuartromanek commented Nov 26, 2019

@boutell can you ballpark the effort on point 2: 100% 2.x driver compatible wrapper for the 3.x driver?

@boutell boutell commented Nov 26, 2019

@boutell boutell commented Jan 2, 2020

This got done, with emulate-mongo-2-driver.

@boutell boutell closed this Jan 2, 2020