
1 vulnerability required manual review and could not be updated #10176

Open
usama-asfar opened this issue Jul 7, 2019 · 4 comments

Comments

5 participants
@usama-asfar

commented Jul 7, 2019

OS: ubuntu 18.04.2 LTS
NPM: 6.9.0
babel-cli: "^6.26.0",

usama@usama:~/Documents/Project/Back-End/apollo-gql-api$ npm audit fix
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

up to date in 10.115s
fixed 0 of 1 vulnerability in 3834 scanned packages
  1 vulnerability required manual review and could not be updated


usama@usama:~/Documents/Project/Back-End/apollo-gql-api$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ babel-cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ babel-cli > chokidar > anymatch > micromatch > braces        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 3834 scanned packages
  1 vulnerability requires manual review. See the full report for details.


@babel-bot

Collaborator

commented Jul 7, 2019

Hey @usama-asfar! We really appreciate you taking the time to report an issue. The collaborators
on this project attempt to help as many people as possible, but we're a limited number of volunteers,
so it's possible this won't be addressed swiftly.

If you need any help, or just have general Babel or JavaScript questions, we have a vibrant Slack community that typically always has someone willing to help. You can sign-up here for an invite.

@jpike88


commented Jul 12, 2019

This should be as simple as a dependency update...?

@nicolo-ribaudo

Member

commented Jul 12, 2019

Yes, but we will only release new v6 versions for critical security vulnerabilities. This has been fixed in Babel 7.

This vulnerability only affects babel-cli --watch. Since babel-cli --watch is only used during development/deployment, the only way an attacker could use this vulnerability to DoS you is by changing the paths you are passing to Babel as a CLI argument.

It should run something like this:

babel --watch FAKE_FS_GLOB_WITH_MALICIOUS_{}_GROUPING

But if the attacker can run an arbitrary command, you have bigger problems 😛

For this reason, this vulnerability is even lower for Babel users than how it is specified in the report.

For reference, this is the braces bug fix: micromatch/braces@abdafb0
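As an added example, not code from the Babel project or from this thread, the triage the comment above performs by hand (dev-only path, installed braces still below the patched range, fix only reachable by upgrading the top-level babel-cli) expressed over an `npm audit --json` report. The npm 6 JSON layout and the block/track policy are assumptions; the input is constructed from the table in the issue.

```javascript
// Added example, not code from Babel or this thread: triage an
// `npm audit --json` report (npm 6 format, assumption) the way the
// maintainer did above. SAMPLE_AUDIT is constructed from the issue's table.
const SAMPLE_AUDIT = {
  advisories: {
    "786": {
      id: 786, module_name: "braces", severity: "low",
      title: "Regular Expression Denial of Service",
      patched_versions: ">=2.3.1",
      findings: [{ version: "2.3.0", dev: true, optional: false,
        paths: ["babel-cli>chokidar>anymatch>micromatch>braces"] }],
    },
  },
};

// Minimal version compare; plain x.y.z only (no pre-release tags).
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Only the ">=x.y.z" range form used by advisory 786 is supported.
function satisfiesPatched(version, range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error("unsupported range: " + range);
  return cmpVersion(version, m[1]) >= 0;
}

// One record per finding. Policy (assumption): an unpatched runtime
// dependency blocks; an unpatched dev-only one is tracked until the
// top-level dependency (here babel-cli) can be upgraded.
function triage(audit) {
  const out = [];
  for (const adv of Object.values(audit.advisories)) {
    for (const f of adv.findings) {
      const patched = satisfiesPatched(f.version, adv.patched_versions);
      const devOnly = f.dev === true;
      out.push({
        id: adv.id, module: adv.module_name, severity: adv.severity,
        root: f.paths[0].split(">")[0], devOnly, patched,
        action: patched ? "none" : devOnly ? "track" : "block",
      });
    }
  }
  return out;
}
```

Run it with `triage(JSON.parse(fs.readFileSync("audit.json")))` on a saved report; for the sample above it yields a single "track" record rooted at babel-cli.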

@JLHwung

Contributor

commented Jul 12, 2019

I have set up a repo, installed babel/cli 7.5, and it turns out there are 22 prototype pollution reports that come from chokidar 2 only.

Recently chokidar has released v3 with far fewer dependencies and better performance. Hopefully we can get rid of the affected dependency by upgrading chokidar to v3.

However, chokidar v3 dropped Node.js 6 support, which should be a reason why we would not update chokidar to v3 on Babel 7.

@nicolo-ribaudo Should we target chokidar v3 upgrade to Babel 8?

@nicolo-ribaudo nicolo-ribaudo added i: 6.0 and removed i: bug labels Jul 13, 2019
