Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

6 high severity vulnerabilities when running npm install netlify-cms-app #6513

Open
amyhenke opened this issue Jul 12, 2022 · 9 comments
Open

6 high severity vulnerabilities when running npm install netlify-cms-app #6513

amyhenke opened this issue Jul 12, 2022 · 9 comments
Labels
pinned

Comments

@amyhenke
Copy link 

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
No fix available
node_modules/trim
  mdast-util-to-hast  <=6.0.2
  Depends on vulnerable versions of trim
  node_modules/netlify-cms-widget-markdown/node_modules/mdast-util-to-hast
    remark-rehype  <=5.0.0
    Depends on vulnerable versions of mdast-util-to-hast
    node_modules/netlify-cms-widget-markdown/node_modules/remark-rehype
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/netlify-cms-widget-markdown/node_modules/remark-parse
    netlify-cms-widget-markdown  *
    Depends on vulnerable versions of remark-parse
    node_modules/netlify-cms-widget-markdown
      netlify-cms-app  *
      Depends on vulnerable versions of netlify-cms-widget-markdown
      node_modules/netlify-cms-app

Are there any plans to upgrade these packages? Also reported here: https://snyk.io/test/npm/netlify-cms
@changethe
Copy link

this also makes installing the netlify-cms-media-library-uploadcare package fail.

@tomhermans
Copy link

Yup, came here to report the same. netlifycms unusable atm

@amanifarooque
Copy link

Following this issue as well. This vulnerability was reported via Dependabot 10 months ago - are there plans to resolve?

@tomasz13nocon
Copy link

I know there's work being done to refactor and revive the project, but since this is a security vuln, I hope for this to be a top priority.

@jcweaver
Copy link

Following this issue as well. Still experiencing this reported issue as of 6/12/2023

@schaefsteven schaefsteven mentioned this issue Aug 30, 2023
Closed
@kl-ma
Copy link

kl-ma commented Dec 5, 2023

There is also a vulnerability reported for validate-package when installing the latest version of decap-cms:

✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-VALIDATECOLOR-2935878] in validate-color@2.2.4
    introduced by decap-cms-app@3.0.12 > decap-cms-widget-colorstring@3.0.2 > validate-color@2.2.4
  No upgrade or patch available

@martinjagodic martinjagodic mentioned this issue Dec 6, 2023
Closed
@afredericksansait
Copy link

Same issue as well in 2024

@andreasnilssondev
Copy link

andreasnilssondev commented Apr 11, 2024
edited
Loading

Since this has been open for a while I might have a look to see if it's easy to add a PR for this

@andreasnilssondev
Copy link

Since this has been open for a while I might have a look to see if it's easy to add a PR for this

UPDATE: Unfortunately it's not so easy. I think it's a bit too much for a first-time contributor (like me). But I'll gather everything including release info links below to hopefully make it easier for the next person who wants to tackle this.

The concerned package is decap-cms-widget-markdown

Step 1: remark-rehype

remark-rehype is currently v4 and needs a major bump to v6.

  1. remark-rehype v5 release info: (It only updates mdast-util-to-hast from v4 to v6)
    1. mdast-util-to-hast v5 release info and mdast-util-to-hast v6 release info. Some minor changes that are difficult to identify if they will affect decap-cms or not.
  2. remark-rehype v6 release info (The only (potentially) breaking is upgrading mdast-util-to-hast from v6 to v8
    1. mdast-util-to-hast v7 release info (trim dependency is removed here)
      1. updates unist-util-visit and unist-builder from v1 to v2: unist-util-visit v2 release info and unist-builder v2 release info both updates their typings only.
    2. mdast-util-to-hast v8 release info (updates mdast-util-definitions from v1 to v2, potentially breaking with typescript)
      1. mdast-util-definitions v2 release info (updates unist-util-visit from v1 to v2)
        1. unist-util-visit v2 release info (updates types only, potentially breaking types)
  • Command run: npm install remark-rehype@6 -w decap-cms-widget-markdown
  • Test results: Pass ✅

Step 2: remark-parse

remark-parse is currently v6 and needs a bump to v9

  1. remark-parse v7 release info ("the fixes are technically breaking but you’re likely fine.")
  2. remark-parse v8 release info (some breaking changes for links and footnotes (hard to tell if it affects decap-cms or not)
  3. remark-parse v9 release info (Very large update of remark (v13) to use micromark)
    1. remark v13 release info There's a lot of things to go through here but I'm stuck already at the first point:
      1. It says to "Update all the remark* packages you are using in package.json" (unsure exactly which ones and to what version)
  • Command run: npm install remark-parse@9 -w decap-cms-widget-markdown
  • Test results: Fail ❌ (46 failing tests)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
pinned
Projects
Priority Issues
Status: Selected for Development
Milestone
No milestone
Development

No branches or pull requests
10 participants
@tomhermans @jcweaver @amanifarooque @changethe @tomasz13nocon @andreasnilssondev @afredericksansait @amyhenke @martinjagodic @kl-ma