
Npm audit throws several vulnerabilities #589

Closed
rab1 opened this issue Jun 22, 2024 · 4 comments

Comments


rab1 commented Jun 22, 2024

I have installed the latest package "jscodeshift": "^0.16.0" and executed npm audit. It throws

7 vulnerabilities (3 high, 4 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

See detailed errors on

{
"auditReportVersion": 2,
"vulnerabilities": {
  "babel-core": {
    "name": "babel-core",
    "severity": "critical",
    "isDirect": false,
    "via": [
      "babel-helpers",
      "babel-register",
      "babel-template",
      "babel-traverse",
      "json5"
    ],
    "effects": [
      "babel-register",
      "jscodeshift"
    ],
    "range": "5.8.20 - 7.0.0-beta.3",
    "nodes": [
      "node_modules/babel-core"
    ],
    "fixAvailable": {
      "name": "jscodeshift",
      "version": "0.15.2",
      "isSemVerMajor": true
    }
  },
  "babel-helpers": {
    "name": "babel-helpers",
    "severity": "critical",
    "isDirect": false,
    "via": [
      "babel-template"
    ],
    "effects": [],
    "range": "*",
    "nodes": [
      "node_modules/babel-helpers"
    ],
    "fixAvailable": true
  },
  "babel-register": {
    "name": "babel-register",
    "severity": "high",
    "isDirect": false,
    "via": [
      "babel-core"
    ],
    "effects": [
      "babel-core"
    ],
    "range": "*",
    "nodes": [
      "node_modules/babel-register"
    ],
    "fixAvailable": {
      "name": "jscodeshift",
      "version": "0.15.2",
      "isSemVerMajor": true
    }
  },
  "babel-template": {
    "name": "babel-template",
    "severity": "critical",
    "isDirect": false,
    "via": [
      "babel-traverse"
    ],
    "effects": [
      "babel-helpers"
    ],
    "range": "*",
    "nodes": [
      "node_modules/babel-template"
    ],
    "fixAvailable": true
  },
  "babel-traverse": {
    "name": "babel-traverse",
    "severity": "critical",
    "isDirect": false,
    "via": [
      {
        "source": 1096879,
        "name": "babel-traverse",
        "dependency": "babel-traverse",
        "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
        "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92",
        "severity": "critical",
        "cwe": [
          "CWE-184",
          "CWE-697"
        ],
        "cvss": {
          "score": 9.4,
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
        },
        "range": "<7.23.2"
      }
    ],
    "effects": [
      "babel-core",
      "babel-template"
    ],
    "range": "*",
    "nodes": [
      "node_modules/babel-traverse"
    ],
    "fixAvailable": {
      "name": "jscodeshift",
      "version": "0.15.2",
      "isSemVerMajor": true
    }
  },
  "jscodeshift": {
    "name": "jscodeshift",
    "severity": "high",
    "isDirect": true,
    "via": [
      "babel-core"
    ],
    "effects": [],
    "range": "0.3.5 - 0.3.20 || >=0.16.0",
    "nodes": [
      "node_modules/jscodeshift"
    ],
    "fixAvailable": {
      "name": "jscodeshift",
      "version": "0.15.2",
      "isSemVerMajor": true
    }
  },
  "json5": {
    "name": "json5",
    "severity": "high",
    "isDirect": false,
    "via": [
      {
        "source": 1096543,
        "name": "json5",
        "dependency": "json5",
        "title": "Prototype Pollution in JSON5 via Parse Method",
        "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
        "severity": "high",
        "cwe": [
          "CWE-1321"
        ],
        "cvss": {
          "score": 7.1,
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"
        },
        "range": "<1.0.2"
      }
    ],
    "effects": [
      "babel-core"
    ],
    "range": "<1.0.2",
    "nodes": [
      "node_modules/babel-core/node_modules/json5"
    ],
    "fixAvailable": {
      "name": "jscodeshift",
      "version": "0.15.2",
      "isSemVerMajor": true
    }
  }
},
"metadata": {
  "vulnerabilities": {
    "info": 0,
    "low": 0,
    "moderate": 0,
    "high": 3,
    "critical": 4,
    "total": 7
  },
  "dependencies": {
    "prod": 182,
    "dev": 0,
    "optional": 0,
    "peer": 0,
    "peerOptional": 0,
    "total": 181
  }
}
}

Can anyone advise on this?

@Daniel15 (Member)

The risk is very minimal given the fact that the entire point of jscodeshift is to run user-supplied code, but we can bump the dependencies to resolve this issue.


rab1 commented Jun 25, 2024

@Daniel15 Could you bump the version and make a patch release?

@Daniel15 (Member)

Yes, I'll bump it tomorrow.


Daniel15 commented Jun 25, 2024

I figured out what happened. #588 bumped the babel-core dependency from 7.0.0-bridge.0 to 6.26.3, I guess since technically it's newer. This caused the security alerts to fire since all babel versions <7.23.2 have the issue.

The security warning is not a problem for jscodeshift though, since babel-core v6 is not actually used in jscodeshift. The only reference to babel-core instead of @babel/core was in the code that outputs the version when you run jscodeshift --version.

I updated that code to use @babel/core and removed the old babel-core package.

I've published a new package with the babel-core dependency removed as v0.16.1.
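Added example (not code from this issue or from the jscodeshift project): a small Node.js triage helper for the auditReportVersion 2 JSON shape quoted above. It separates the two real advisories (the object entries in "via") from the five entries that merely propagate them, and walks the "effects" chain to the direct dependency that pulls each one in, which is the question the maintainer had to answer by hand. The sample report is a constructed, trimmed copy of the one in the issue.

```javascript
// Constructed sample in the auditReportVersion 2 shape quoted above, trimmed to five entries.
const SAMPLE_REPORT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    "babel-traverse": { severity: "critical", isDirect: false, effects: ["babel-core"],
      via: [{ source: 1096879, url: "https://github.com/advisories/GHSA-67hx-6x53-jw92",
        severity: "critical", cvss: { score: 9.4 }, range: "<7.23.2" }] },
    "json5": { severity: "high", isDirect: false, effects: ["babel-core"],
      via: [{ source: 1096543, url: "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
        severity: "high", cvss: { score: 7.1 }, range: "<1.0.2" }] },
    "babel-core": { severity: "critical", isDirect: false, effects: ["babel-register", "jscodeshift"],
      via: ["babel-traverse", "json5", "babel-register"] },
    "babel-register": { severity: "high", isDirect: false, effects: ["babel-core"], via: ["babel-core"] },
    "jscodeshift": { severity: "high", isDirect: true, effects: [], via: ["babel-core"],
      fixAvailable: { name: "jscodeshift", version: "0.15.2", isSemVerMajor: true } },
  },
});

// Only object entries in "via" are advisories; string entries just propagate another
// package's finding, which is how two advisories become "7 vulnerabilities" in the summary.
function rootAdvisories(report) {
  const out = [];
  for (const [pkg, entry] of Object.entries(report.vulnerabilities)) {
    for (const via of entry.via) {
      if (typeof via === "object") out.push({ pkg, source: via.source, url: via.url, score: via.cvss.score, range: via.range });
    }
  }
  return out;
}

// Walk "effects" upward to the packages marked isDirect, i.e. the dependencies the
// project itself declares. The visited set stops on cycles (babel-core <-> babel-register).
function affectedDirectDeps(report, pkg, seen = new Set()) {
  if (seen.has(pkg) || !report.vulnerabilities[pkg]) return [];
  seen.add(pkg);
  const entry = report.vulnerabilities[pkg];
  if (entry.isDirect) return [pkg];
  return entry.effects.flatMap((e) => affectedDirectDeps(report, e, seen));
}

// One triage row per real advisory: where it lives, which direct dependency pulls it in,
// and what npm proposes (here a semver-major move to 0.15.2; the maintainer's actual
// fix in 0.16.1 removed the unused babel-core v6 dependency instead).
function triage(reportJson) {
  const report = JSON.parse(reportJson);
  return rootAdvisories(report).map((adv) => {
    const directDeps = [...new Set(affectedDirectDeps(report, adv.pkg))];
    const fix = directDeps.map((d) => report.vulnerabilities[d].fixAvailable).find((f) => f && f.name);
    return { ...adv, directDeps, fix: fix ? `${fix.name}@${fix.version}${fix.isSemVerMajor ? " (semver-major)" : ""}` : "none" };
  });
}
```

Run it with `node` against the output of `npm audit --json` by passing that string to `triage()`; a real advisory whose direct dependency does not actually load the vulnerable package at runtime is the case the maintainer describes above.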
