Security issue: please update Acorn

[Pomax]

                       === npm audit security report ===                        

                                                                                
                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           
                                                                                
                                                                                
  Moderate        Regular Expression Denial of Service                          
  Package         acorn                                                         
  Patched in      >=7.1.1                                                       
  Dependency of   jest [dev]                                                    
                                                                                
  Path            jest > @jest/core > @jest/reporters > jest-runtime >          
                  jest-config > jest-environment-jsdom > jsdom > acorn-globals  
                  > acorn                                                       
                                                                                
  More info       https://npmjs.com/advisories/1488                             
                                                                                
                                                                                
  Moderate        Regular Expression Denial of Service                          
  Package         acorn                                                         
  Patched in      >=7.1.1                                                       
  Dependency of   jest [dev]                                                    

  Path            jest > jest-cli > @jest/core > @jest/reporters >              
                  jest-runtime > jest-config > jest-environment-jsdom > jsdom   
                  > acorn-globals > acorn                                       
                                                                                
  More info       https://npmjs.com/advisories/1488                             
                                                                                
                                                                                
  Moderate        Regular Expression Denial of Service                          
  Package         acorn                                                         
  Patched in      >=7.1.1                                                       
  Dependency of   jest [dev]                                                    
                                                                                
  Path            jest > @jest/core > jest-runner > jest-jasmine2 >             
                  jest-runtime > jest-config > jest-environment-jsdom > jsdom   
                  > acorn-globals > acorn                                       
                                                                                
  More info       https://npmjs.com/advisories/1488                             
                                                                                
                                                                                
  Moderate        Regular Expression Denial of Service                          
  Package         acorn                                                         
  Patched in      >=7.1.1                                                       
  Dependency of   jest [dev]                                                    
                                                                                
  Path            jest > jest-cli > @jest/core > jest-runner > jest-jasmine2 >  
                  jest-runtime > jest-config > jest-environment-jsdom > jsdom   
                  > acorn-globals > acorn                                       
                                                                                
  More info       https://npmjs.com/advisories/1488                             
                                                                                
                                                                                
  Moderate        Regular Expression Denial of Service                          
  Package         acorn                                                         
  Patched in      >=7.1.1                                                       
  Dependency of   jest [dev]                                                    
                                                                                
  Path            jest > @jest/core > jest-runner > jest-runtime > jest-config  
                  > jest-environment-jsdom > jsdom > acorn-globals > acorn      
                                                                                
  More info       https://npmjs.com/advisories/1488                             
                                                                                
  [...snip...]

[hjr3]

I believe the root issue is with acorn-globals, which is has an acorn v6 dependency in the package.json.

The latest jsdom package.json depends on acorn-globals v4.3.4 which is the latest release. The overall jest ecosystem depends on jsdom, so it gets dragged into this mess.

[juergenzimmermann]

When the dependency of jsdom is upgraded from ^15.1.1 to ^16.2.0 (see https://github.com/facebook/jest/blob/master/packages/jest-environment-jsdom/package.json#L18) then the indirect dependency of acorn will be ^7.1.0 (instead of ^6.1.1). Finally 7.1.1 has the security fix.

[tunnckoCore]

For anyone having this:

yarn add ForbesLindesay/acorn-globals#greenkeeper/acorn-7.1.1
# or if in monorepo setup
yarn add -W ForbesLindesay/acorn-globals#greenkeeper/acorn-7.1.1

# or npm
npm i ForbesLindesay/acorn-globals#greenkeeper/acorn-7.1.1

Until ForbesLindesay/acorn-globals#50 or ForbesLindesay/acorn-globals#56 (@EmmaGoodliffe's) get merged.

[tunnckoCore]

FWIW acorn-globals@6.0.0 is published.

[railsstudent]

jsdom 16.2.1 is released and acorn is upgraded to 7.1.1
https://github.com/jsdom/jsdom/blob/master/package.json#L24

Thanks

[pratiksawant10]

@railsstudent Can you please help me with the steps to fix this issue?

[SimenB]

Upgrading JSDOM is a breaking change, so it won't be done until the next major. You can use jest-environment-jsdom-sixteen if you want to use a version of JSDOM without the "vulnerability", but npm will still complain as Jest itself depends on jsdom@15 and will for the duration of jest@25.

This is yet another case of npm complaining about regex dos attacks against a dev dependency, so 0% chance of it being exploited 🤷‍♂

[SimenB]

That said, I'm not getting this warning?

$ docker run -it node:13-alpine sh -c 'mkdir dir; cd dir; npm init -y; npm i -D jest; npm audit'
Wrote to /dir/package.json:

{
  "name": "dir",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}


npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^2.1.2 (node_modules/jest-haste-map/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN dir@1.0.0 No description
npm WARN dir@1.0.0 No repository field.

+ jest@25.1.0
added 486 packages from 285 contributors and audited 1203821 packages in 23.344s

23 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities


                       === npm audit security report ===

found 0 vulnerabilities
 in 1203821 scanned packages

[RiZKiT]

@SimenB Together with the "kind-of" dependency vulnerability mentioned in #9648 (which is closed as duplicate), it looks a bit different in our project:
found 39465 vulnerabilities (39451 low, 14 moderate) in 1223109 scanned packages

Where almost all results are coming from jest. Two days ago it were 0 vulnerabilities.

[hjr3]

The fix was backported to acorn 6.4.1 here. At the time of this writing, new installs should not have any reported vulns.

If you have an existing install, make sure you are using the latest version of jest 25.1.0. You can run npm audit fix or whatever the yarn equivalent is.

I believe this issue should now be closed.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.