Security vulnerability in tunnel-agent #22

Open
SturmB opened this issue May 18, 2018 · 13 comments

Comments

@SturmB

SturmB commented May 18, 2018

You may already be aware of this issue, but I figured I'd post it here anyway, just in case I'm wrong. (I don't see it already posted.)

When running an npm audit on my Laravel project, I get several Moderate security vulnerabilities related to the tunnel-agent dependency. It seems there is a patch available, but it requires that you update caw so that it will use tunnel-agent version >=0.6.0:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ laravel-mix [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ laravel-mix > img-loader > imagemin-gifsicle > gifsicle >    │
│               │ bin-build > download > caw > tunnel-agent                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
@migcarva

Is there any ETA to solve this issue? Are you guys accepting PRs?

@mattjbrent

@migcarva The issue has been fixed in a PR in tunnel-agent but hasn't yet been updated on the NPM registry. Once this is done I don't mind making the PR.

@sumitzamadar

sumitzamadar commented Aug 16, 2018

Facing similar issues:

Moderate Memory Exposure
Package tunnel-agent
Patched in >=0.6.0
Dependency of gulp-imagemin [dev]
Path gulp-imagemin > imagemin-gifsicle > gifsicle > bin-build > download > caw > tunnel-agent
More info https://nodesecurity.io/advisories/598
------------ -------------
Package tunnel-agent
Patched in >=0.6.0
Dependency of gulp-imagemin [dev]
Path gulp-imagemin > imagemin-gifsicle > gifsicle > bin-wrapper > download > caw > tunnel-agent
More info https://nodesecurity.io/advisories/598
------------ -------------
Package tunnel-agent
Patched in >=0.6.0
Dependency of gulp-imagemin [dev]
Path gulp-imagemin > imagemin-jpegtran > jpegtran-bin > bin-build > download > caw > tunnel-agent
More info https://nodesecurity.io/advisories/598
------------ -------------
Package tunnel-agent
Patched in >=0.6.0
Dependency of gulp-imagemin [dev]
Path gulp-imagemin > imagemin-jpegtran > jpegtran-bin > bin-wrapper > download > caw > tunnel-agent
More info https://nodesecurity.io/advisories/598
------------ -------------
Package tunnel-agent
Patched in >=0.6.0
Dependency of gulp-imagemin [dev]
Path gulp-imagemin > imagemin-optipng > optipng-bin > bin-build > download > caw > tunnel-agent
More info https://nodesecurity.io/advisories/598
------------ -------------
Package tunnel-agent
Patched in >=0.6.0
Dependency of gulp-imagemin [dev]
Path gulp-imagemin > imagemin-optipng > optipng-bin > bin-wrapper > download > caw > tunnel-agent
More info https://nodesecurity.io/advisories/598

@SalomonSmeke

SalomonSmeke commented Sep 2, 2018

Last commit to tunnel-agent was in 2017, so I'm not sure if anyone is around to run npm publish. Maybe it's time to move to https://github.com/koichik/node-tunnel, which seems to be the original package from which tunnel-agent was spawned anyway? It was updated 19 days ago as of this edit.

The interfaces look almost suspiciously similar.

I've added a PR: #23

Other devs in the same boat:
Feel free to shrinkwrap my fork at that commit hash. Just let me know you did it so I never delete my fork. Obviously please test your use cases before you do.

If you feel uncomfortable doing that, feel free to fork my fork and pin that.

@creage

creage commented Sep 20, 2018

Please, we need this fixed, nobody likes security warnings in their builds

@vtereshyn

Any updates?

@nylen

nylen commented Oct 5, 2018

cc @kevva

@sp90

sp90 commented Oct 16, 2018

Guys this is still not fixed in the tunnel-agent module, so until it gets fixed there this isn't changing 👍

@SalomonSmeke

SalomonSmeke commented Oct 16, 2018

@sp90 there are at the very least two ways to fix this 😄:

• Shrinkwrap this repo and use the latest commit hash for tunnel-agent as its source.

• Change the tunnel-agent dependency for node-tunnel (which is done in a PR to this repo already).

Neither require the tunnel-agent maintainer/owner to do anything.

@sp90

sp90 commented Oct 16, 2018

@SalomonSmeke that is true 👍

@vtereshyn

@SalomonSmeke can you please describe in more detail the actions you cited? Thank you in advance :)

@SalomonSmeke

SalomonSmeke commented Oct 18, 2018

@vtereshyn absolutely! They're not much use to anyone except for the maintainer unfortunately but:

• Shrinkwrap this repo and use the latest commit hash for tunnel-agent as its source.

https://docs.npmjs.com/cli/shrinkwrap allows you much tighter control over your NPM dependencies. You can even take nested dependencies and replace their versions.

https://stackoverflow.com/questions/15806152/how-do-i-override-nested-npm-dependency-versions explains it pretty well!

• Change the tunnel-agent dependency for node-tunnel (which is done in a PR to this repo already).

All that would need to happen here is for the maintainer to accept my pull request: #23

Edit:

While writing this, I realized that the maintainer would not have to shrink-wrap since the dependency isn't nested. They could instead replace their package.json to use the latest version of tunnel agent from the git repo.
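The audit output quoted at the top of this thread and the nested-dependency override described above both come down to the same question: which paths in the lock tree still reach a tunnel-agent older than 0.6.0? The script below is an added example (not code from this issue or from the caw project) that answers it for a package-lock-style tree; the tree, the `addChain`/`buildSampleTree` helpers and the 0.4.3 leaf version are constructed for illustration.

```javascript
// Added example, not from this issue or from caw: report paths to unpatched
// tunnel-agent copies in a package-lock-style tree. Sample tree is constructed.
const PATCHED = '0.6.0';

// Numeric MAJOR.MINOR.PATCH comparison; prerelease tags are not handled.
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}
const isPatched = (version) => cmpVersion(version, PATCHED) >= 0;

// Hypothetical helper: insert a "parent > child > ... > leaf" chain into a
// nested "dependencies" tree (package-lock v1 layout) and set the leaf version.
function addChain(tree, pathStr, leafVersion) {
  let node = tree;
  for (const name of pathStr.split('>').map((s) => s.trim())) {
    node.dependencies = node.dependencies || {};
    node = node.dependencies[name] = node.dependencies[name] || {};
  }
  node.version = leafVersion;
}

// Depth-first walk collecting "a > b > c" paths to copies of `pkg` below
// PATCHED; a copy with no recorded version is reported too (cannot be cleared).
function findVulnerablePaths(tree, pkg = 'tunnel-agent', trail = []) {
  const found = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, name];
    if (name === pkg && (!node.version || !isPatched(node.version))) {
      found.push(path.join(' > '));
    }
    found.push(...findVulnerablePaths(node, pkg, path));
  }
  return found;
}

// Constructed tree: two paths from this thread with a pre-0.6.0 leaf, plus a
// hoisted top-level copy already at 0.6.0, which must not be flagged.
function buildSampleTree() {
  const tree = {};
  addChain(tree, 'laravel-mix > img-loader > imagemin-gifsicle > gifsicle > bin-build > download > caw > tunnel-agent', '0.4.3');
  addChain(tree, 'gulp-imagemin > imagemin-jpegtran > jpegtran-bin > bin-wrapper > download > caw > tunnel-agent', '0.4.3');
  addChain(tree, 'tunnel-agent', '0.6.0');
  return tree;
}

console.log(findVulnerablePaths(buildSampleTree()));
```

Running the walk again after overriding the nested copies (or after a lockfile regenerates with 0.6.0) should return an empty list, which is the check that the override actually took effect.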

@gajus

gajus commented Jun 21, 2019

Consider deprecating package in favour of https://github.com/gajus/global-agent
