
vscode NPM package is causing a diff security issue #75732

Labels: engineering (VS Code - Build / issue tracking / etc.)

@queeniema

Issue Type: Bug

GitHub reported a security vulnerability related to the diff NPM package in my VS Code extension's package-lock.json.

(Screenshot: the GitHub security alert for the diff package, 2019-06-18)

In my VS Code extension's package.json, I've added a dependency for vscode:

```json
"devDependencies": {
  ...
  "vscode": "^1.1.34",
  ...
}
```

When I run `npm ls diff` to see what packages are using diff, I see this:

(Screenshot: output of `npm ls diff`, 2019-06-18)

And I see this reflected in my package-lock.json:

```json
"vscode": {
  "version": "1.1.34",
  "resolved": "https://registry.npmjs.org/vscode/-/vscode-1.1.34.tgz",
  "integrity": "sha512-GuT3tCT2N5Qp26VG4C+iGmWMgg/MuqtY5G5TSOT3U/X6pgjM9LFulJEeqpyf6gdzpI4VyU3ZN/lWPo54UFPuQg==",
  "dev": true,
  "requires": {
    "glob": "^7.1.2",
    "mocha": "^4.0.1",
    "request": "^2.88.0",
    "semver": "^5.4.1",
    "source-map-support": "^0.5.0",
    "url-parse": "^1.4.4",
    "vscode-test": "^0.4.1"
  },
  "dependencies": {
    ...
    "diff": {
      "version": "3.3.1",
      "resolved": "https://registry.npmjs.org/diff/-/diff-3.3.1.tgz",
      "integrity": "sha512-MKPHZDMB0o6yHyDryUOScqZibp914ksXwAMYMTHj6KO8UeKsRYNJD3oNCKjTqZon+V488P7N/HzXF8t7ZR95ww==",
      "dev": true
    },
    ...
  }
}
```

VS Code version: Code 1.35.1 (c7d83e5, 2019-06-12T14:29:22.216Z)
OS version: Darwin x64 18.6.0

System Info

| Item | Value |
| --- | --- |
| CPUs | Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz (8 x 2500) |
| GPU Status | 2d_canvas: enabled<br>checker_imaging: disabled_off<br>flash_3d: enabled<br>flash_stage3d: enabled<br>flash_stage3d_baseline: enabled<br>gpu_compositing: enabled<br>multiple_raster_threads: enabled_on<br>native_gpu_memory_buffers: enabled<br>rasterization: enabled<br>surface_synchronization: enabled_on<br>video_decode: enabled<br>webgl: enabled<br>webgl2: enabled |
| Load (avg) | 3, 3, 3 |
| Memory (System) | 16.00GB (0.11GB free) |
| Process Argv | |
| Screen Reader | no |
| VM | 0% |

Extensions (15)

| Extension | Author (truncated) | Version |
| --- | --- | --- |
| vscode-css-formatter | aes | 1.0.1 |
| npm-intellisense | chr | 1.3.0 |
| path-intellisense | chr | 1.4.2 |
| bracket-pair-colorizer | Coe | 1.0.61 |
| vscode-eslint | dba | 1.9.0 |
| gitlens | eam | 9.8.2 |
| vscode-npm-script | eg2 | 0.3.7 |
| auto-rename-tag | for | 0.1.0 |
| beautify | Hoo | 1.5.0 |
| ibm-streams | IBM | 0.5.0 |
| vscode-duplicate | mrm | 1.2.1 |
| java | red | 0.46.0 |
| change-case | wma | 1.0.0 |
| JavaScriptSnippets | xab | 1.7.2 |
| ReactSnippets | xab | 2.3.0 |
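The chain the issue reconstructs by hand (`vscode` requires `mocha`, which requires the old `diff`) can be recovered from a v1 `package-lock.json` alone, because each `"requires"` entry resolves against the nearest enclosing `"dependencies"` map. The following script is an added example, not code from the issue or from VS Code; the lockfile fragment, the `my-tool` package, the `mocha@4.1.0` and root `diff@4.0.1` entries are constructed, and the patched-version threshold passed to `vulnerableChains` must come from the advisory itself.

```javascript
'use strict';

// Constructed sample modelled on the issue's package.json and package-lock.json.
const PKG = { devDependencies: { vscode: '^1.1.34', 'my-tool': '^1.0.0' } };
const LOCK = {
  dependencies: {
    diff: { version: '4.0.1', dev: true },                 // hoisted copy at the root (constructed)
    'my-tool': { version: '1.0.0', dev: true, requires: { diff: '^4.0.0' } },
    vscode: {
      version: '1.1.34', dev: true,
      requires: { mocha: '^4.0.1', glob: '^7.1.2' },
      dependencies: {                                   // mocha 4 pins the old diff here
        mocha: { version: '4.1.0', dev: true, requires: { diff: '3.3.1' } },
        diff: { version: '3.3.1', dev: true },
      },
    },
    glob: { version: '7.1.4', dev: true },
  },
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Every chain from a package.json dependency down to `target`, in the form
// `npm ls` prints, e.g. "vscode@1.1.34 > mocha@4.1.0 > diff@3.3.1".
function findPaths(pkg, lock, target) {
  const chains = [];
  const visit = (name, node, scopes, path) => {
    const chain = [...path, `${name}@${node.version}`];
    if (name === target) { chains.push(chain.join(' > ')); return; }
    // innermost scope first: the node's own nested deps, then each ancestor's
    const inner = node.dependencies ? [node.dependencies, ...scopes] : scopes;
    for (const req of Object.keys(node.requires || {})) {
      if (chain.some((p) => p.startsWith(`${req}@`))) continue;  // cycle guard
      const idx = inner.findIndex((s) => has(s, req));
      if (idx === -1) continue;              // not in the lockfile: nothing to walk
      visit(req, inner[idx][req], inner.slice(idx), chain);
    }
  };
  const roots = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of Object.keys(roots)) {
    if (has(lock.dependencies || {}, name)) visit(name, lock.dependencies[name], [lock.dependencies], []);
  }
  return chains;
}

// Compare the numeric core of two versions (pre-release tags ignored).
function versionLt(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}

// Chains whose leaf is older than `fixedIn`, the patched version from the advisory.
function vulnerableChains(pkg, lock, target, fixedIn) {
  return findPaths(pkg, lock, target).filter((c) => versionLt(c.split('@').pop(), fixedIn));
}

console.log(findPaths(PKG, LOCK, 'diff'));
```

Each reported chain names the direct dependency (here `vscode`) that has to change or be updated for the alert to clear, which is what the thread below settles on.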
@vscodebot vscodebot bot added the terminal Integrated terminal issues label Jun 19, 2019
@Tyriar Tyriar assigned octref and unassigned Tyriar Jun 19, 2019
@Tyriar Tyriar removed the terminal Integrated terminal issues label Jun 19, 2019
@octref octref added this to the June 2019 milestone Jun 19, 2019
@octref octref added the engineering VS Code - Build / issue tracking / etc. label Jun 19, 2019
@octref octref modified the milestones: June 2019, July 2019 Jun 24, 2019
octref (Contributor) commented Jun 25, 2019

Seems the @vscode NPM org is taken by someone :(
https://www.npmjs.com/org/vscode

I'm now forking mocha to update diff to fix the security alert.

Wondering what I should do:

  • 1️⃣ Publish it under @octref/mocha
  • 2️⃣ Make vscode depend on octref/mocha on GitHub
  • 3️⃣ We should create an NPM org for this kind of package

@bpasero What do you think?

Tyriar (Member) commented Jun 25, 2019

@octref can't we just update to mocha 5 or 6 in the vscode module?

bpasero (Member) commented Jun 26, 2019

@octref will talk to you in chat

octref (Contributor) commented Jun 26, 2019

Ah, I thought Mocha 5/6 would have breaking changes, so we couldn't really upgrade easily.
Turns out Mocha 5 only had one breaking change: dropping IE9/10 support. It shouldn't affect us.
Meanwhile, if someone really needs Mocha 4, they can use vscode-test and manually depend on it.

Will upgrade to Mocha 5.

bpasero (Member) commented Jun 27, 2019

Thanks
