security issues in v7 dependencies

[willdurand]

> web-ext@7.5.0 audit-deps /home/circleci/web-ext
> node ./scripts/audit-deps

== audit-deps: blocking security issues

request (https://github.com/advisories/GHSA-p8p7-x288-28g6):
  2.88.2, paths: sign-addon>request

[Araxeus]

Shame that #2688 wasn't included in the last hotfix

@willdurand any ETA for when will a new version be released?

[hymccord]

@Araxeus That wouldn't help anyhow. sign-addon 6.0.0 still depends on request 2.88.2

[willdurand]

See also: #2822 (comment)

[aspiers]

It's not just request which is the issue here; sign-addon is no longer maintained.

[willdurand]

Yeah, sign-addon is no longer maintained because we're about to release web-ext v8.

[willdurand]

There is a new one:

jose (https://github.com/advisories/GHSA-hhhv-q57g-882q):
  4.13.1, paths: jose

[Rob--W]

Is #3106 a duplicate of this?

[willdurand]

Is #3106 a duplicate of this?

I think so, yeah

[GabenGar]

There is still a warning in v8.0.0, this time asking to downgrade to 5.3.0:

express  <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix --force`
Will install web-ext@5.3.0, which is a breaking change
node_modules/express
  addons-scanner-utils  *
  Depends on vulnerable versions of express
  node_modules/addons-linter/node_modules/addons-scanner-utils
    addons-linter  >=2.11.0
    Depends on vulnerable versions of addons-scanner-utils
    node_modules/addons-linter
      web-ext  >=5.4.0
      Depends on vulnerable versions of addons-linter
      node_modules/web-ext

[willdurand]

I am not clear on how you are getting this, could you please paste the full command?

[GabenGar]

You can trigger this audit message if you install web-ext and express in the same project:

mkdir test
cd test
npm init --yes
npm install --save-dev web-ext
npm audit
npm install express@4.19.2
npm audit

Then clean up folder and install them in different order, thus proving express is not a sole source of the warning:

npm uninstall express web-ext
rm --recurse node_modules package-lock.json
npm install express@4.19.2
npm audit
npm install --save-dev web-ext
npm audit

Resorting to drastic measure of nuking node_modules and package-lock.json because I found the warning persists without doing it.
The source of the problem probably goes deeper than addons-linter, because the warning exists even with 8.1.0.

[Standard8]

Is there a reason why web-ext uses strict dependencies? For example, ws has a vulnerability in 8.17.0, but we can't automatically update to the minor version 8.17.1 that fixes it, because web-ext is specifying the strict dependency.

(if it is better to raise this in a new issue, I'm happy to do so).