
dot-prop 4.2.0 still part of nodejs - security issue #1096

Closed
dominopetter opened this issue Aug 6, 2020 · 7 comments

Comments

@dominopetter

I am going to apologize in advance if this is the wrong place to submit this issue.

Using Prisma Cloud to scan nodejs shows that module dot-prop is part of the LTS release. It specifically shows that CVE-2020-8116 - dot-prop version 4.2.0 is part of it. Now, a clean install of nodejs in a minimal docker image (For the purpose of troubleshooting this) is very confusing.

FROM ubuntu:18.04
RUN apt-get update && apt-get upgrade -y && apt-get install -y curl sudo
RUN curl -sL https://deb.nodesource.com/setup_lts.x | sudo -E bash -
RUN apt-get update && apt-get install -y nodejs

Scanning this for security issues (using twistcli from Palo Alto Networks) shows that this contains dot-prop, CVE-2020-8116 - dot-prop version 4.2.0.

Running a simple npm ls shows that this contains no modules, and even upgrading/installing dot-prop to the latest version has no effect.

Is there a version of dot-prop hiding inside the nodejs install somewhere or am I dealing with a false positive here?

Thanks
Petter

@dominopetter
Author

As this is my first ever try to dig into something like this, I am finding things out as I go. After installing LTS I am finding:

npm list -g
| | +-- dot-prop@4.2.0

@dominopetter
Author

Trying to update this global package has zero effect.

npm update --depth 9999 -g
npm outdated -g
npm update -g dot-prop
npm list -g --depth 9999

Using the list command still shows dot-prop 4.2.0.

@dominopetter
Author

After some manual removal of the dot-prop module I got the scan to not see this as an issue anymore. However, this seems to be a needed module so when re-installing it globally I run into this issue:

/usr/lib
+-- dot-prop@5.2.0
`-- npm@6.14.7
  `-- update-notifier@2.5.0
    `-- configstore@3.1.2
      `-- dot-prop@4.2.0

I am misunderstanding how this works, I think. If there are some dependencies on this module, how can I ever get rid of it? Will it always be a security risk? Or, more likely, I am not understanding how this works.

@dominopetter
Author

Looking at the /usr/lib/node_modules/npm/node_modules/dot-prop/package.json file, this still specifies 4.2.0. Not sure why this is packaged with this version of nodejs?

@dominopetter
Author

Manually downloading 5.2.0 and unpacking it to /usr/lib/node_modules/npm/node_modules/dot-prop/ updated this from-hell module, but who knows if that will work.

@dominopetter
Author

Ok, I ran:

npm update -g

It of course re-installs dot-prop 4.2.0. This MUST be a known issue?

@igsu
Contributor

igsu commented Aug 27, 2020

@dominopetter unfortunately, this is not the place to solve this issue. We only take care of packaging the binaries and distributing them, this may be the right place.

@igsu igsu closed this as completed Aug 27, 2020