Vulnerable dependancy

[robinMcA]

Bug Report

Description

If a yarn or npm audit is part of the CI/CD builds will fail.
Raising the issue here because there has been no action on the issue in the library.

1. What did you do?
   npm audit or yarn audit
2. What happened?
   serverless fails because of this https://www.npmjs.com/advisories/1217
3. What should've happened?
   serverless passes
4. What's the content of your serverless.yml file?
   N/A
5. What's the output you get when you use the SLS_DEBUG=* environment variable (e.g. SLS_DEBUG=* serverless deploy)
   N/A

Similar or dependent issues:

• Vulnerable to zip slip kevva/decompress#71

[medikoo]

@robinMcA thanks for reporting.

PR that patches that in a framework is highly welcome

[medikoo]

cc @richarddd (dependency on decompress was added with latest docker invocation improvements)

[robinMcA]

Looks like the issue will be in download as well, download use

[Nikhilkapoor20]

any update on this guys ?

[medikoo]

I've opened also issue at download: kevva/download#189

I'd give a moment for package authors to recover. If that'll turn dragging I believe we need to replace them with alternatives.

[singhemant]

Shouldn't you change it in your package.json?

serverless/package.json

Line 173 in 0ed52f6

"decompress": "^4.2.0",

&

serverless/package.json

Line 174 in 0ed52f6

"download": "^7.1.0",

[rajbir123]

Any update resolution on this guys?

[em0ney]

Any news? It looks like decompress is no longer maintained. Any plans to move to an alternative?

[medikoo]

Any news? It looks like decompress is no longer maintained. Any plans to move to an alternative?

It's quite easy to get rid of decompress (it's question of reverting part of f6d9bfd)

Still we also depend on download (which depends on decompress).

PR that reliably get rids of both of those dependencies is welcome!

[bhtandev]

Hi, unsure if I should create another brand new issue or tag into this existing issue since this issue's title seem generic enough. ( my first time )

There are 2 more security vulnerable dependencies. minimalist and dot-prop found by SYNK on top of decompress.

Both can be easily remediated by

1. Upgrading mkdirp package which uses minimalist.
2. Upgrading update-notifier which uses dot-prop.

[richarddd]

Hi everyone!

Let's replace decompress with something else! Maybe https://www.npmjs.com/package/adm-zip
?

[Nikhilkapoor20]

any update on this ?

[medikoo]

There are 2 more security vulnerable dependencies

@bhtandev for that I've created another dedicated issue: #7486

[medikoo]

Maybe https://www.npmjs.com/package/adm-zip
?

@richarddd that'll be great. Still just replacing decompress won't fix it. We also need to replace download (which uses decompress as well)

[medikoo]

There's a decompress fork: https://github.com/Atomic-Reactor/decompress that apparently has a fix. However we still need to replace download as well.

[neverendingqs]

It looks like the original package also got an update: kevva/decompress#73 (comment)

[neverendingqs]

PR to merge the change into download: kevva/download#192

[neverendingqs]

The latest versions of both decompress and download should resolve this issue. The NPM advisory has been updated as well: https://www.npmjs.com/advisories/1217

[preshetin]

@neverendingqs thanks! I'll prepare the PR that updates both decompress and download dependencies

[medikoo]

It's great to hear that! With next release (coming today or on Monday latest) we'll have those dependencies bumped.

[medikoo]

Closing as that was addressed with one of latest releases