Vulnerability in package dependency "eventsource"

[DaleGardner]

After installing the latest version of this package (v10.18.1) and running a security scan, there is an issue identified:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691

It comes from the "eventsource" dependency of this package, this is the chain:
@splitsoftware/splitio > eventsource > original > url-parse

I'm not able to pass in my pipeline as this is a required gate. If this could be updated or a replacement found, it would be very helpful so that this package can pass security scans.

[chillaq]

Hi @DaleGardner , thanks for the info, checking with the team.

[gsiwatch]

For now I think if we are using the yarn package then we can add the following as resolution to fix it temporarily at the client side:

"resolutions": {
    "url-parse": "1.5.10",
    "eventsource": "2.0.2"
},

[chillaq]

Thanks @gsiwatch, you can actually upgrade url-parse to "1.5.0", this will fix the issue.
You can also run "npm audit fix" or "npm_config_yes=true npx yarn-audit-fix"

[DaleGardner]

@chillaq This issue still remains though, it isn't fixed. Every consumer of this package would have to workaround this issue, instead of addressing the vulnerability here. This repo is the source of this dependency.

How is there any justification to close this issue as "completed"?

[chillaq]

Hi @DaleGardner, That is correct, we opted not to apply the fix on our side as the solution will impact streaming feature on some old versions of NodeJS. We will create a knowledge base article to document the workaround.

[DaleGardner]

@chillaq I see

We will not update EventSource dependency to v2 for now, because it implies dropping streaming support for NodeJS below v12.

• @EmilianoSanchez

Below v12? Even v12 is no longer supported: https://nodejs.org/en/about/releases/

Also, I see besides this issue there is one previously closed for the same, and now there is a new issue opened also on this same problem.

The fact of the matter is that for the majority of your base, who are adhering to best practices (using actively supported software), this package is effectively broken and requires workaround with the latest version (or would be critically vulnerable if someone does not follow the workaround).

Probably you should drop support for the unsupported node versions. But if not, the least action should be to fix this in the mainstream stable version (issue a new major version if needed) so it is default secure and working. This is a security issue after all, which should be taken seriously. Then issue a separate version branch for deprecated support for consumers of old node versions.

That's how pretty much all other libraries handle this situation, like node itself. They would have the v12 and keep releasing new versions on that tag, while simultaneously updating v14, and so forth.

[DaleGardner]

Tagging related:
#675
#678
#656
#677

[EmilianoSanchez]

Hi @DaleGardner,

We are going to update it soon. I just need to confirm with the team, because the update implies a breaking change, due to dropping support for Nodejs below version 12, which anyway, as you mentioned, are unmaintained now.

[aliwatters]

We have multiple teams/services impacted by this -- any eta?

Bumping major "version": "11.0.0", when you drop support for node v12 would be reasonable.

[EmilianoSanchez]

Hi @aliwatters . I am sorry for the delay, but we will release the fix next week.

[NicoZelaya]

Hi @DaleGardner and @aliwatters !

My name is Nicolas Zelaya and I work with the SDK team here at Split. May I ask one of you to try installing the SDKs currently latest version, 10.19.0 by running npm install @splitsoftware/splitio@latest and re-validate the vulnerability?

Our SDK was already compatible with eventsource 1.11.1 but this version also has the package-lock.json updated so you should get that specific version, as well as url-parse 10.15.10 which has the vulnerability already patched.
Eventsource 1.11.1 also fixes the vulnerability on issue #677.

Please do let us know if you still get it reported due to our SDK though, so we can pursue other alternatives.

Thanks in advance!
Nicolas.

[t0mdev]

That did it. After regenerating the package-lock.json eventsource 1.11.1 is used, which fixes the vulnerability. Thanks!