Hitting numerous npm audit issues when creating strapi app on Ubuntu 20

[mwoodpatrick]

Bug report

Describe the bug

When creating the quickstart app on Ubuntu 20.04.2 LTS (Digital Ocean or WSL-2) node v14.17.0 (npm/npx v6.14.13):

npx create-strapi-app strapi --quickstart  2>&1 | tee strapi_install.log

Then cd'ing into strapi and running

npm i

I get

found 52 vulnerabilities (7 moderate, 45 high)
run npm audit fix to fix them, or npm audit for details

and then running npm audit:

npm audit --parseable 2>&1 | tee npm_audit.log

I get the attached results:

npm_audit.log

Running:

npm audit fix

gives:

npm WARN @buffetjs/utils@3.3.6 requires a peer of yup@^0.27.0 but none is installed. You must install peer dependencies yourself.
npm WARN bootstrap@4.6.0 requires a peer of jquery@1.9.1 - 3 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/watchpack-chokidar2/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/webpack-dev-server/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

up to date in 14.092s

109 packages are looking for funding
run npm fund for details

fixed 0 of 52 vulnerabilities in 1666 scanned packages
52 vulnerabilities required manual review and could not be updated

[derrickmehaffy]

npm audit fix

This is never a good idea, there are many packages that do not follow proper semver (Strapi packages included) and it doesn't take into account packages that should be the same version as their partners (all Strapi maintained packages). Nor does it take into account breaking changes in various packages (some of which are in that audit, like yup and lodash).

The existence of a vulnerability does not inherently mean there is a problem, most of those on that list are simple prototype pollution and require some very specific (and in most cases, impossible) conditions to apply. We are already working on a few them such as my PR to fix the yup one: #10351

None of the lodash vuln code is any that we use, and the postcss is basically impossible to actually reproduce the proof of concept since it's just css.

---

You should actively review the actual responses of the audit, and in most cases you will see why we are not diverting the team to fix them as they are non-issues. The severity of a npm vulnerability is missing two other key points are Probability/Likelyhood and Impact beyond the standard Risk.

In all of the cases listed in your audit log, the only thing that npm audit checks for is risk and provides no information about impact or probability.

I will keep this issue open for a bit to let the rest of the maintainers weigh in on it, but I strongly advise against ever just blindly running an npm audit fix, you should just do a normal npm audit or yarn audit and do the research on the issues (while also looking each packages own change logs, say for example the yup changelog: https://github.com/jquense/yup/blob/master/CHANGELOG.md)

[mwoodpatrick]

Many thanks for the info much appreciated. I don't normally run npm audit fix this was purely experimental and was prompted by all the issues I was seeing. What Penetration Testing - Security Vulnerability Testing is currently done for strappi?

[derrickmehaffy]

Many thanks for the info much appreciated. I don't normally run npm audit fix this was purely experimental and was prompted by all the issues I was seeing. What Penetration Testing - Security Vulnerability Testing is currently done for strappi?

We don't do pen-testing as that implies testing a deployed application, for vuln scanning we use Snyk

[derrickmehaffy]

You can see some of the tests being ran on any PR:

[mwoodpatrick]

Many thanks for the information, very much appreciated

[derrickmehaffy]

This issue has been mentioned on Strapi Community Forum. There might be relevant details there:

https://forum.strapi.io/t/strapi-3-6-5-vulnerabilities/5995/2