
Vulnerable dependencies #2764

Open
oskarwilliams opened this issue May 10, 2024 · 0 comments
oskarwilliams commented May 10, 2024

Description

The balena-cli, when installed via npm, currently includes 39 vulnerabilities, including 2 critical, which are non-patchable. Some of these include using a sub-dependency that was last published 10 years ago (optimist). Could some of these vulnerabilities be assessed and looked at?

Expected Behavior

In the ideal world, 0 vulnerabilities when the package is installed with NPM

Actual Behavior

39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical) and many deprecated packages

Steps to Reproduce the Problem

  1. npm init with just defaults
  2. npm install balena-cli
  3. The output below:
❯ npm install balena-cli
npm WARN skipping integrity check for git dependency ssh://git@github.com/balena-io-modules/unbzip2-stream.git 
npm WARN skipping integrity check for git dependency ssh://git@github.com/resin-io-modules/multicast-dns.git 
npm WARN skipping integrity check for git dependency ssh://git@github.com/balena-io-modules/bonjour.git 
npm WARN deprecated @types/nock@11.1.0: This is a stub types definition. nock provides its own type definitions, so you do not need this installed.
npm WARN deprecated @types/is-root@2.1.2: This is a stub types definition. is-root provides its own type definitions, so you do not need this installed.
npm WARN deprecated @types/cli-truncate@2.0.0: This is a stub types definition. cli-truncate provides its own type definitions, so you do not need this installed.
npm WARN deprecated readdir-scoped-modules@1.1.0: This functionality has been moved to @npmcli/fs
npm WARN deprecated debuglog@1.0.1: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
npm WARN deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated request-promise@4.2.6: request-promise has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated graceful-fs@1.2.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated formidable@1.2.6: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated superagent@5.3.1: Please upgrade to v7.0.2+ of superagent.  We have fixed numerous issues with streams, form-data, attach(), filesystem errors not bubbling up (ENOENT on attach()), and all tests are now passing.  See the releases tab for more information at <https://github.com/visionmedia/superagent/releases>.
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated core-js@3.20.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 2139 packages, and audited 2140 packages in 15s

104 packages are looking for funding
  run `npm fund` for details

39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
  4. The output of `npm audit` is:
# npm audit report

bl  <1.2.3
Severity: moderate
Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/ghauth/node_modules/bl
  ghauth  <=3.2.1
  Depends on vulnerable versions of bl
  node_modules/balena-cli/node_modules/ghauth

express  <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/express

follow-redirects  <=1.15.5
Severity: moderate
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/follow-redirects

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/package-json/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/balena-cli/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/balena-cli/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/balena-cli/node_modules/update-notifier

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/jsonwebtoken

lodash  <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/publish-release/node_modules/inquirer/node_modules/lodash
  inquirer  <=0.11.4
  Depends on vulnerable versions of lodash
  node_modules/balena-cli/node_modules/publish-release/node_modules/inquirer

lodash.template  *
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/lodash.template
  @oclif/plugin-warn-if-update-available  1.7.0 || 2.0.0 || 2.1.0 - 3.0.16
  Depends on vulnerable versions of lodash.template
  node_modules/balena-cli/node_modules/@oclif/plugin-warn-if-update-available

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/minimatch
  mocha  5.1.0 - 9.2.1
  Depends on vulnerable versions of minimatch
  Depends on vulnerable versions of nanoid
  node_modules/balena-cli/node_modules/mocha

minimist  <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
No fix available
node_modules/balena-cli/node_modules/optimist/node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/balena-cli/node_modules/optimist
    dbus-native  *
    Depends on vulnerable versions of optimist
    Depends on vulnerable versions of put
    Depends on vulnerable versions of xml2js
    node_modules/balena-cli/node_modules/dbus-native
      resin-discoverable-services  >=2.0.0
      Depends on vulnerable versions of dbus-native
      node_modules/balena-cli/node_modules/resin-discoverable-services
        balena-cli  *
        Depends on vulnerable versions of @balena/compose
        Depends on vulnerable versions of balena-preload
        Depends on vulnerable versions of request
        Depends on vulnerable versions of resin-discoverable-services
        Depends on vulnerable versions of update-notifier
        node_modules/balena-cli

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/nanoid

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/balena-cli/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/balena-cli/node_modules/svgo
      inline-source  6.1.0 - 7.2.0
      Depends on vulnerable versions of svgo
      node_modules/balena-cli/node_modules/inline-source
        inline-source-cli  >=2.0.0
        Depends on vulnerable versions of inline-source
        node_modules/balena-cli/node_modules/inline-source-cli

put  *
Sensitive Data Exposure in put - https://github.com/advisories/GHSA-v6gv-fg46-h89j
No fix available
node_modules/balena-cli/node_modules/put

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/balena-cli/node_modules/request
  @balena/compose  *
  Depends on vulnerable versions of pinejs-client-request
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/@balena/compose
  balena-preload  >=10.3.2-233-sh-truncate-exc-feff27b0a0cd5e8ce93564e8a8a25727bd7acffa
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise
  node_modules/balena-cli/node_modules/balena-preload
  pinejs-client-request  *
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/pinejs-client-request
  publish-release  *
  Depends on vulnerable versions of ghauth
  Depends on vulnerable versions of inquirer
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/publish-release
  request-promise  >=0.0.2
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-core
  Depends on vulnerable versions of tough-cookie
  node_modules/balena-cli/node_modules/request-promise
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/request-promise-core

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/tar

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/balena-cli/node_modules/tough-cookie

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/balena-cli/node_modules/meow

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
No fix available
node_modules/balena-cli/node_modules/dbus-native/node_modules/xml2js

39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.
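The report above mixes findings that `npm audit fix` would resolve with a handful marked "No fix available", and for the latter the interesting part is the indented chain of dependents (for example minimist is only present because optimist is, which is only present because dbus-native and resin-discoverable-services are). The script below, added here as an example and not code from this issue, from balena-cli or from npm, parses the text format that `npm audit` prints and extracts exactly that: each unfixable advisory with its severity, its GHSA ids, and the chain of packages that pulls it in. The embedded `SAMPLE_REPORT` is a constructed, abridged copy of three entries from the report in the issue; the function and variable names are this example's own.

```javascript
// Parse the plain-text `npm audit` report format shown in the issue above and
// list the advisories npm marks "No fix available" together with the chain of
// dependents that introduces them. Illustration code, not part of balena-cli.

// Constructed sample: three entries abridged from the report in the issue.
// The "put" entry deliberately has no "Severity:" line, as in the real output.
const SAMPLE_REPORT = `# npm audit report

minimist  <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
No fix available
node_modules/balena-cli/node_modules/optimist/node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/balena-cli/node_modules/optimist
    dbus-native  *
    Depends on vulnerable versions of optimist
    node_modules/balena-cli/node_modules/dbus-native
      resin-discoverable-services  >=2.0.0
      Depends on vulnerable versions of dbus-native
      node_modules/balena-cli/node_modules/resin-discoverable-services
        balena-cli  *
        Depends on vulnerable versions of resin-discoverable-services
        node_modules/balena-cli

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via \`npm audit fix\`
node_modules/balena-cli/node_modules/tar

put  *
Sensitive Data Exposure in put - https://github.com/advisories/GHSA-v6gv-fg46-h89j
No fix available
node_modules/balena-cli/node_modules/put

39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical)
`;

// "name  range": a package header line uses exactly two spaces as separator.
const PACKAGE_RE = /^(\S+)  (\S.*)$/;
// "title - https://github.com/advisories/GHSA-xxxx-xxxx-xxxx"
const ADVISORY_RE = /^(.+?)\s+- (https:\/\/github\.com\/advisories\/GHSA-[\w-]+)$/;

// Parse one blank-line-separated block of the report into a structured entry.
function parseEntry(lines) {
  const [, name, range] = lines[0].trim().match(PACKAGE_RE);
  const entry = { name, range, severity: null, advisories: [], fixAvailable: null, path: null, dependents: [] };
  for (const raw of lines.slice(1)) {
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0) {
      // Top-level lines describe the vulnerable package itself.
      const adv = line.match(ADVISORY_RE);
      if (line.startsWith('Severity: ')) entry.severity = line.slice('Severity: '.length);
      else if (adv) entry.advisories.push({ title: adv[1], url: adv[2] });
      else if (line === 'No fix available') entry.fixAvailable = false;
      else if (line.startsWith('fix available')) entry.fixAvailable = true;
      else if (line.startsWith('node_modules/')) entry.path = line;
    } else {
      // Indented "name  range" lines are dependents; two spaces per tree level.
      // "Depends on ..." and path lines do not match PACKAGE_RE and are skipped.
      const dep = line.match(PACKAGE_RE);
      if (dep) entry.dependents.push({ name: dep[1], range: dep[2], depth: indent / 2 });
    }
  }
  return entry;
}

// Split the whole report into entries, ignoring the header and summary lines.
function parseAuditReport(text) {
  return text
    .split(/\n\s*\n/)
    .map((block) => block.split('\n'))
    .filter((lines) => PACKAGE_RE.test(lines[0].trim()))
    .map(parseEntry);
}

// Follow the first dependent at each successive depth: one path from the
// vulnerable package up to the top-level package that pulls it in.
function dependencyChain(entry) {
  const chain = [entry.name];
  let depth = 0;
  for (const d of entry.dependents) {
    if (d.depth === depth + 1) { chain.push(d.name); depth = d.depth; }
  }
  return chain;
}

// The findings a maintainer has to act on by replacing a dependency rather
// than by running `npm audit fix`.
function unfixableFindings(text) {
  return parseAuditReport(text)
    .filter((e) => e.fixAvailable === false)
    .map((e) => ({
      package: e.name,
      severity: e.severity ?? 'unknown',
      advisories: e.advisories.map((a) => a.url.split('/').pop()),
      chain: dependencyChain(e).join(' <- '),
    }));
}

console.log(JSON.stringify(unfixableFindings(SAMPLE_REPORT), null, 2));
```

Run it against a saved report (`npm audit > audit.txt`) by reading the file into `unfixableFindings` instead of `SAMPLE_REPORT`; the chain shown for each unfixable entry names the direct dependency whose replacement would actually remove the finding, which is the information the "Some issues need review" summary leaves out.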