bug: checkly-cli install is introducing dependabot issues #945

Open
slmoore opened this issue Apr 10, 2024 · 0 comments
Labels
bug Something isn't working

Comments


slmoore commented Apr 10, 2024

Node.js version

20.12.1

NPM version

10.5.0

@checkly/cli version

4.6.3

Steps to reproduce

Hi Checkly team!

Running npm i --save-dev checkly is installing the dependency ip with version 2.0.0 and tar with version 6.2.0. This introduces audit and dependabot alerts.
GHSA-78xj-cgh5-2h22
GHSA-f5x3-32g6-xq36

Steps to reproduce, on a clean repo without any dependencies or dev dependencies:

npm i --save-dev checkly
npm WARN deprecated @oclif/screen@3.0.8: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

added 304 packages, and audited 531 packages in 13s

85 packages are looking for funding
  run `npm fund` for details

5 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Here is the npm audit report

npm audit
# npm audit report

ip  2.0.0
Severity: moderate
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix`
node_modules/npm/node_modules/ip

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install checkly@4.5.2, which is a breaking change
node_modules/npm/node_modules/tar
  npm  <=10.5.0
  Depends on vulnerable versions of tar
  node_modules/npm
    @oclif/plugin-plugins  >=3.0.1
    Depends on vulnerable versions of npm
    node_modules/@oclif/plugin-plugins
      checkly  <=0.0.0-pr.944.98770dd || >=4.6.0-prerelease
      Depends on vulnerable versions of @oclif/plugin-plugins
      node_modules/checkly

5 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Running npm audit fix results in the same audit errors:

npm audit fix
npm WARN audit fix ip@2.0.0 node_modules/npm/node_modules/ip
npm WARN audit fix ip@2.0.0 is a bundled dependency of
npm WARN audit fix ip@2.0.0 npm@10.2.3 at node_modules/npm
npm WARN audit fix ip@2.0.0 It cannot be fixed automatically.
npm WARN audit fix ip@2.0.0 Check for updates to the npm package.
npm WARN audit fix tar@6.2.0 node_modules/npm/node_modules/tar
npm WARN audit fix tar@6.2.0 is a bundled dependency of
npm WARN audit fix tar@6.2.0 npm@10.2.3 at node_modules/npm
npm WARN audit fix tar@6.2.0 It cannot be fixed automatically.
npm WARN audit fix tar@6.2.0 Check for updates to the npm package.

up to date, audited 531 packages in 2s

85 packages are looking for funding
  run `npm fund` for details

# npm audit report

ip  2.0.0
Severity: moderate
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix`
node_modules/npm/node_modules/ip

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install checkly@4.5.2, which is a breaking change
node_modules/npm/node_modules/tar
  npm  <=10.5.0
  Depends on vulnerable versions of tar
  node_modules/npm
    @oclif/plugin-plugins  >=3.0.1
    Depends on vulnerable versions of npm
    node_modules/@oclif/plugin-plugins
      checkly  <=0.0.0-pr.944.98770dd || >=4.6.0-prerelease
      Depends on vulnerable versions of @oclif/plugin-plugins
      node_modules/checkly

5 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Thanks!

What is expected?

The ip and tar dependency versions would match the patched versions that are safe to use.

What is actually happening?

The ip and tar dependency versions are not the patched versions.

Any additional comments?

No response

@slmoore slmoore added the bug Something isn't working label Apr 10, 2024
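The audit output above shows why `npm audit fix` cannot help here: the vulnerable `ip` and `tar` copies live under `node_modules/npm/node_modules/`, bundled inside the `npm` package that `@oclif/plugin-plugins` pulls in, so neither `npm audit fix` nor a package.json `overrides` entry can rewrite them; only a new release of the bundling package can. The script below is an added example, not code from the Checkly project or the issue author. It walks a `package-lock.json` (lockfileVersion 2 or 3, whose `packages` map marks bundled copies with `"inBundle": true`) and reports every installed copy of a watched package below a minimum safe version, whether that copy is bundled, and the dependency chain back to the project root. The minimum safe version for `tar` (6.2.1) comes from the `tar <6.2.1` range in the audit report; the `ip` minimum of 2.0.1 is an assumption and should be checked against the advisory before use. The embedded lockfile is constructed to mirror the tree in this issue, and the `@oclif/plugin-plugins` version in it is illustrative.

```javascript
// Added example: find installed copies of watched packages that are below a
// minimum safe version in an npm package-lock.json, including copies nested
// inside bundled dependencies that `npm audit fix` and `overrides` cannot touch.
// Not part of the checkly-cli project.

const MIN_SAFE = {
  tar: "6.2.1", // from the "tar <6.2.1" range in the audit report above
  ip: "2.0.1",  // ASSUMPTION: first patched 2.x for GHSA-78xj-cgh5-2h22; verify
};

// Constructed lockfile fragment mirroring the tree in the issue.
// Versions for checkly, npm, ip and tar are those shown in the issue;
// the @oclif/plugin-plugins version is illustrative.
const SAMPLE_LOCK = {
  name: "demo",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", devDependencies: { checkly: "^4.6.3" } },
    "node_modules/checkly": {
      version: "4.6.3", dev: true, dependencies: { "@oclif/plugin-plugins": "^3.9.0" },
    },
    "node_modules/@oclif/plugin-plugins": {
      version: "3.9.0", dev: true, dependencies: { npm: "10.2.3" },
    },
    "node_modules/npm": {
      version: "10.2.3", dev: true,
      bundleDependencies: ["ip", "tar"],
      dependencies: { ip: "^2.0.0", tar: "^6.2.0" },
    },
    // bundled copies: shipped inside npm's own tarball
    "node_modules/npm/node_modules/ip": { version: "2.0.0", dev: true, inBundle: true },
    "node_modules/npm/node_modules/tar": { version: "6.2.0", dev: true, inBundle: true },
    // a hoisted, already-patched tar: does not fix the nested copy above
    "node_modules/tar": { version: "6.2.1", dev: true },
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two x.y.z versions: -1, 0 or 1 (prerelease tags are ignored).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// "node_modules/npm/node_modules/ip" -> "ip"; scoped names keep "@scope/name".
function packageNameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? p : p.slice(idx + "node_modules/".length);
}

// All lockfile entries that declare `name` as a (dev) dependency.
function dependentsOf(lock, name) {
  return Object.entries(lock.packages)
    .filter(([, m]) => name in (m.dependencies || {}) || name in (m.devDependencies || {}))
    .map(([p]) => p);
}

// One dependency chain from an installed copy up to the project root, preferring
// the enclosing package for nested installs. Packages can have several dependents;
// this reports a single path, which is enough to see who bundled the copy.
function dependencyChain(lock, path) {
  const chain = [];
  const seen = new Set();
  let name = packageNameFromPath(path);
  for (;;) {
    const deps = dependentsOf(lock, name).filter((p) => !seen.has(p));
    if (deps.length === 0) break;
    const parent = deps.find((p) => path.startsWith(p + "/node_modules/")) || deps[0];
    seen.add(parent);
    if (parent === "") { chain.push(lock.packages[""].name || "(root)"); break; }
    chain.push(packageNameFromPath(parent));
    name = packageNameFromPath(parent);
  }
  return chain;
}

// Every installed copy of a watched package below its minimum safe version.
function findVulnerableInstalls(lock, minSafe = MIN_SAFE) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    const name = packageNameFromPath(path);
    if (!(name in minSafe) || !meta.version) continue;
    if (compareVersions(meta.version, minSafe[name]) < 0) {
      hits.push({
        path, name, version: meta.version, minSafe: minSafe[name],
        inBundle: meta.inBundle === true,
        // a bundled copy can only be replaced by a new release of its bundler
        fixableInPlace: meta.inBundle !== true,
        chain: dependencyChain(lock, path),
      });
    }
  }
  return hits;
}

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node check-lock.js [path/to/package-lock.json]; defaults to the sample.
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const h of findVulnerableInstalls(lock)) {
    const how = h.fixableInPlace ? "npm audit fix / overrides" : "needs new release of " + h.chain[0];
    console.log(`${h.path} ${h.version} < ${h.minSafe} (${h.chain.join(" <- ")}): ${how}`);
  }
}
```

Run against the sample, the hoisted `node_modules/tar` at 6.2.1 is clean while both nested copies are reported as bundled and not fixable in place, with the chain `npm <- @oclif/plugin-plugins <- checkly <- demo`; that is the same shape `npm audit` prints, but the `inBundle` flag is what tells you to stop retrying `npm audit fix` and wait for, or pin to, a release that bundles patched versions.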