
High Severity Vulnerability in Rekit-core #221

Open
nrydevopswatch opened this issue Mar 6, 2020 · 4 comments

Comments


nrydevopswatch commented Mar 6, 2020

Hello,

Is there a workaround for this? It makes it unusable for our project, as Rekit-Core currently includes the "decompress" npm package, which has a high severity vulnerability.

=== npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Write │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ decompress │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ rekit-core │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ rekit-core > download-git-repo > download > decompress │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1217 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 2148395 scanned packages

nrydevopswatch (Author) commented

Here is the output from a scan using Snyk:

Tested 1870 dependencies for known issues, found 19 issues, 21 vulnerable paths.

Issues with no direct upgrade or patch:
✗ Arbitrary File Write via Archive Extraction (Zip Slip) [Medium Severity][https://snyk.io/vuln/SNYK-JS-DECOMPRESS-557358] in decompress@4.2.0
introduced by rekit-core@3.0.0 > download-git-repo@1.1.0 > download@5.0.3 > decompress@4.2.0
No upgrade or patch available
✗ Arbitrary File Write via Archive Extraction (Zip Slip) [Medium Severity][https://snyk.io/vuln/SNYK-JS-DECOMPRESSTAR-559095] in decompress-tar@4.1.1
introduced by rekit-core@3.0.0 > download-git-repo@1.1.0 > download@5.0.3 > decompress@4.2.0 > decompress-tar@4.1.1 and 2 other path(s)
No upgrade or patch available
✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-DOTPROP-543489] in dot-prop@4.2.0
introduced by sw-precache-webpack-plugin@1.0.0 > sw-precache@5.2.1 > update-notifier@2.5.0 > configstore@3.1.2 > dot-prop@4.2.0
This issue was fixed in versions: 5.1.1
✗ Use After Free [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-535497] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ Out-of-Bounds [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-535498] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ NULL Pointer Dereference [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-535502] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ Out-of-bounds Read [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540956] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ Out-of-bounds Read [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540958] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ Uncontrolled Recursion [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540964] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ NULL Pointer Dereference [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540974] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ Denial of Service (DoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540978] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ Denial of Service (DoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540980] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ Out-of-bounds Read [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540990] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ NULL Pointer Dereference [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540992] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ NULL Pointer Dereference [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540994] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ Out-of-bounds Read [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540996] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ Out-of-Bounds [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-540998] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ Use After Free [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-541000] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available
✗ Out-of-bounds Read [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-541002] in node-sass@4.13.1
introduced by node-sass-chokidar@1.4.0 > node-sass@4.13.1
No upgrade or patch available

Organization: nrydevopswatch
Package manager: npm
Target file: package-lock.json
Project name: blackbird-scanner
Open source: no
Project path: /home/rbruscoe/dev/blackbird-scanner
Licenses: enabled

Run snyk wizard to address these issues.

supnate (Owner) commented Mar 7, 2020

Hello, are you using rekit 2.x? For 3.x rekit-core is no longer a dependency of the projects.

nrydevopswatch (Author) commented

I'm using Rekit 3.0.0 and I followed the instructions to build it on your README.md for a new project.

nrydevopswatch (Author) commented

I just removed Rekit-Core 3.0.0 from the 'package.json', deleted the 'package-lock.json' and the 'node_modules' folder, then did a fresh 'npm install' and tried 'npm start', but it failed with several errors saying it could not find the 'rekit-core' dependency.
