netlify/cli

Latest version of cli is pulling in insecure packages that have available patches

Closed this issue · 5 comments

Describe the bug

npm/cli#7356 - the use of a shrinkwrap means that even though there are available patches for these vulnerabilities, we're not able to install them.

Current vulnerabilities:

`npm audit` output as of 2024-04-23
```text
❯ npm audit
# npm audit report

follow-redirects  <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/follow-redirects

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/tar

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/word-wrap

3 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix
```

Steps to reproduce

  1. Install cli locally (npm install netlify-cli)
  2. Run npm audit

Configuration

No response

Environment

Does not matter

Now there's a vulnerability in tar to update too: #6504

@sarahetter thanks for the quick turnaround on getting word-wrap updated! To help, I've updated the description of this issue with the current vulnerabilities along with their dependabot PRs that'll address them - let me know if there's anything else I can do to make it easier to get these addressed

@sarahetter thanks for such a fast turnaround - I've confirmed that the latest version of netlify-cli is no longer pulling in vulnerabilities:

```text
workspace/projects-scrap/net is 📦 v1.0.0 via  v20.11.0
❯ npm outdated
Package      Current   Wanted   Latest  Location                  Depended by
netlify-cli  17.22.1  17.23.0  17.23.0  node_modules/netlify-cli  net

workspace/projects-scrap/net is 📦 v1.0.0 via  v20.11.0 took 2s
❯ npm update netlify-cli

added 37 packages, removed 5 packages, and changed 83 packages in 11s

workspace/projects-scrap/net is 📦 v1.0.0 via  v20.11.0 took 10s
❯ npm audit
found 0 vulnerabilities

workspace/projects-scrap/net is 📦 v1.0.0 via  v20.11.0
❯ osv-detector-t .
Loaded the following OSV databases:
  npm (14443 vulnerabilities, including withdrawn - last updated Thu, 25 Apr 2024 22:49:44 GMT)

package-lock.json: found 1134 packages
  Using db npm (14443 vulnerabilities, including withdrawn - last updated Thu, 25 Apr 2024 22:49:44 GMT)

  no known vulnerabilities found
```

I assume you're happy for me to open a new issue with a similar format in future if new vulnerabilities come up, but let me know if there's another format you'd prefer 🙂

@G-Rath we've set up better tooling for us to notice these as they come up, thank you!

G-Rath commented

@sarahetter that new tooling doesn't seem to be working, since #6739 / #6704 have been open for a month now without any signs of attention from Netlify