Latest version of cli is pulling in insecure packages that have available patches
Closed this issue · 5 comments
Describe the bug
npm/cli#7356 - the use of a shrinkwrap means that even though there are available patches for these vulnerabilities, we're not able to install them.
Current vulnerabilities:

`npm audit` output as of 2024-04-23

```text
❯ npm audit
# npm audit report

follow-redirects  <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/follow-redirects

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/tar

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/word-wrap

3 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix
```
Steps to reproduce

- Install cli locally (`npm install netlify-cli`)
- Run `npm audit`
Configuration
No response
Environment
Does not matter
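A defender-side check for the situation the issue describes: the script below is an added example (not code from the netlify-cli project or from this issue) that parses `npm audit --json` output and separates findings the consuming project can patch with `npm audit fix` from findings installed under a dependency that ships its own npm-shrinkwrap.json, where only that dependency's maintainers can pick up the fix. The report it runs on is a constructed sample in the shape of npm 7+ JSON output (`auditReportVersion` 2), modelled on the three advisories quoted above; the `shrinkwrapped` set, the `owning_package`/`triage`/`summarize` names and the CI-gate framing are assumptions of this example.

```python
"""Triage `npm audit --json` output: which findings can the consumer fix, and
which are pinned inside a dependency's own npm-shrinkwrap.json (installed under
<dep>/node_modules/...), so the consumer's `npm audit fix` cannot replace them.

Added example, not netlify-cli code. SAMPLE_AUDIT_JSON is a constructed report
in the shape of npm 7+ `npm audit --json` output, built from the issue's advisories.
"""
import json


def _vuln(name, vrange, advisories, node):
    # Build one constructed entry of the report's `vulnerabilities` map.
    return {
        "name": name, "severity": "moderate", "isDirect": False,
        "via": [{"source": i, "name": name, "severity": "moderate",
                 "title": title, "url": url, "range": vrange}
                for i, (title, url) in enumerate(advisories, start=1)],
        "effects": [], "range": vrange, "nodes": [node], "fixAvailable": True,
    }


SAMPLE_AUDIT_JSON = json.dumps({  # constructed sample, see module docstring
    "auditReportVersion": 2,
    "vulnerabilities": {
        "follow-redirects": _vuln("follow-redirects", "<=1.15.5", [
            ("Follow Redirects improperly handles URLs in the url.parse() function",
             "https://github.com/advisories/GHSA-jchw-25xp-jwwc"),
            ("follow-redirects' Proxy-Authorization header kept across hosts",
             "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp"),
        ], "node_modules/netlify-cli/node_modules/follow-redirects"),
        "tar": _vuln("tar", "<6.2.1", [
            ("Denial of service while parsing a tar file due to lack of folders count validation",
             "https://github.com/advisories/GHSA-f5x3-32g6-xq36"),
        ], "node_modules/netlify-cli/node_modules/tar"),
        "word-wrap": _vuln("word-wrap", "<1.2.4", [
            ("word-wrap vulnerable to Regular Expression Denial of Service",
             "https://github.com/advisories/GHSA-j8xg-fqg3-53r7"),
        ], "node_modules/netlify-cli/node_modules/word-wrap"),
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 3,
                                     "high": 0, "critical": 0, "total": 3}},
})


def owning_package(node_path):
    """Package whose own node_modules tree contains this install path, or None
    for a top-level install that the consumer's lockfile controls.
    'node_modules/netlify-cli/node_modules/tar' -> 'netlify-cli'
    'node_modules/tar' -> None; scoped owners ('@scope/pkg') are handled.
    """
    chain = [p.rstrip("/") for p in node_path.split("node_modules/")[1:]]
    return chain[-2] if len(chain) >= 2 else None


def triage(report_json, shrinkwrapped=frozenset({"netlify-cli"})):
    """Parse an `npm audit --json` report into findings. `shrinkwrapped` lists
    dependencies known to ship npm-shrinkwrap.json (netlify-cli per the issue);
    a finding installed under one of them is reported as pinned upstream."""
    report = json.loads(report_json)
    findings = []
    for name, vuln in report["vulnerabilities"].items():
        # `via` mixes advisory objects with plain strings naming other vulnerable
        # packages this one depends on; only the objects carry advisory URLs.
        advisories = [v["url"] for v in vuln["via"] if isinstance(v, dict)]
        owners = {owning_package(n) for n in vuln["nodes"]}
        pinned_by = sorted(o for o in owners if o in shrinkwrapped)
        findings.append({
            "name": name, "severity": vuln["severity"], "range": vuln["range"],
            "advisories": advisories, "nodes": list(vuln["nodes"]),
            "pinned_by_shrinkwrap": pinned_by,
            # fixAvailable is True, False, or an object describing a semver-major fix
            "fixable_by_consumer": bool(vuln.get("fixAvailable")) and not pinned_by,
        })
    return findings


def summarize(findings):
    """Counts a CI gate can act on: total, fixable locally, blocked upstream (by whom)."""
    blocked = {}
    for f in findings:
        for owner in f["pinned_by_shrinkwrap"]:
            blocked.setdefault(owner, []).append(f["name"])
    return {"total": len(findings),
            "fixable_by_consumer": sum(1 for f in findings if f["fixable_by_consumer"]),
            "blocked_upstream": blocked}


if __name__ == "__main__":
    found = triage(SAMPLE_AUDIT_JSON)
    for f in found:
        status = ("run `npm audit fix`" if f["fixable_by_consumer"]
                  else "pinned by " + ", ".join(f["pinned_by_shrinkwrap"]))
        print(f"{f['severity']:<9}{f['name']} {f['range']}: {status}")
    print(summarize(found))
```

On a real project, feed `triage` the output of `npm audit --json` instead of the constructed sample; findings whose `pinned_by_shrinkwrap` is non-empty are the ones to raise with the upstream maintainer rather than retry locally, which is exactly the distinction this issue turns on.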
@sarahetter thanks for the quick turnaround on getting word-wrap updated! To help, I've updated the description of this issue with the current vulnerabilities along with their Dependabot PRs that'll address them - let me know if there's anything else I can do to make it easier to get these addressed
@sarahetter thanks for such a fast turnaround - I've confirmed that the latest version of netlify-cli is no longer pulling in vulnerabilities:

```text
workspace/projects-scrap/net is 📦 v1.0.0 via v20.11.0
❯ npm outdated
Package      Current   Wanted   Latest  Location                   Depended by
netlify-cli  17.22.1  17.23.0  17.23.0  node_modules/netlify-cli   net

workspace/projects-scrap/net is 📦 v1.0.0 via v20.11.0 took 2s
❯ npm update netlify-cli

added 37 packages, removed 5 packages, and changed 83 packages in 11s

workspace/projects-scrap/net is 📦 v1.0.0 via v20.11.0 took 10s
❯ npm audit
found 0 vulnerabilities

workspace/projects-scrap/net is 📦 v1.0.0 via v20.11.0
❯ osv-detector-t .
Loaded the following OSV databases:
  npm (14443 vulnerabilities, including withdrawn - last updated Thu, 25 Apr 2024 22:49:44 GMT)

package-lock.json: found 1134 packages
  Using db npm (14443 vulnerabilities, including withdrawn - last updated Thu, 25 Apr 2024 22:49:44 GMT)

  no known vulnerabilities found
```

I assume you're happy for me to open a new issue with a similar format in future if new vulnerabilities come up, but let me know if there's another format you'd prefer 🙂
@G-Rath we've set up better tooling for us to notice these as they come up, thank you!
@sarahetter that new tooling doesn't seem to be working, since #6739 / #6704 have been open for a month now without any signs of attention from Netlify