theintern/intern

Intern dependencies have vulnerabilities

Biboba opened this issue · 5 comments

Expected behavior

Installing intern with npm install intern should not install packages containing known vulnerabilities.

Current behavior

Installing intern with npm install intern installs packages containing 8 vulnerabilities (3 low, 5 high).
After installing intern and running npm audit, the following output is logged:

# npm audit report

axios  <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix --force`
Will install intern@4.2.4, which is a breaking change
node_modules/axios
  @theintern/common  *
  Depends on vulnerable versions of axios
  node_modules/@theintern/common
    @theintern/digdug  >=2.2.0
    Depends on vulnerable versions of @theintern/common
    node_modules/@theintern/digdug
    @theintern/leadfoot  >=2.2.0
    Depends on vulnerable versions of @theintern/common
    node_modules/@theintern/leadfoot
    intern  >=4.3.0
    Depends on vulnerable versions of @theintern/common
    Depends on vulnerable versions of handlebars
    node_modules/intern

minimist  <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix --force`
Will install intern@4.2.4, which is a breaking change
node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist
    handlebars  3.0.0 - 4.7.3
    Depends on vulnerable versions of optimist
    node_modules/handlebars
      intern  >=4.3.0
      Depends on vulnerable versions of @theintern/common
      Depends on vulnerable versions of handlebars
      node_modules/intern

8 vulnerabilities (3 low, 5 high)

Possible solution

Update intern dependencies

Steps to reproduce (for bugs)

  1. npm install intern
  2. npm audit

Environment

Intern version: 4.9.0
Node version: 15.7.0
NPM version: 7.4.3
Browser version:

Additional information

Thanks for this library!

@theintern/common has been updated to 0.2.4, which takes care of the significant vulnerabilities.

Thanks for your quick reply and for the fix!
Indeed, the "high" vulnerabilities are now gone, but 4 low ones still remain:

Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix --force`
Will install intern@4.8.0, which is a breaking change
node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist
    handlebars  3.0.0 - 4.7.3
    Depends on vulnerable versions of optimist
    node_modules/handlebars
      intern  4.3.6 || >=4.8.1
      Depends on vulnerable versions of handlebars
      node_modules/intern

As the dependency is ~4.5.3 and not ^4.5.3, that precludes consumers from using handlebars 4.6.0, so they're stuck with the vulnerable version.
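One way to check the pin problem raised above (and to make sense of the install-then-audit steps in the issue) without waiting for npm audit. This is an added example, not code from the intern project or from anyone in the thread. The vulnerable ranges are the ones npm audit printed here; the published version lists, the declared ranges (`~4.5.3`, `^4.5.3`, `~0.0.8`) and all function names are assumptions made up for illustration. It implements only the semver syntaxes that appear in the audit output (bare versions, comparators, `~`, `^`, `a - b` hyphen ranges and `||`), not node-semver's full grammar.

```javascript
// Added example (not code from the intern project or the original issue):
// decide whether a dependency pin can ever resolve to a version outside the
// range that npm audit flagged. Only the range syntaxes seen in the thread
// are handled, not the full node-semver grammar.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way comparison of parsed [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Expand one comparator into a list of [operator, bound] pairs.
function parseComparator(c) {
  if (c === '' || c === '*') return []; // matches everything
  let m;
  if ((m = /^~(.+)$/.exec(c))) {
    // ~x.y.z allows patch updates only: >=x.y.z <x.(y+1).0
    const v = parseVersion(m[1]);
    return [['>=', v], ['<', [v[0], v[1] + 1, 0]]];
  }
  if ((m = /^\^(.+)$/.exec(c))) {
    // ^x.y.z allows anything below the next non-zero leading component
    const v = parseVersion(m[1]);
    const [x, y, z] = v;
    const upper = x > 0 ? [x + 1, 0, 0] : y > 0 ? [0, y + 1, 0] : [0, 0, z + 1];
    return [['>=', v], ['<', upper]];
  }
  m = /^(>=|<=|>|<|=)?(.+)$/.exec(c);
  return [[m[1] || '=', parseVersion(m[2])]];
}

// A range is a list of "||" alternatives; every comparator in an
// alternative must hold for that alternative to match.
function parseRange(range) {
  return range.split('||').map((alt) => {
    const s = alt.trim();
    const hy = /^(\S+)\s+-\s+(\S+)$/.exec(s);
    if (hy) return [['>=', parseVersion(hy[1])], ['<=', parseVersion(hy[2])]];
    return s.split(/\s+/).flatMap(parseComparator);
  });
}

function satisfies(range, version) {
  const v = parseVersion(version);
  return parseRange(range).some((comparators) =>
    comparators.every(([op, bound]) => {
      const c = compare(v, bound);
      if (op === '>=') return c >= 0;
      if (op === '<=') return c <= 0;
      if (op === '>') return c > 0;
      if (op === '<') return c < 0;
      return c === 0;
    }),
  );
}

// The version npm would pick: the newest published version inside the range.
function highestSatisfying(range, published) {
  const ok = published
    .filter((v) => satisfies(range, v))
    .sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Is the pin stuck inside the flagged range, and could a looser pin escape it?
function assessPin({ name, declaredRange, vulnerableRange, published }) {
  const resolved = highestSatisfying(declaredRange, published);
  const clean = published.filter((v) => !satisfies(vulnerableRange, v));
  return {
    name,
    resolved,
    stillVulnerable: resolved !== null && satisfies(vulnerableRange, resolved),
    fixPublished: clean.length > 0,
    fixReachable: clean.some((v) => satisfies(declaredRange, v)),
  };
}

function verdict(r) {
  if (!r.stillVulnerable) return 'clean';
  if (!r.fixPublished) return 'no fix published yet';
  return r.fixReachable ? 'fix is in range but not newest' : 'STUCK: loosen the pin';
}

// Constructed inputs: the vulnerable ranges are the ones npm audit printed in
// this thread; the published version lists and declared ranges are made up
// for the example (use `npm view <pkg> versions --json` for real data).
const HANDLEBARS_PUBLISHED = ['4.5.3', '4.5.4', '4.6.0', '4.7.3', '4.7.4'];
const MINIMIST_PUBLISHED = ['0.0.8', '0.0.10', '0.2.1', '1.2.0', '1.2.3', '1.2.5'];
const PINS = [
  { name: 'handlebars ~', declaredRange: '~4.5.3', vulnerableRange: '3.0.0 - 4.7.3', published: HANDLEBARS_PUBLISHED },
  { name: 'handlebars ^', declaredRange: '^4.5.3', vulnerableRange: '3.0.0 - 4.7.3', published: HANDLEBARS_PUBLISHED },
  { name: 'minimist ~', declaredRange: '~0.0.8', vulnerableRange: '<0.2.1 || >=1.0.0 <1.2.3', published: MINIMIST_PUBLISHED },
];

function report(pins = PINS) {
  return pins.map(assessPin);
}

for (const r of report()) {
  console.log(`${r.name.padEnd(13)} resolves ${String(r.resolved).padEnd(7)} -> ${verdict(r)}`);
}
```

Run it with node. What it shows is the mechanism behind the complaint above: a tilde pin keeps resolving to a version inside the flagged range even after a clean release exists, whereas the caret pin on the same package picks up the fix on the next install. That is the situation the "fix available via `npm audit fix --force` ... breaking change" lines in the audit output describe: no tree compatible with the declared ranges contains a fixed handlebars, so the only automatic remedy npm can offer is to swap out the package that declares the pin.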

mxcl commented

I migrated away from this package because of this. More than 3 months with vulnerabilities? Umm… nice job.

Dependencies are being updated, but as Dan Abramov recently pointed out, npm audit's results are frequently not meaningful.