PR for Static Analysis Tool retire.js #29
Overview
Find Documentation on Retire.js here: https://retirejs.github.io/retire.js/
Retire.js: see the package.json changes; these demonstrate that retire.js was successfully installed.
When running: npx retire > retire-output.txt
This identified multiple potential vulnerabilities with the new tool. The output was robust, but concluded with a recommendations section:
Recommendation
Upgrade to version 1.9.0 or later., CVE: CVE-2020-7656, githubID: GHSA-q4m3-2j7h-f7xw; GHSA-q4m3-2j7h-f7xw https://nvd.nist.gov/vuln/detail/CVE-2020-7656 https://research.insecurelabs.org/jquery/test/
severity: medium; summary: 3rd party CORS request may execute, issue: 2432, CVE: CVE-2015-9251, githubID: GHSA-rmxg-73gg-4p98; http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ http://research.insecurelabs.org/jquery/test/ https://bugs.jquery.com/ticket/11974 GHSA-rmxg-73gg-4p98 jquery/jquery#2432 https://nvd.nist.gov/vuln/detail/CVE-2015-9251
severity: low; summary: jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates, retid: 73, issue: 162; jquery/jquery.com#162
severity: medium; summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution, CVE: CVE-2019-11358, PR: 4333, githubID: GHSA-6c3j-c64m-qhgq; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ jquery/jquery@753d591 https://nvd.nist.gov/vuln/detail/CVE-2019-11358
severity: medium; summary: passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code., CVE: CVE-2020-11023, issue: 4647, githubID: GHSA-jpcq-cgw6-v4j6; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
severity: medium; summary: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS, CVE: CVE-2020-11022, issue: 4642, githubID: GHSA-gxr4-xjj5-5px2; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
/Users/micha/Documents/17313/nodebb-f24-team-craig-street-chipotle/node_modules/nodebb-plugin-emoji/build/acp/admin.js
↳ svelte 4.2.0
svelte 4.2.0 has known vulnerabilities: severity: medium; summary: Svelte has a potential mXSS vulnerability due to improper HTML escaping, CVE: CVE-2024-45047, githubID: GHSA-8266-84wp-wv5c; GHSA-8266-84wp-wv5c GHSA-8266-84wp-wv5c https://nvd.nist.gov/vuln/detail/CVE-2024-45047 sveltejs/svelte@83e96e0 https://github.com/sveltejs/svelte
Summary
From this output some of the main concerns are:
I. Summary: we could benefit greatly from upgrading some of the current tools to protect stability, as well as conducting unit testing for some of the vulnerabilities listed.
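As an added example (not code from this PR or from retire.js), the triage step a CI job would run over the tool's machine-readable report (`npx retire --outputformat json`) to turn findings like those above into a per-component upgrade target and a pass/fail decision. The report shape is assumed from retire.js's JSON output; the sample report is constructed here from the jQuery and svelte findings quoted in the PR, and the jquery file path and version in it are placeholders.

```javascript
// Severity names as retire.js emits them, ranked so a threshold can be applied.
const SEVERITY_RANK = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };

// Numeric dotted-version compare, enough for the "below" bounds retire.js reports.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// One row per affected component: CVEs at or above minSeverity, and the smallest
// version clearing all of them (the highest "below" bound among the hits).
function triageRetireReport(report, minSeverity = 'medium') {
  const threshold = SEVERITY_RANK[minSeverity];
  const rows = [];
  for (const entry of report.data || []) {
    for (const result of entry.results || []) {
      const hits = (result.vulnerabilities || [])
        .filter((v) => (SEVERITY_RANK[v.severity] ?? 0) >= threshold);
      if (hits.length === 0) continue;
      rows.push({
        file: entry.file, component: result.component, version: result.version,
        cves: hits.flatMap((v) => (v.identifiers && v.identifiers.CVE) || []),
        upgradeTo: hits.map((v) => v.below).filter(Boolean).sort(compareVersions).pop(),
      });
    }
  }
  return rows;
}

// Non-zero when anything met the threshold, so a CI step can fail the build.
function exitCodeFor(rows) {
  return rows.length > 0 ? 1 : 0;
}

// Constructed sample mirroring the jQuery and svelte findings quoted in this PR;
// the jquery path and version are placeholders, not values from the repo.
const SAMPLE_REPORT = { data: [
  { file: 'public/vendor/jquery.js', results: [{ component: 'jquery', version: '1.8.3',
    vulnerabilities: [
      { severity: 'medium', below: '1.9.0', identifiers: { CVE: ['CVE-2020-7656'] } },
      { severity: 'low', identifiers: { summary: 'jQuery 1.x and 2.x are End-of-Life' } },
      { severity: 'medium', below: '3.4.0', identifiers: { CVE: ['CVE-2019-11358'] } },
      { severity: 'medium', below: '3.5.0', identifiers: { CVE: ['CVE-2020-11023'] } },
    ] }] },
  { file: 'node_modules/nodebb-plugin-emoji/build/acp/admin.js', results: [{ component: 'svelte', version: '4.2.0', vulnerabilities: [{ severity: 'medium', identifiers: { CVE: ['CVE-2024-45047'] } }] }] },
] };
```

In a pipeline, read the real report with `JSON.parse(fs.readFileSync('retire-output.json'))` and set `process.exitCode = exitCodeFor(triageRetireReport(report, 'medium'))`; the low-severity End-of-Life notice is filtered out at that threshold but surfaces when it is lowered to `'low'`.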