This repository has been archived by the owner on Apr 13, 2023. It is now read-only.

Medium security vulnerability with gatsby-plugin-printer dependencies #127

Open
heitorlessa opened this issue Jun 24, 2020 · 6 comments

@heitorlessa

heitorlessa commented Jun 24, 2020

Hey team,

I'm getting CVE alerts about semver and bl dependencies that are used by gatsby-plugin-printer all the way down to LevelUp who removed that as a dependency.

Is there anything I can help to get this sorted?

Update: I'm using the latest version "gatsby-theme-apollo-docs": "^4.2.11"

Thanks a lot!

@heitorlessa
Author

heitorlessa commented Jun 24, 2020

Npm audit output

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.3.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-theme-apollo-docs                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-theme-apollo-docs > gatsby-plugin-printer >           │
│               │ rollup-plugin-node-builtins > browserify-fs > levelup >      │
│               │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/31                              │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ bl                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.9.5 <1.0.0 || >=1.0.1                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-theme-apollo-docs                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-theme-apollo-docs > gatsby-plugin-printer >           │
│               │ rollup-plugin-node-builtins > browserify-fs > levelup > bl   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/596                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

Dependency trail issue tracker:

@srepollock

To be honest, browserify-fs' owner doesn't appear to be available to merge. Update the dependency to my version (in the PR) for an updated version.

@trevorblades
Contributor

@srepollock did you release your own version of browserify-fs? I'm looking at the PR but it's not clear to me what I need to install.

@srepollock

@trevorblades I've updated that thread with an explanation and temporary solution if you want to go ahead and give that a try, let me know what you find too

@heitorlessa
Author

Following up on this as I'm not sure if there's anything I can do as an Apollo-docs theme to address this

cc @trevorblades

@heitorlessa
Author

Switched to Yarn now and am forcing certain versions in downstream dependencies, as they cropped up to 5 vulnerabilities since this report.

...
    "dependencies": {
        "@aws-amplify/analytics": "^3.3.6",
        "antd": "^4.7.0",
        "aws-amplify": "^3.3.3",
        "gatsby": "^2.24.77",
        "gatsby-plugin-antd": "^2.2.0",
        "gatsby-plugin-catch-links": "^2.3.15",
        "gatsby-plugin-sitemap": "^2.4.16",
        "gatsby-remark-autolink-headers": "^2.3.15",
        "gatsby-theme-apollo-docs": "^4.5.3",
        "react": "^16.13.1",
        "react-dom": "^16.13.1"
    },
    "resolutions": {
        "graphql": "^14.7.0", <-- latest gatsby and amplify conflict
        "bl": "^4.0.3",  <-- apollo theme docs downstream high vuln.
        "semver": "^7.3.2",   <-- same as above
        "node-fetch": "^2.6.1"   <-- same as above but medium vuln.
    },
...


3 participants