Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update dependencies (CI is failing #1038

Open
wants to merge 2 commits into
base: dev
Choose a base branch
from

Conversation

anonym-HPI
Copy link
Contributor

PR Checklist

Please make sure to fulfil the following conditions before marking this PR ready for review:

  • If this PR adds or changes features or fixes bugs, this has been added to the changelog
  • If this PR adds new actions or other ways to alter the state, test scenarios have been added

It seems that packages, like nyc are out of date and e.g. don't have the newest semver as dependency, which itself has a DDOS vurnerability.
We may need to find other packages for the same job.

Packages I found so far seem to be:

  • nyc
  • mkirp
  • ...

@Dassderdie @ClFeSc Can someone of you both help to fix this? E.g. mkdirp was introduced by you @ClFeSc for the npm run merge-coverage command.
I tried using npm audit fix --force or even installing packages manually, but as we are using packages that don't have a newer version, but seem to be dependent on a vurnerable semver version or so we probably need to use new packages or need to manually edit the dependencies of these packages and hope that nothing breaks.
It seems some packages are also dependent on an older version of semver (version 6), there seems to be @nicolo-ribaudo/semver-v6 used, which should include it.
I am not that into the whole npm package system.

This is for example the error output in the root folder:


# npm audit report

semver  <7.5.2    
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/semver
  istanbul-lib-instrument  >=1.2.0
  Depends on vulnerable versions of semver
  node_modules/istanbul-lib-instrument
    nyc  >=7.0.0-alpha.1
    Depends on vulnerable versions of caching-transform
    Depends on vulnerable versions of find-cache-dir
    Depends on vulnerable versions of istanbul-lib-instrument
    Depends on vulnerable versions of istanbul-lib-report
    Depends on vulnerable versions of istanbul-reports
    Depends on vulnerable versions of make-dir
    Depends on vulnerable versions of spawn-wrap
    node_modules/nyc
  make-dir  2.0.0 - 3.1.0
  Depends on vulnerable versions of semver
  node_modules/make-dir
    caching-transform  >=3.0.2
    Depends on vulnerable versions of make-dir
    node_modules/caching-transform
    find-cache-dir  2.1.0 - 3.3.2
    Depends on vulnerable versions of make-dir
    node_modules/find-cache-dir
    istanbul-lib-report  >=2.0.5
    Depends on vulnerable versions of make-dir
    node_modules/istanbul-lib-report
      istanbul-reports  >=3.0.0-alpha.0
      Depends on vulnerable versions of istanbul-lib-report
      node_modules/istanbul-reports
    spawn-wrap  >=2.0.0-beta.0
    Depends on vulnerable versions of make-dir
    node_modules/spawn-wrap

9 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force


@anonym-HPI anonym-HPI linked an issue Jul 10, 2023 that may be closed by this pull request
@Dassderdie
Copy link
Collaborator

I think all of the vulnerabilities are false positives. If a package that we use for e.g. linting or testing imports a package that has a DOS vulnerability we could only DOS ourselves (or make the CI take longer). In addition, it is enough to import a package that has this vulnerability. The affected function in this package doesn't even have to be used anywhere.

I believe this is a fix for it (backport to semver 6) npm/node-semver#593

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

update packages (dependency CI fails)
2 participants