[wordpress/scripts] 5 high severity vulnerabilities #63771

Closed
2 tasks done
kjroelke opened this issue Jul 20, 2024 · 5 comments · Fixed by #67708
Labels
[Status] In Progress Tracking issues with work in progress [Tool] WP Scripts /packages/scripts [Type] Bug An existing feature does not function as intended

Comments

@kjroelke

Description

Installing @wordpress/scripts package throws vulnerability errors with npm.

Terminal responds with “5 high severity issues” that appear to stem from ws, puppeteer-core, and lighthouse.

What I’ve tried:

  • Running npm audit fix --force downgrades @wordpress/scripts to v19.2.4, unsurprisingly causing 47 other vulnerabilities.
  • Using the overrides param in package.json fixes the issue.
"overrides": {
  "ws": "^8.18.0",
  "lighthouse": "^12.1.0",
  "puppeteer-core": "^22.13.1"
}

Step-by-step reproduction instructions

  1. run npm install @wordpress/scripts or go through npx @wordpress/create-block
  2. run npm audit

Screenshots, screen recording, code snippet

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix --force`
Will install @wordpress/[email protected], which is a breaking change
node_modules/lighthouse/node_modules/puppeteer-core/node_modules/ws
node_modules/puppeteer-core/node_modules/ws
  puppeteer-core  11.0.0 - 22.11.1
  Depends on vulnerable versions of ws
  node_modules/lighthouse/node_modules/puppeteer-core
  node_modules/puppeteer-core
    @wordpress/scripts  >=20.0.0
    Depends on vulnerable versions of @wordpress/e2e-test-utils-playwright
    Depends on vulnerable versions of puppeteer-core
    node_modules/@wordpress/scripts
    lighthouse  9.6.1 - 11.5.0
    Depends on vulnerable versions of puppeteer-core
    node_modules/lighthouse
      @wordpress/e2e-test-utils-playwright  >=0.9.1-next.5a1d1283.0
      Depends on vulnerable versions of lighthouse
      node_modules/@wordpress/e2e-test-utils-playwright

Environment info

Unsure if this bit matters, but for what it's worth:

  • Tested on 2 MacBook Pros with macOS 14.5 (Sonoma) with (respectively) i9 and M1 architecture
  • Node versions ^20 and ^22
  • npm versions 10.7 & ^10.8.0

Please confirm that you have searched existing issues in the repo.

  • Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

  • Yes
@kjroelke kjroelke added the [Type] Bug An existing feature does not function as intended label Jul 20, 2024
@Mamaduka Mamaduka added the [Tool] WP Scripts /packages/scripts label Jul 22, 2024
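As an added example (not code from the issue author or from the Gutenberg repository), the script below works from the JSON form of the same report (`npm audit --json`, auditReportVersion 2) instead of the text output quoted above. It separates root-cause packages (entries whose `via` carries advisory objects) from packages that merely depend on them, flags when npm's own proposed fix is a semver-major change to a different top-level package (the `npm audit fix --force` downgrade to v19 described in the issue), and refuses any proposed override that still sits inside the vulnerable range. The sample report is constructed to mirror the quoted output; the patched versions are the ones from the overrides block in the description. Function names and the sample data are assumptions.

```javascript
// Added example, not part of the issue or the @wordpress/scripts package.
// Input: an `npm audit --json` report (auditReportVersion 2), constructed below.

// Minimal version handling: strips a leading ^ ~ = or v, drops pre-release tags.
function parseVersion(v) {
  return v.replace(/^[\^~=v]/, '').split('-')[0].split('.').map(Number);
}
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Supports only the two range shapes npm audit printed in this thread:
// "8.0.0 - 8.17.0" (inclusive hyphen range) and "<6.0.6". Anything else throws
// rather than being silently treated as safe.
function inVulnerableRange(version, range) {
  const hyphen = range.match(/^(\S+)\s+-\s+(\S+)$/);
  if (hyphen) {
    return compareVersions(version, hyphen[1]) >= 0 && compareVersions(version, hyphen[2]) <= 0;
  }
  const lt = range.match(/^<(\S+)$/);
  if (lt) return compareVersions(version, lt[1]) < 0;
  throw new Error(`unsupported range syntax: ${range}`);
}

// Root causes are packages whose `via` contains advisory objects. Packages whose
// `via` is only package-name strings just depend on a vulnerable version.
function rootCauses(report) {
  const out = {};
  for (const [name, vuln] of Object.entries(report.vulnerabilities)) {
    const advisories = vuln.via.filter((v) => typeof v === 'object');
    if (advisories.length) {
      out[name] = { range: vuln.range, advisories: advisories.map((a) => a.url), fixAvailable: vuln.fixAvailable };
    }
  }
  return out;
}

// Build a package.json "overrides" object from caller-supplied patched versions.
// `patched` maps package name -> version spec, e.g. { ws: '^8.18.0' }.
function planOverrides(report, patched) {
  const plan = { overrides: {}, rejected: {}, forceDowngrades: [] };
  for (const [name, info] of Object.entries(rootCauses(report))) {
    const fix = info.fixAvailable;
    // npm's fix changes a *different* package across a major version: the trap in the issue.
    if (fix && typeof fix === 'object' && fix.isSemVerMajor && fix.name !== name) {
      plan.forceDowngrades.push(`${fix.name}@${fix.version}`);
    }
    const want = patched[name];
    if (!want) continue;
    if (inVulnerableRange(want, info.range)) plan.rejected[name] = want;
    else plan.overrides[name] = want;
  }
  return plan;
}

// Constructed sample shaped like the report behind the text output quoted in the issue.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    ws: {
      name: 'ws', severity: 'high', isDirect: false,
      via: [{ source: 0, name: 'ws', dependency: 'ws',
              title: 'ws affected by a DoS when handling a request with many HTTP headers',
              url: 'https://github.com/advisories/GHSA-3h5v-q93c-6h6q', severity: 'high', range: '8.0.0 - 8.17.0' }],
      effects: ['puppeteer-core'], range: '8.0.0 - 8.17.0',
      nodes: ['node_modules/puppeteer-core/node_modules/ws',
              'node_modules/lighthouse/node_modules/puppeteer-core/node_modules/ws'],
      fixAvailable: { name: '@wordpress/scripts', version: '19.2.4', isSemVerMajor: true },
    },
    'puppeteer-core': {
      name: 'puppeteer-core', severity: 'high', isDirect: false, via: ['ws'],
      effects: ['lighthouse', '@wordpress/scripts'], range: '11.0.0 - 22.11.1',
      nodes: ['node_modules/puppeteer-core'],
      fixAvailable: { name: '@wordpress/scripts', version: '19.2.4', isSemVerMajor: true },
    },
  },
};

const plan = planOverrides(sampleReport, { ws: '^8.18.0', 'puppeteer-core': '^22.13.1' });
console.log(JSON.stringify(plan, null, 2));
```

On this sample the plan contains a single override, `ws: "^8.18.0"`, because ws is the only package with an advisory attached; puppeteer-core is listed only as a dependent and is left alone. The `forceDowngrades` entry shows what `npm audit fix --force` would do instead. Overrides are honoured by npm 8.3 and later and apply to every copy of the package in the tree regardless of the range its dependents declare, so pinning extra packages (puppeteer-core, lighthouse) as the issue does forces newer versions on the e2e tooling that consumes them and is worth re-testing.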
@rohjay

rohjay commented Aug 30, 2024

Thanks for raising this, @kjroelke 👍

@leup

leup commented Oct 4, 2024

Thanks @kjroelke! Any news on a fix for this?

@kjroelke (Author)

kjroelke commented Oct 6, 2024

@leup besides adding the "overrides" param in your package.json file, no.

For what it's worth, I noticed that v30.0.2 seems to fix part of this problem, but as I've worked with it, the vulnerabilities still exist, so there must be some peer dependency that still requires an insecure version of puppeteer-core.

I'm not a contributor (yet) and I have no experience with Docker or WP-CLI (yet) so I can't open a PR (yet 😂) and I'm hoping to level up my skills to begin to contribute! Or at least get things started. I am also inexperienced with mono-repo architecture and I just had my first child, so it may be a while for me before I can really begin to contribute with anything besides Issues and comments 😅

@hueitan

hueitan commented Nov 27, 2024

It shows up slightly differently in my case: it will downgrade to @wordpress/[email protected] if I run npm audit fix --force, which is version 1, and that doesn't make sense to me.

cross-spawn  <6.0.6
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix --force`
Will install @wordpress/[email protected], which is a breaking change
node_modules/cross-spawn
  @wordpress/scripts  >=1.0.1-0
  Depends on vulnerable versions of cross-spawn
  node_modules/@wordpress/scripts

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/lighthouse/node_modules/puppeteer-core/node_modules/ws
  puppeteer-core  11.0.0 - 22.11.1
  Depends on vulnerable versions of ws
  node_modules/lighthouse/node_modules/puppeteer-core

@kjroelke (Author)

@hueitan the overrides parameter still fixes this issue, and I don't know if what you're working on is compatible with the latest version of the vulnerable dependencies.

Here's my latest overrides object in package.json for "@wordpress/scripts": "^30.6.0":

"overrides": {
  "cookie": "^1.0.1",
  "cross-spawn": "^7.0.6",
  "puppeteer-core": "^23.9.0"
}

I see that PR #64597 attempted to fix the puppeteer-core I originally brought up, and some other package in the monorepo must still depend on a vulnerable version because npm i @wordpress/scripts still comes with a host of high severity issues (including the puppeteer-core one)
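The last two comments report that the audit still lists vulnerable copies even after the package was bumped, which is what happens when a nested copy (for example node_modules/lighthouse/node_modules/puppeteer-core/node_modules/ws) is still resolved to an old version. As an added example (not code from the issue author or from the Gutenberg repository), the script below reads a package-lock.json (lockfileVersion 2 or 3 "packages" layout) after `npm install` has been re-run with the overrides in place and lists every installed copy of an overridden package, nested copies included, that does not satisfy its override. The lockfile is constructed to use the nested paths quoted in the issue, the overrides are the ones from the comment above, and the function names are assumptions.

```javascript
// Added example, not part of the issue or the @wordpress/scripts package.
// Input: a package-lock.json object and the "overrides" map from package.json.

function parseVersion(v) {
  return v.replace(/^[\^~=v]/, '').split('-')[0].split('.').map(Number);
}
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Caret semantics for major >= 1: ^X.Y.Z means >= X.Y.Z and < (X+1).0.0.
// A bare version must match exactly. Other specs throw so nothing is silently
// counted as satisfied.
function satisfiesOverride(version, override) {
  if (override.startsWith('^')) {
    const base = parseVersion(override);
    if (base[0] === 0) throw new Error('caret on a 0.x version is not handled in this example');
    return compareVersions(version, override) >= 0 && parseVersion(version)[0] === base[0];
  }
  if (/^\d/.test(override)) return compareVersions(version, override) === 0;
  throw new Error(`unsupported override spec: ${override}`);
}

// Walk every installed package. The package name is whatever follows the last
// "node_modules/" in the path, so scoped names keep their "@scope/" prefix and
// nested copies are visited just like top-level ones.
function residualCopies(lock, overrides) {
  const residual = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.replace(/^.*node_modules\//, '');
    if (!(name in overrides) || !entry.version) continue;
    if (!satisfiesOverride(entry.version, overrides[name])) {
      residual.push({ path, version: entry.version, override: overrides[name] });
    }
  }
  return residual;
}

// Constructed sample: a lockfile where the top-level copies were updated but the
// copies nested under lighthouse were not.
const sampleOverrides = { ws: '^8.18.0', 'puppeteer-core': '^23.9.0' };
const sampleLock = {
  name: 'my-block', lockfileVersion: 3,
  packages: {
    '': { name: 'my-block', devDependencies: { '@wordpress/scripts': '^30.6.0' } },
    'node_modules/@wordpress/scripts': { version: '30.6.0' },
    'node_modules/ws': { version: '8.18.0' },
    'node_modules/puppeteer-core': { version: '23.9.0' },
    'node_modules/lighthouse': { version: '11.5.0' },
    'node_modules/lighthouse/node_modules/puppeteer-core': { version: '22.11.1' },
    'node_modules/lighthouse/node_modules/puppeteer-core/node_modules/ws': { version: '8.17.0' },
  },
};

const leftovers = residualCopies(sampleLock, sampleOverrides);
for (const r of leftovers) console.log(`${r.path}: ${r.version} does not satisfy ${r.override}`);
```

Against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and `sampleOverrides` with the `overrides` field of package.json. An empty result means every copy in the tree, nested or not, now resolves to the overridden version; a non-empty result pinpoints the path that `npm audit` is still complaining about.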
