Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

jest-resolve transitively pulls in a moderate npm audit issue #11379

Closed
glasser opened this issue May 6, 2021 · 4 comments
Closed

jest-resolve transitively pulls in a moderate npm audit issue #11379

glasser opened this issue May 6, 2021 · 4 comments

Comments

@glasser
Copy link

glasser commented May 6, 2021

An npm advisory in hosted-git-info was posted this morning. This leads npm audit to report moderate severity vulnerabilities in the current version of jest, 26.6.5 (and it can only suggest rolling back to [email protected], which does not actually help). Specifically, this comes from jest's use of read-pkg-up.

My guess is it's not super likely that this presents a serious security threat in the jest context, but it's nice to keep one's tree free of audit issues when feasible.

Reproduction:

glasser@dsg-mbp 0 10:55:47 /tmp $ mkdir jest-audit
glasser@dsg-mbp 0 10:55:48 /tmp $ cd jest-audit
glasser@dsg-mbp 0 10:55:50 /tmp/jest-audit $ npm i [email protected]
npm WARN deprecated [email protected]: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

added 537 packages, and audited 537 packages in 12s

24 packages are looking for funding
  run `npm fund` for details

16 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
glasser@dsg-mbp 0 10:56:18 /tmp/jest-audit $ npm audit
# npm audit report

hosted-git-info  <3.0.8
Severity: moderate
Regular Expression Deinal of Service - https://npmjs.com/advisories/1677
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/hosted-git-info
  normalize-package-data  2.0.0 - 2.5.0
  Depends on vulnerable versions of hosted-git-info
  node_modules/normalize-package-data
    read-pkg  <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/read-pkg
      read-pkg-up  <=7.0.1
      Depends on vulnerable versions of read-pkg
      node_modules/read-pkg-up
        jest-resolve  25.4.0 - 26.4.0 || 26.5.2 - 26.6.2
        Depends on vulnerable versions of read-pkg-up
        node_modules/jest-resolve
          @jest/core  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/@jest/core
            jest  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of @jest/core
            node_modules/jest
          @jest/reporters  25.4.0 - 25.5.1 || 26.5.2 - 26.6.2
          Depends on vulnerable versions of jest-resolve
          node_modules/@jest/reporters
          jest-config  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-config
            jest-cli  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-config
            node_modules/jest-cli
          jest-runner  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-runner
          jest-runtime  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-runtime
            @jest/test-sequencer  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-runtime
            node_modules/@jest/test-sequencer
            jest-jasmine2  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-runtime
            node_modules/jest-jasmine2
          jest-snapshot  25.4.0 - 25.5.1 || 26.5.2 - 26.6.2
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-snapshot
            jest-resolve-dependencies  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-snapshot
            node_modules/jest-resolve-dependencies

16 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
@SimenB
Copy link
Member

SimenB commented May 6, 2021

We have migrated from read-pkg-up to escalade in Jest 27, so this is not a problem on master (#10781) - you can install jest@next if you want. Not sure when a stable release is coming (I've made some broken half-promises before, so I won't do that again 🙂), but hopefully soon-ish

@jansepke
Copy link

jansepke commented May 7, 2021

@SimenB would it be an option to backport commit aec8573 to version 26 ? Would be better then using a beta version to fix a security finding. Or is soon-ish in the next 1-2 weeks? 😉

@SimenB
Copy link
Member

SimenB commented May 7, 2021

No, we landed it in v26 first, but had to revert it as was a breaking change (due to bugs later fixed, but I'm hesitant to try again, and the overhead of making releases is not negligible, and false positives from tooling is not high on my list of priorities).

Or is soon-ish in the next 1-2 weeks?

I hope so! You can see the milestone. I think I'll push most of those for 28 just to get 27 out though, except for #11263, #10577 and #11167 (PRs for the latter ones welcome 👍). So 1-2 weeks? Possibly

@github-actions
Copy link

github-actions bot commented Jun 7, 2021

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 7, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

3 participants