npm audit - moderate vulnerabilities in deep json-schema dependency #434

perry-mitchell · 2021-11-22T09:45:04Z

Getting a handful of vulnerability warnings with this package when running npm audit on the latest version:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > node-gyp > request >           │
│               │ http-signature > jsprim > json-schema                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > @npmcli/run-script > node-gyp  │
│               │ > request > http-signature > jsprim > json-schema            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > pacote > @npmcli/run-script >  │
│               │ node-gyp > request > http-signature > jsprim > json-schema   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > @npmcli/arborist > pacote >    │
│               │ @npmcli/run-script > node-gyp > request > http-signature >   │
│               │ jsprim > json-schema                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > @npmcli/arborist >             │
│               │ @npmcli/metavuln-calculator > pacote > @npmcli/run-script >  │
│               │ node-gyp > request > http-signature > jsprim > json-schema   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ json-schema is vulnerable to Prototype Pollution             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ json-schema                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @semantic-release/npm [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @semantic-release/npm > npm > libnpmexec > @npmcli/arborist  │
│               │ > @npmcli/metavuln-calculator > pacote > @npmcli/run-script  │
│               │ > node-gyp > request > http-signature > jsprim > json-schema │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-896r-f27r-55mw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

With no clear way to fix this.

The text was updated successfully, but these errors were encountered:

closes semantic-release#434 relates semantic-release#270

antongolub · 2021-12-22T20:46:21Z

cc @travi , @gr2m

Suggestion: remove npm dependency. I still believe that the plugin always invokes global npm, so this dependency is completely useless.

Have a look:

npm/lib/publish.js

Line 23 in 708c29b

const result = execa(

npm is called via execa. It is just a wrapper for child_process.exec by default. cp uses $PATH to find util ref, and it knows absolutely nothing about node_modules/.bin/npm.

git clone ... && npm i
npm -v
6.14.13

node -e "console.log(require('execa').sync('npm', ['-v']).stdout)"
6.14.13

node -e "console.log(require('./node_modules/npm/package.json').version)"
7.24.2

if we want execa to call the plugins's own npm version, we should pass preferlocal option.

node -e "console.log(require('execa').sync('npm', ['-v'], {preferLocal: true}).stdout)"
7.24.2

gr2m · 2021-12-23T05:23:20Z

We had this discussion before, I think more than once. I don't have the time to dig it out.

It would be good if we could document the reasoning so that the same discussion doesn't pop up again

antongolub · 2021-12-23T05:43:19Z

@gr2m, @travi,

from [email protected], preferLocal is set to false by default. The plugin uses ^5.0.0 now.

I have some time to dig )
#177, 2 Jul 2019, execa 1.0.0 → 2.0.2

https://github.com/sindresorhus/execa/releases/tag/v2.0.0
sindresorhus/execa#314
sindresorhus/execa@eb22ff7

kf6kjg · 2023-02-07T18:56:33Z

They've gone from moderate to high. The following is after a fresh checkout of master.

$ npm ci
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: https://about.codecov.io/blog/codecov-uploader-deprecation-plan/
npm WARN deprecated [email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

added 1169 packages, and audited 1380 packages in 41s

215 packages are looking for funding
  run `npm fund` for details

9 vulnerabilities (5 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

$ npm outdated
Package          Current  Wanted  Latest  Location                      Depended by
aggregate-error    3.1.0   3.1.0   4.0.1  node_modules/aggregate-error  npm
ava                5.1.0   5.1.0   5.2.0  node_modules/ava              npm
execa              5.1.1   5.1.1   6.1.0  node_modules/execa            npm
got               11.8.6  11.8.6  12.5.3  node_modules/got              npm
normalize-url      6.1.0   6.1.0   8.0.0  node_modules/normalize-url    npm
npm               8.19.3  8.19.3   9.4.1  node_modules/npm              npm
p-retry            4.6.2   4.6.2   5.1.2  node_modules/p-retry          npm
read-pkg           5.2.0   5.2.0   7.1.0  node_modules/read-pkg         npm
tempy              1.0.1   1.0.1   3.0.0  node_modules/tempy            npm
xo                0.36.1  0.36.1  0.53.1  node_modules/xo               npm

$ npm audit
# npm audit report

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/xo/node_modules/glob-parent
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/xo/node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/xo/node_modules/globby
      xo  0.4.0 - 0.41.0
      Depends on vulnerable versions of globby
      Depends on vulnerable versions of update-notifier
      node_modules/xo

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/package-json/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

http-cache-semantics  <4.1.1
Severity: moderate
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix`
node_modules/npm/node_modules/http-cache-semantics

9 vulnerabilities (5 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

antongolub added a commit to antongolub-forks/semantic-release-npm that referenced this issue Dec 22, 2021

fix: drop useless npm dependency

f43c57d

closes semantic-release#434 relates semantic-release#270

antongolub linked a pull request Dec 22, 2021 that will close this issue

fix: drop npm dependency #444

Open

antongolub mentioned this issue Dec 23, 2021

fix: add preferLocal option to allow execa to use local npm version #445

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

npm audit - moderate vulnerabilities in deep json-schema dependency #434

npm audit - moderate vulnerabilities in deep json-schema dependency #434

perry-mitchell commented Nov 22, 2021

antongolub commented Dec 22, 2021 •

edited

Loading

gr2m commented Dec 23, 2021

antongolub commented Dec 23, 2021 •

edited

Loading

kf6kjg commented Feb 7, 2023

npm audit - moderate vulnerabilities in deep json-schema dependency #434

npm audit - moderate vulnerabilities in deep json-schema dependency #434

Comments

perry-mitchell commented Nov 22, 2021

antongolub commented Dec 22, 2021 • edited Loading

gr2m commented Dec 23, 2021

antongolub commented Dec 23, 2021 • edited Loading

kf6kjg commented Feb 7, 2023

antongolub commented Dec 22, 2021 •

edited

Loading

antongolub commented Dec 23, 2021 •

edited

Loading