Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

High severity vulnerabilities #3285

Closed
alexkuc opened this issue Jan 5, 2021 · 15 comments
Closed

High severity vulnerabilities #3285

alexkuc opened this issue Jan 5, 2021 · 15 comments
Labels
dependencies type:bug version:3.2.x

Comments

@alexkuc
Copy link
Contributor

alexkuc commented Jan 5, 2021

Cloning repository via npm mentions the following:

found 2 high severity vulnerabilities

Running npm audit reveals the following:


                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browser-sync > localtunnel > axios                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1594                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ bundlewatch [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ bundlewatch > axios                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1594                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 high severity vulnerabilities in 1425 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

I know that browsersync is used only for development and is not part of dist files. What about bundlewatch? Is it used inside dist files or not?

Reading description of bundlewatch leads me to believe it is used as a dev tool and as such, is not part of the dist files but I'd like to double check to be sure.
@danny007in
Copy link
Collaborator

Probably it might be issue with dependabot,
Need manual bump of npm dependency

@REJack
Copy link
Collaborator

REJack commented Jan 6, 2021

There is no problem with dependabot, but the bundlewatch package has no new update to fix this. There is literally no fix this right now.

@alexkuc
Copy link
Contributor Author

alexkuc commented Jan 6, 2021

I'll leave these links here as they directly address the affected dependencies:

@danny007in
Copy link
Collaborator

Fixed in 51f243e

@REJack REJack reopened this Jan 11, 2021
@REJack REJack closed this as completed Jan 11, 2021
@REJack REJack reopened this Jan 11, 2021
@REJack
Copy link
Collaborator

REJack commented Jan 11, 2021

No only one of the two is fixed.

@REJack
Copy link
Collaborator

REJack commented Jan 19, 2021

@XhmikosR Should we wait for bundlewatch updates the package or can I release AdminLTE v3.1.0?

@XhmikosR
Copy link
Contributor

Bundlewatch is a devDependency so I'd say it shouldn't block you. The rest of the plugins issues is what I"m personally worried about...

@XhmikosR
Copy link
Contributor

Ah, wait, this issue is about the devDependency vulnerabilities. I wouldn't wait because there's no sign this could be fixed soon. Let alone I doubt this issue affects AdminLTE.

At some point, if https://github.com/jackyef/bundlewatch-gh-action matures, I personally plan to move to this. Right now, it has some issues, although it works. I have a WIP upstream branch, but I'm waiting for a new version.

@danny007in
Copy link
Collaborator

@alexkuc its common in every node projects,
also it never ending story,
i mean this kind of issues.
Because after fixing this issue,
again new issue like this will come,
check https://stackoverflow.com/questions/50243901/found-4-vulnerabilities-on-npm-install

@alexkuc
Copy link
Contributor Author

alexkuc commented Jan 22, 2021

@danny007in @REJack

I am not sure if closing this issue is the right way to go. After all, bugs happen in software all the time and it's not a reason not to fix them.

Also, it is somewhat unappealing when you install a 3rd party dependency, get a massive red warning "Security vulnerability found", open the issue tracker for the software and find the issue closed because "this happens all the time".

It's my opinion, I could be wrong but other popular JS packages generally do not close security-related issues because they happen all the time.

Also, in the SO link you gave, the accepted answer shows a GH issue (karma-runner/karma#2994) where the vulnerability was in fact fixed.

@XhmikosR XhmikosR reopened this Jan 22, 2021
@XhmikosR
Copy link
Contributor

This a pretty serious issue. Many of the plugins have security issues and this is unrelated to the npm vulnerabilities.

@REJack
Copy link
Collaborator

REJack commented Jan 27, 2021

Now this is fixed 😄 bundlewatch is updated 0.3.1.

@REJack
Copy link
Collaborator

REJack commented Jan 27, 2021

@XhmikosR I'm thinking about to remove the plugins folder and use CDN's with AdminLTE v4.0.0, this sould help 🤣.

@XhmikosR
Copy link
Contributor

Totally unrelated, though. The plugins do have potential security issues. The idea isn't to hide this fact, but instead report them upstream and get them fixed.

@REJack
Copy link
Collaborator

REJack commented Jan 27, 2021

Ok I will remove/replace about ~80% of the plugins with the change to remove jQuery from AdminLTE, then we need to check it again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
dependencies type:bug version:3.2.x
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@XhmikosR @REJack @alexkuc @danny007in