
install(packages): overcome CVEs #89

Closed
wants to merge 3 commits into from

Conversation

bryanpaget

Manually installed the four packages according to the versions on the CVE site. Then I ran npm audit fix, then make build-local, then npm run dev.

Bryan Paget added 3 commits July 21, 2022 19:50
Manually installed the four packages according to the versions on the CVE site. Then I ran npm audit fix, then make build-local, then npm run dev.

Packages affected:

eventsource  <1.1.1
Severity: critical
Exposure of Sensitive Information in eventsource - GHSA-6h5x-7c5m-7cr7
fix available via
up to date, audited 1756 packages in 6s

58 packages are looking for funding
  run `npm fund` for details

# npm audit report

ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install istanbul-instrumenter-loader@2.0.0, which is a breaking change
node_modules/istanbul-instrumenter-loader/node_modules/ajv
  schema-utils  <=0.4.3
  Depends on vulnerable versions of ajv
  node_modules/istanbul-instrumenter-loader/node_modules/schema-utils
    istanbul-instrumenter-loader  >=3.0.0-beta.0
    Depends on vulnerable versions of schema-utils
    node_modules/istanbul-instrumenter-loader

glob-parent  <=5.1.1
Severity: high
Regular expression denial of service in glob-parent - GHSA-ww39-953v-wcq6
glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-cj88-88mr-972w
fix available via `npm audit fix --force`
Will install copy-webpack-plugin@11.0.0, which is a breaking change
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
  copy-webpack-plugin  5.0.1 - 5.1.2
  Depends on vulnerable versions of glob-parent
  node_modules/copy-webpack-plugin

json-bigint  <1.0.0
Severity: high
Uncontrolled Resource Consumption in json-bigint - GHSA-wgfq-7857-4jcc
fix available via `npm audit fix --force`
Will install google-auth-library@8.1.1, which is a breaking change
node_modules/gcp-metadata/node_modules/json-bigint
  gcp-metadata  0.8.0 - 4.1.0
  Depends on vulnerable versions of json-bigint
  node_modules/gcp-metadata
    google-auth-library  0.9.4 - 5.10.1
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gtoken
    node_modules/google-auth-library

karma  <=6.3.15
Severity: high
Open redirect in karma - GHSA-rc3x-jf5g-xvc5
Cross-site Scripting in karma - GHSA-7x7c-qm48-pq9c
Depends on vulnerable versions of ua-parser-js
fix available via `npm audit fix --force`
Will install karma@6.4.0, which is a breaking change
node_modules/karma

node-forge  <=1.2.1
Severity: high
Open Redirect in node-forge - GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge debug API. - GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge - GHSA-cfm4-qjh2-4765
fix available via `npm audit fix --force`
Will install webpack-dev-server@4.9.3, which is a breaking change
node_modules/node-forge
  google-p12-pem  <=3.1.2
  Depends on vulnerable versions of node-forge
  node_modules/google-p12-pem
    gtoken  <=5.0.0
    Depends on vulnerable versions of google-p12-pem
    node_modules/gtoken
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

pug  <3.0.1
Severity: high
Remote code execution via the `pretty` option. - GHSA-p493-635q-r6gr
fix available via `npm audit fix --force`
Will install pug@3.0.2, which is a breaking change
node_modules/pug
  pug-loader  >=2.0.0
  Depends on vulnerable versions of pug
  node_modules/pug-loader

ua-parser-js  <=0.7.23
Severity: high
Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-394c-5j6w-4xmx
Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-78cj-fxph-m83p
fix available via `npm audit fix --force`
Will install karma@6.4.0, which is a breaking change
node_modules/ua-parser-js

21 vulnerabilities (12 moderate, 9 high)

To address all issues (including breaking changes), run:
  npm audit fix --force
node_modules/eventsource

---

xmlhttprequest-ssl  <=1.6.1
Severity: critical
Improper Certificate Validation in xmlhttprequest-ssl - GHSA-72mh-269x-7mh5
Arbitrary Code Injection - GHSA-h4j5-c7cj-74xg
fix available via
up to date, audited 1756 packages in 4s

58 packages are looking for funding
  run `npm fund` for details

# npm audit report

ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install istanbul-instrumenter-loader@2.0.0, which is a breaking change
node_modules/istanbul-instrumenter-loader/node_modules/ajv
  schema-utils  <=0.4.3
  Depends on vulnerable versions of ajv
  node_modules/istanbul-instrumenter-loader/node_modules/schema-utils
    istanbul-instrumenter-loader  >=3.0.0-beta.0
    Depends on vulnerable versions of schema-utils
    node_modules/istanbul-instrumenter-loader

glob-parent  <=5.1.1
Severity: high
Regular expression denial of service in glob-parent - GHSA-ww39-953v-wcq6
glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-cj88-88mr-972w
fix available via `npm audit fix --force`
Will install copy-webpack-plugin@11.0.0, which is a breaking change
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
  copy-webpack-plugin  5.0.1 - 5.1.2
  Depends on vulnerable versions of glob-parent
  node_modules/copy-webpack-plugin

json-bigint  <1.0.0
Severity: high
Uncontrolled Resource Consumption in json-bigint - GHSA-wgfq-7857-4jcc
fix available via `npm audit fix --force`
Will install google-auth-library@8.1.1, which is a breaking change
node_modules/gcp-metadata/node_modules/json-bigint
  gcp-metadata  0.8.0 - 4.1.0
  Depends on vulnerable versions of json-bigint
  node_modules/gcp-metadata
    google-auth-library  0.9.4 - 5.10.1
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gtoken
    node_modules/google-auth-library

karma  <=6.3.15
Severity: high
Open redirect in karma - GHSA-rc3x-jf5g-xvc5
Cross-site Scripting in karma - GHSA-7x7c-qm48-pq9c
Depends on vulnerable versions of ua-parser-js
fix available via `npm audit fix --force`
Will install karma@6.4.0, which is a breaking change
node_modules/karma

node-forge  <=1.2.1
Severity: high
Open Redirect in node-forge - GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge debug API. - GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge - GHSA-cfm4-qjh2-4765
fix available via `npm audit fix --force`
Will install webpack-dev-server@4.9.3, which is a breaking change
node_modules/node-forge
  google-p12-pem  <=3.1.2
  Depends on vulnerable versions of node-forge
  node_modules/google-p12-pem
    gtoken  <=5.0.0
    Depends on vulnerable versions of google-p12-pem
    node_modules/gtoken
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

pug  <3.0.1
Severity: high
Remote code execution via the `pretty` option. - GHSA-p493-635q-r6gr
fix available via `npm audit fix --force`
Will install pug@3.0.2, which is a breaking change
node_modules/pug
  pug-loader  >=2.0.0
  Depends on vulnerable versions of pug
  node_modules/pug-loader

ua-parser-js  <=0.7.23
Severity: high
Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-394c-5j6w-4xmx
Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-78cj-fxph-m83p
fix available via `npm audit fix --force`
Will install karma@6.4.0, which is a breaking change
node_modules/ua-parser-js

21 vulnerabilities (12 moderate, 9 high)

To address all issues (including breaking changes), run:
  npm audit fix --force
node_modules/xmlhttprequest-ssl

---

url-parse  <=1.5.8
Severity: critical
Incorrect hostname / protocol due to unstripped leading control characters. - GHSA-jf5r-8hm2-f872
Authorization Bypass Through User-Controlled Key in url-parse - GHSA-hgjh-723h-mx2j
Authorization bypass in url-parse - GHSA-rqff-837h-mm52
Open redirect in url-parse - GHSA-hh27-ffr2-f2jc
Incorrect returned href via an '@' sign but no user info and hostname - GHSA-8v38-pw62-9cw2
Path traversal in url-parse - GHSA-9m6j-fcg5-2442
fix available via
up to date, audited 1756 packages in 5s

58 packages are looking for funding
  run `npm fund` for details

# npm audit report

ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install istanbul-instrumenter-loader@2.0.0, which is a breaking change
node_modules/istanbul-instrumenter-loader/node_modules/ajv
  schema-utils  <=0.4.3
  Depends on vulnerable versions of ajv
  node_modules/istanbul-instrumenter-loader/node_modules/schema-utils
    istanbul-instrumenter-loader  >=3.0.0-beta.0
    Depends on vulnerable versions of schema-utils
    node_modules/istanbul-instrumenter-loader

glob-parent  <=5.1.1
Severity: high
Regular expression denial of service in glob-parent - GHSA-ww39-953v-wcq6
glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-cj88-88mr-972w
fix available via `npm audit fix --force`
Will install copy-webpack-plugin@11.0.0, which is a breaking change
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
  copy-webpack-plugin  5.0.1 - 5.1.2
  Depends on vulnerable versions of glob-parent
  node_modules/copy-webpack-plugin

json-bigint  <1.0.0
Severity: high
Uncontrolled Resource Consumption in json-bigint - GHSA-wgfq-7857-4jcc
fix available via `npm audit fix --force`
Will install google-auth-library@8.1.1, which is a breaking change
node_modules/gcp-metadata/node_modules/json-bigint
  gcp-metadata  0.8.0 - 4.1.0
  Depends on vulnerable versions of json-bigint
  node_modules/gcp-metadata
    google-auth-library  0.9.4 - 5.10.1
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gtoken
    node_modules/google-auth-library

karma  <=6.3.15
Severity: high
Open redirect in karma - GHSA-rc3x-jf5g-xvc5
Cross-site Scripting in karma - GHSA-7x7c-qm48-pq9c
Depends on vulnerable versions of ua-parser-js
fix available via `npm audit fix --force`
Will install karma@6.4.0, which is a breaking change
node_modules/karma

node-forge  <=1.2.1
Severity: high
Open Redirect in node-forge - GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge debug API. - GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge - GHSA-cfm4-qjh2-4765
fix available via `npm audit fix --force`
Will install webpack-dev-server@4.9.3, which is a breaking change
node_modules/node-forge
  google-p12-pem  <=3.1.2
  Depends on vulnerable versions of node-forge
  node_modules/google-p12-pem
    gtoken  <=5.0.0
    Depends on vulnerable versions of google-p12-pem
    node_modules/gtoken
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

pug  <3.0.1
Severity: high
Remote code execution via the `pretty` option. - GHSA-p493-635q-r6gr
fix available via `npm audit fix --force`
Will install pug@3.0.2, which is a breaking change
node_modules/pug
  pug-loader  >=2.0.0
  Depends on vulnerable versions of pug
  node_modules/pug-loader

ua-parser-js  <=0.7.23
Severity: high
Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-394c-5j6w-4xmx
Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-78cj-fxph-m83p
fix available via `npm audit fix --force`
Will install karma@6.4.0, which is a breaking change
node_modules/ua-parser-js

21 vulnerabilities (12 moderate, 9 high)

To address all issues (including breaking changes), run:
  npm audit fix --force
node_modules/url-parse

---

minimist  <1.2.6
Severity: critical
Prototype Pollution in minimist - GHSA-xvch-5gv4-984h
fix available via
up to date, audited 1756 packages in 4s

58 packages are looking for funding
  run `npm fund` for details

# npm audit report

ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install istanbul-instrumenter-loader@2.0.0, which is a breaking change
node_modules/istanbul-instrumenter-loader/node_modules/ajv
  schema-utils  <=0.4.3
  Depends on vulnerable versions of ajv
  node_modules/istanbul-instrumenter-loader/node_modules/schema-utils
    istanbul-instrumenter-loader  >=3.0.0-beta.0
    Depends on vulnerable versions of schema-utils
    node_modules/istanbul-instrumenter-loader

glob-parent  <=5.1.1
Severity: high
Regular expression denial of service in glob-parent - GHSA-ww39-953v-wcq6
glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-cj88-88mr-972w
fix available via `npm audit fix --force`
Will install copy-webpack-plugin@11.0.0, which is a breaking change
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
  copy-webpack-plugin  5.0.1 - 5.1.2
  Depends on vulnerable versions of glob-parent
  node_modules/copy-webpack-plugin

json-bigint  <1.0.0
Severity: high
Uncontrolled Resource Consumption in json-bigint - GHSA-wgfq-7857-4jcc
fix available via `npm audit fix --force`
Will install google-auth-library@8.1.1, which is a breaking change
node_modules/gcp-metadata/node_modules/json-bigint
  gcp-metadata  0.8.0 - 4.1.0
  Depends on vulnerable versions of json-bigint
  node_modules/gcp-metadata
    google-auth-library  0.9.4 - 5.10.1
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gtoken
    node_modules/google-auth-library

karma  <=6.3.15
Severity: high
Open redirect in karma - GHSA-rc3x-jf5g-xvc5
Cross-site Scripting in karma - GHSA-7x7c-qm48-pq9c
Depends on vulnerable versions of ua-parser-js
fix available via `npm audit fix --force`
Will install karma@6.4.0, which is a breaking change
node_modules/karma

node-forge  <=1.2.1
Severity: high
Open Redirect in node-forge - GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge debug API. - GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge - GHSA-cfm4-qjh2-4765
fix available via `npm audit fix --force`
Will install webpack-dev-server@4.9.3, which is a breaking change
node_modules/node-forge
  google-p12-pem  <=3.1.2
  Depends on vulnerable versions of node-forge
  node_modules/google-p12-pem
    gtoken  <=5.0.0
    Depends on vulnerable versions of google-p12-pem
    node_modules/gtoken
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

pug  <3.0.1
Severity: high
Remote code execution via the `pretty` option. - GHSA-p493-635q-r6gr
fix available via `npm audit fix --force`
Will install pug@3.0.2, which is a breaking change
node_modules/pug
  pug-loader  >=2.0.0
  Depends on vulnerable versions of pug
  node_modules/pug-loader

ua-parser-js  <=0.7.23
Severity: high
Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-394c-5j6w-4xmx
Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-78cj-fxph-m83p
fix available via `npm audit fix --force`
Will install karma@6.4.0, which is a breaking change
node_modules/ua-parser-js

21 vulnerabilities (12 moderate, 9 high)

To address all issues (including breaking changes), run:
  npm audit fix --force
node_modules/@babel/core/node_modules/minimist
node_modules/babel-loader/node_modules/minimist
node_modules/minimist
node_modules/portfinder/node_modules/minimist
node_modules/webpack/node_modules/minimist
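The audit output above mixes findings that plain `npm audit fix` resolves with ones that need `--force` because the fix is a semver-major bump (e.g. "Will install pug@3.0.2, which is a breaking change"). The script below is an added example, not part of this PR or the project: it reads the JSON form of the same report (`npm audit --json`, npm 7+ shape with a `vulnerabilities` map and a `fixAvailable` field that is `true` or an object with `isSemVerMajor`) and sorts packages into safe, breaking and unfixed buckets, plus a severity gate a CI job could fail on. The embedded report is constructed for the example; its advisory titles and GHSA ids are copied from the output above, the version numbers and the unfixed `schema-utils` entry are illustrative.

```python
"""Triage an `npm audit --json` report: separate fixes that plain
`npm audit fix` applies from those needing `--force` (semver-major)
and from findings with no fix, so each package gets a deliberate
decision instead of a blanket `--force`."""
import json

# Constructed sample in the npm 7+ `npm audit --json` shape. Titles and
# GHSA ids mirror the audit output in the commit message; versions and
# the unfixed schema-utils entry are illustrative.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "minimist": {
            "name": "minimist", "severity": "critical", "isDirect": False,
            "via": [{"title": "Prototype Pollution in minimist",
                     "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
                     "severity": "critical", "range": "<1.2.6"}],
            "effects": [], "range": "<1.2.6",
            "nodes": ["node_modules/minimist"],
            "fixAvailable": True,                       # plain `npm audit fix`
        },
        "pug": {
            "name": "pug", "severity": "high", "isDirect": False,
            "via": [{"title": "Remote code execution via the `pretty` option.",
                     "url": "https://github.com/advisories/GHSA-p493-635q-r6gr",
                     "severity": "high", "range": "<3.0.1"}],
            "effects": ["pug-loader"], "range": "<3.0.1",
            "nodes": ["node_modules/pug"],
            "fixAvailable": {"name": "pug", "version": "3.0.2",
                             "isSemVerMajor": True},   # needs --force
        },
        "ajv": {
            "name": "ajv", "severity": "moderate", "isDirect": False,
            "via": [{"title": "Prototype Pollution in Ajv",
                     "url": "https://github.com/advisories/GHSA-v88g-cgmw-v5xw",
                     "severity": "moderate", "range": "<6.12.3"}],
            "effects": ["schema-utils"], "range": "<6.12.3",
            "nodes": ["node_modules/istanbul-instrumenter-loader/node_modules/ajv"],
            "fixAvailable": {"name": "istanbul-instrumenter-loader",
                             "version": "2.0.0", "isSemVerMajor": True},
        },
        "schema-utils": {
            "name": "schema-utils", "severity": "moderate", "isDirect": False,
            "via": ["ajv"],          # string entry: vulnerable only through ajv
            "effects": ["istanbul-instrumenter-loader"], "range": "<=0.4.3",
            "nodes": ["node_modules/istanbul-instrumenter-loader/node_modules/schema-utils"],
            "fixAvailable": False,   # constructed: no fix offered
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 2,
                                     "high": 1, "critical": 1, "total": 4}},
})

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def triage(report_json):
    """Group each vulnerable package by how it can be fixed.

    Returns {"safe": [...], "breaking": [...], "unfixed": [...]}; every entry
    is a (package, severity, note) tuple. Dict entries in `via` are the
    package's own advisories; string entries mean it is flagged only because
    a dependency is vulnerable."""
    report = json.loads(report_json)
    groups = {"safe": [], "breaking": [], "unfixed": []}
    for name, vuln in sorted(report["vulnerabilities"].items()):
        fix = vuln.get("fixAvailable", False)
        advisories = [v["url"].rsplit("/", 1)[-1]
                      for v in vuln["via"] if isinstance(v, dict)]
        through = [v for v in vuln["via"] if isinstance(v, str)]
        note = ", ".join(advisories) or "via " + ", ".join(through)
        if fix is True:
            groups["safe"].append((name, vuln["severity"], note))
        elif isinstance(fix, dict):
            bump = f"requires {fix['name']}@{fix['version']}"
            if fix.get("isSemVerMajor"):
                bump += " (semver-major, needs --force)"
            groups["breaking"].append((name, vuln["severity"], f"{note}; {bump}"))
        else:
            groups["unfixed"].append((name, vuln["severity"], note))
    return groups


def gate(report_json, threshold="high"):
    """True if any finding is at or above `threshold` severity (CI fail)."""
    report = json.loads(report_json)
    worst = max((SEVERITY_RANK[v["severity"]]
                 for v in report["vulnerabilities"].values()), default=-1)
    return worst >= SEVERITY_RANK[threshold]


if __name__ == "__main__":
    for group, entries in triage(SAMPLE_REPORT).items():
        print(f"== {group} ({len(entries)})")
        for pkg, sev, note in entries:
            print(f"  {pkg:28} {sev:9} {note}")
    print("gate (>= high):", "FAIL" if gate(SAMPLE_REPORT) else "pass")
```

Run it against a real tree with `npm audit --json > audit.json` and pass the file contents to `triage`; the "breaking" bucket is the list to review by hand (check the changelog of the package being bumped) before reaching for `--force`, and the "unfixed" bucket is what still needs a pin or an upstream issue after the fix lands.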
@bryanpaget bryanpaget linked an issue Jul 21, 2022 that may be closed by this pull request
7 tasks
@bryanpaget bryanpaget added the size/S ~1 day label Jul 21, 2022
@bryanpaget bryanpaget self-assigned this Jul 21, 2022
@bryanpaget bryanpaget requested a review from wg102 July 21, 2022 20:15
@wg102

wg102 commented Jul 22, 2022

Duplicate

@wg102 wg102 closed this Jul 22, 2022
@bryanpaget bryanpaget deleted the bryan-patch-2022-07-21 branch September 20, 2022 18:18
Successfully merging this pull request may close these issues.

Upgrade 1.4: Kubeflow