[Question]: CVE-2024-47068 still present?

[5ulas]

What is your question?

git clone https://github.com/danny-avila/LibreChat.git

git checkout v0.7.5 (or just master branch)

docker build --no-cache -t libre:v1 .

❯ trivy image libre:v1

Library               │ Vulnerability  │ Severity │ Status │ Installed Version │     Fixed Version      │ Title
rollup (package.json) │ CVE-2024-47068 │ HIGH     │        │ 0.0.0             │ 3.29.5, 4.22.4, 2.79.2 │ rollup: DOM Clobbering Gadget found in rollup bundled scripts that leads to... https://avd.aquasec.com/nvd/cve-2024-47068

I can see in running image that package.json rollup library is a fixed version

  "overrides": {
    "vite-plugin-pwa": {
      "rollup": "^4.22.4"
    }
  }

I don't really work with node modules, but it seems like the override affects only the vite-plugin-pwa dependency. It is still present in /app/node_modules/fetch-undici/tests/rollup/package.json

/app/node_modules/fetch-undici/tests/rollup $ cat package.json

{
  "name": "rollup",
  "version": "0.0.0",
  "description": "",
  "main": "rollup-app.js",
  "scripts": {
    "test": "tap"
  },
  "keywords": [],
  "author": "Bret Comnes <bcomnes@gmail.com> (https://bret.io/)",
  "license": "MIT",
  "type": "module",
  "dependencies": {
    "@rollup/plugin-commonjs": "^25.0.0",
    "@rollup/plugin-node-resolve": "^15.0.0",
    "fetch-undici": "../../.",
    "rollup": "^2.56.3",
    "desm": "^1.2.0",
    "jsdom": "^22.0.0",
    "p-temporary-directory": "^2.0.1",
    "tap": "^18.3.0"
  },
  "tap": {
    "serial": [],
    "typecheck": false,
    "allow-incomplete-coverage": true,
    "allow-empty-coverage": true,
    "coverage-report": [
      "text",
      "lcovonly"
    ]
  }
}

if the change doesn't break anything would it be possible to replace override with following change since then it remediates CVE warning?

  "overrides": {
    "**/rollup": "^4.22.4"
  },

More Details

What is the main subject of your question?

No response

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

It's not present, otherwise you would still see warnings in the npm terminal or our repo.

~/LibreChat$ npm ls rollup
LibreChat@v0.7.5 /home/danny/LibreChat
├─┬ @librechat/frontend@v0.7.5 -> ./client
│ ├─┬ vite-plugin-node-polyfills@0.17.0
│ │ └─┬ @rollup/plugin-inject@5.0.5
│ │   └── rollup@4.22.4 deduped
│ ├─┬ vite-plugin-pwa@0.20.5 overridden
│ │ └─┬ workbox-build@7.1.1
│ │   ├─┬ @rollup/plugin-babel@5.3.1
│ │   │ ├─┬ @rollup/pluginutils@3.1.0
│ │   │ │ └── rollup@4.22.4 deduped
│ │   │ └── rollup@4.22.4 deduped
│ │   ├─┬ @rollup/plugin-replace@2.4.2
│ │   │ ├─┬ @rollup/pluginutils@3.1.0
│ │   │ │ └── rollup@4.22.4 deduped
│ │   │ └── rollup@4.22.4 deduped
│ │   └── rollup@4.22.4 deduped
│ └─┬ vite@5.4.6
│   └── rollup@4.22.4 deduped
└─┬ librechat-data-provider@0.7.55 -> ./packages/data-provider
  ├─┬ @rollup/plugin-alias@5.1.0
  │ └── rollup@4.22.4 deduped
  ├─┬ @rollup/plugin-commonjs@25.0.7
  │ ├─┬ @rollup/pluginutils@5.1.0
  │ │ └── rollup@4.22.4 deduped
  │ └── rollup@4.22.4 deduped
  ├─┬ @rollup/plugin-json@6.1.0
  │ └── rollup@4.22.4 deduped
  ├─┬ @rollup/plugin-node-resolve@15.2.3
  │ └── rollup@4.22.4 deduped
  ├─┬ @rollup/plugin-replace@5.0.5
  │ └── rollup@4.22.4 deduped
  ├─┬ @rollup/plugin-terser@0.4.4
  │ └── rollup@4.22.4 deduped
  ├─┬ rollup-plugin-generate-package-json@3.2.0
  │ └── rollup@4.22.4 deduped
  ├─┬ rollup-plugin-peer-deps-external@2.2.4
  │ └── rollup@4.22.4 deduped
  ├─┬ rollup-plugin-typescript2@0.35.0
  │ └── rollup@4.22.4 deduped
  └── rollup@4.22.4 overridden

[5ulas]

Yea. I'm not sure how to check that exactly. Executing it at root folder of a pod where package.json resides.

npm ls rollup
LibreChat@v0.7.5 /app
`-- (empty)

I'm using image: ghcr.io/danny-avila/librechat:v0.7.5 and my cloud security software detects this CVE. Perhaps the reason might be is that I'm using environment variable NODE_ENV: test? But that still wouldn't explain trivy still detecting the CVE on a fresh repository. Could you test with trivy, please?

[danny-avila]

the reason for doing this on my end was to address the CVE you're concerned of: #4226

trivy is issuing the warning because it finds a reference to rollup 0.0.0 (which isn't even a valid version, earliest valid version is v0.3.1) in /app/node_modules/fetch-undici/tests/rollup/package.json. Further look at this file shows rollup is only used for building the test files which are likely ran as part of this library's build/publishing pipeline.

If you look through /app/node_modules/ within the docker build, rollup isn't even installed because it's only used when building the client files during image build process, that's why you get this:

npm ls rollup
LibreChat@v0.7.5 /app
`-- (empty)

1. The first approach (specifying through vite-plugin-pwa):

"overrides": {
  "vite-plugin-pwa": {
    "rollup": "^4.22.4"
  }
}

works because vite-plugin-pwa is one of the dependency paths that brings in rollup, and npm's dependency resolution will use this version as a reference point for deduping other instances.

I specifically used vite-plugin-pwa as the reference point due to peer dependency conflicts, as npm can be very finicky with package resolutions, and this is what worked. We can likely remove the override now since vite-plugin-pwa has finally patched it on their end: vite-pwa/vite-plugin-pwa#781

Trivy's vulnerability detection seems over-zealous in this case.