Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security issue: please update Acorn #9643

Closed
Pomax opened this issue Mar 6, 2020 · 11 comments
Closed

Security issue: please update Acorn #9643

Pomax opened this issue Mar 6, 2020 · 11 comments

Comments

@Pomax
Copy link

Pomax commented Mar 6, 2020

                       === npm audit security report ===                        

                                                                                
                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           
                                                                                
                                                                                
  Moderate        Regular Expression Denial of Service                          
  Package         acorn                                                         
  Patched in      >=7.1.1                                                       
  Dependency of   jest [dev]                                                    
                                                                                
  Path            jest > @jest/core > @jest/reporters > jest-runtime >          
                  jest-config > jest-environment-jsdom > jsdom > acorn-globals  
                  > acorn                                                       
                                                                                
  More info       https://npmjs.com/advisories/1488                             
                                                                                
                                                                                
  Moderate        Regular Expression Denial of Service                          
  Package         acorn                                                         
  Patched in      >=7.1.1                                                       
  Dependency of   jest [dev]                                                    

  Path            jest > jest-cli > @jest/core > @jest/reporters >              
                  jest-runtime > jest-config > jest-environment-jsdom > jsdom   
                  > acorn-globals > acorn                                       
                                                                                
  More info       https://npmjs.com/advisories/1488                             
                                                                                
                                                                                
  Moderate        Regular Expression Denial of Service                          
  Package         acorn                                                         
  Patched in      >=7.1.1                                                       
  Dependency of   jest [dev]                                                    
                                                                                
  Path            jest > @jest/core > jest-runner > jest-jasmine2 >             
                  jest-runtime > jest-config > jest-environment-jsdom > jsdom   
                  > acorn-globals > acorn                                       
                                                                                
  More info       https://npmjs.com/advisories/1488                             
                                                                                
                                                                                
  Moderate        Regular Expression Denial of Service                          
  Package         acorn                                                         
  Patched in      >=7.1.1                                                       
  Dependency of   jest [dev]                                                    
                                                                                
  Path            jest > jest-cli > @jest/core > jest-runner > jest-jasmine2 >  
                  jest-runtime > jest-config > jest-environment-jsdom > jsdom   
                  > acorn-globals > acorn                                       
                                                                                
  More info       https://npmjs.com/advisories/1488                             
                                                                                
                                                                                
  Moderate        Regular Expression Denial of Service                          
  Package         acorn                                                         
  Patched in      >=7.1.1                                                       
  Dependency of   jest [dev]                                                    
                                                                                
  Path            jest > @jest/core > jest-runner > jest-runtime > jest-config  
                  > jest-environment-jsdom > jsdom > acorn-globals > acorn      
                                                                                
  More info       https://npmjs.com/advisories/1488                             
                                                                                
  [...snip...]
@hjr3
Copy link

hjr3 commented Mar 7, 2020

I believe the root issue is with acorn-globals, which is has an acorn v6 dependency in the package.json.

The latest jsdom package.json depends on acorn-globals v4.3.4 which is the latest release. The overall jest ecosystem depends on jsdom, so it gets dragged into this mess.

@juergenzimmermann
Copy link

juergenzimmermann commented Mar 7, 2020

When the dependency of jsdom is upgraded from ^15.1.1 to ^16.2.0 (see https://github.com/facebook/jest/blob/master/packages/jest-environment-jsdom/package.json#L18) then the indirect dependency of acorn will be ^7.1.0 (instead of ^6.1.1). Finally 7.1.1 has the security fix.

@tunnckoCore
Copy link

tunnckoCore commented Mar 7, 2020

For anyone having this:

yarn add ForbesLindesay/acorn-globals#greenkeeper/acorn-7.1.1
# or if in monorepo setup
yarn add -W ForbesLindesay/acorn-globals#greenkeeper/acorn-7.1.1

# or npm
npm i ForbesLindesay/acorn-globals#greenkeeper/acorn-7.1.1

Until ForbesLindesay/acorn-globals#50 or ForbesLindesay/acorn-globals#56 (@EmmaGoodliffe's) get merged.

tunnckoCore added a commit to helapkg/hela that referenced this issue Mar 7, 2020
@tunnckoCore
Copy link

FWIW acorn-globals@6.0.0 is published.

@railsstudent
Copy link

jsdom 16.2.1 is released and acorn is upgraded to 7.1.1
https://github.com/jsdom/jsdom/blob/master/package.json#L24

Thanks

@pratiksawant10
Copy link

@railsstudent Can you please help me with the steps to fix this issue?

@SimenB
Copy link
Member

SimenB commented Mar 10, 2020

Upgrading JSDOM is a breaking change, so it won't be done until the next major. You can use jest-environment-jsdom-sixteen if you want to use a version of JSDOM without the "vulnerability", but npm will still complain as Jest itself depends on jsdom@15 and will for the duration of jest@25.

This is yet another case of npm complaining about regex dos attacks against a dev dependency, so 0% chance of it being exploited 🤷‍♂

@SimenB
Copy link
Member

SimenB commented Mar 10, 2020

That said, I'm not getting this warning?

$ docker run -it node:13-alpine sh -c 'mkdir dir; cd dir; npm init -y; npm i -D jest; npm audit'
Wrote to /dir/package.json:

{
  "name": "dir",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}


npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^2.1.2 (node_modules/jest-haste-map/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN dir@1.0.0 No description
npm WARN dir@1.0.0 No repository field.

+ jest@25.1.0
added 486 packages from 285 contributors and audited 1203821 packages in 23.344s

23 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities


                       === npm audit security report ===

found 0 vulnerabilities
 in 1203821 scanned packages

@RiZKiT
Copy link

RiZKiT commented Mar 10, 2020

@SimenB Together with the "kind-of" dependency vulnerability mentioned in #9648 (which is closed as duplicate), it looks a bit different in our project:
found 39465 vulnerabilities (39451 low, 14 moderate) in 1223109 scanned packages

Where almost all results are coming from jest. Two days ago it were 0 vulnerabilities.

@hjr3
Copy link

hjr3 commented Mar 10, 2020

The fix was backported to acorn 6.4.1 here. At the time of this writing, new installs should not have any reported vulns.

If you have an existing install, make sure you are using the latest version of jest 25.1.0. You can run npm audit fix or whatever the yarn equivalent is.

I believe this issue should now be closed.

@github-actions
Copy link

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 11, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

9 participants