Update dependencies #629

Open · 7 tasks
m5r opened this issue Jul 24, 2024 · 0 comments
Labels
Type: Technical issue Improve something that users won't notice

Comments

m5r (Contributor) commented Jul 24, 2024

Describe the issue

Follow-up from #621

npm audit reports 6 vulnerabilities (5 moderate, 1 critical) that we can't address yet:

# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install request-promise-native@0.0.0, which is a breaking change
node_modules/request
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
    request-promise-native  >=1.0.0
    Depends on vulnerable versions of request
    Depends on vulnerable versions of request-promise-core
    Depends on vulnerable versions of tough-cookie
    node_modules/request-promise-native

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install request-promise-native@0.0.0, which is a breaking change
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie

xmldom  *
Severity: critical
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-h6q6-9hqw-rwfv
xmldom allows multiple root nodes in a DOM - https://github.com/advisories/GHSA-crh6-fp67-6883
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
fix available via `npm audit fix --force`
Will install dom-compare@0.1.1, which is a breaking change
node_modules/xmldom
  dom-compare  >=0.2.0
  Depends on vulnerable versions of xmldom
  node_modules/dom-compare

6 vulnerabilities (5 moderate, 1 critical)

Describe the improvement you'd like

To summarize the above logs, we need to:

  • replace request and request-promise-native with a more modern alternative because they're both deprecated. Most alternatives proposed are either ESM-only, unstable, or not production ready
  • replace dom-compare. It's no longer maintained and uses a vulnerable version of xmldom. We could fork it and use the more recent version of xmldom, inline the dom comparison logic in cht-conf, or find a maintained alternative. TBD.

Dependencies that cannot be updated until we migrate to ESM:

  • chai
  • chai-as-promised
  • chai-exclude
  • open

Dependencies that need a higher version of Node.js:

  • semantic-release

PouchDB-related dependencies should probably be updated along with cht-core's.

Additionally, xpath has a new minor version available but no changelog is provided.
