
Security Warnings for 11ty Dependencies #1025

Closed
trey opened this issue Mar 20, 2020 · 12 comments
Labels
enhancement npm-audit Security audits from npm

Comments

@trey

trey commented Mar 20, 2020

I've been seeing "Potential security vulnerability" warnings in GitHub for my 11ty projects. They relate to the acorn and minimist dependencies.

Here's the information these warnings link to:
GHSA-7fhm-mqm4-2wp7

Would it be possible to get 11ty updated to remove these potential vulnerabilities?

@Ryuno-Ki
Contributor

Related to #1023.

@zachleat zachleat added this to the Eleventy v0.11.0 milestone Mar 20, 2020
@zachleat
Member

Thanks for opening this! Updated for 0.11.0.

In the future I’d love to keep these specific to the package listed in the npm audit entry so we can track individual packages updates separately.

See #1026 for an example.

@trey
Author

trey commented Mar 20, 2020

@zachleat Ahh, cool. Will do! Thanks for letting me stumble through that and giving me feedback!

@matthewp

I don't think this is fixed, there's still the problem with acorn and that comes from pug.

├─┬ @11ty/eleventy@0.11.0-beta.2
│ └─┬ pug@2.0.4
│   ├─┬ pug-code-gen@2.0.2
│   │ └─┬ with@5.1.1
│   │   ├── acorn@3.3.0
│   │   └─┬ acorn-globals@3.1.0
│   │     └── acorn@4.0.13
│   └─┬ pug-lexer@4.1.0
│     └─┬ is-expression@3.0.0
│       └── acorn@4.0.13

@zachleat zachleat reopened this Mar 21, 2020
@dixonge

dixonge commented Mar 28, 2020

So how do I fix this in the meantime? Manually edit package-lock.json? Remove/regenerate it?

@trey
Author

trey commented Mar 28, 2020

Good question.

@Ryuno-Ki
Contributor

So … normally, you can find a security bulletin at Snyk, where they describe how to mitigate those security vulnerabilities - if a patch is available / possible.
Otherwise, follow the repo of the offending package and ask the maintainer to publish a new version with the fix, so it can bubble up the dependency chain.

A third option could be to switch out the dep. Hardly possible here, I guess.

@dixonge

dixonge commented Mar 28, 2020

So, for those of us who are not programmers ... ?

@Ryuno-Ki
Contributor

Sit and wait.

@matthewp

matthewp commented Mar 29, 2020

If you're not using Pug then this vulnerability doesn't affect you. So if your concern is the security warning that GitHub shows you can dismiss it as not relevant to your project.
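Added example, not code from this thread or from Eleventy: a small Node script that takes an `npm ls --json`-style tree (here constructed by hand from the `npm ls` output quoted earlier in the thread) and lists every dependency path that reaches a flagged package. It makes the reasoning above checkable: if the only entry point for the vulnerable acorn copies is pug and the site uses no Pug templates, the advisory does not reach the build. The function names and the tree shape are assumptions of this example.

```javascript
// Added example, not code from the thread or from Eleventy: walk an
// `npm ls --json`-style tree and list every dependency path that reaches a
// package, to see which direct dependency (here pug) pulls in the flagged acorn.
// `tree` is constructed by hand from the `npm ls` output quoted above.
const tree = {
  name: "@11ty/eleventy", version: "0.11.0-beta.2",
  dependencies: {
    pug: { version: "2.0.4", dependencies: {
      "pug-code-gen": { version: "2.0.2", dependencies: {
        "with": { version: "5.1.1", dependencies: {
          acorn: { version: "3.3.0" },
          "acorn-globals": { version: "3.1.0", dependencies: { acorn: { version: "4.0.13" } } },
        } },
      } },
      "pug-lexer": { version: "4.1.0", dependencies: {
        "is-expression": { version: "3.0.0", dependencies: { acorn: { version: "4.0.13" } } },
      } },
    } },
  },
};

// Depth-first walk. Returns every path (root excluded) ending at `target`,
// each path as an array of { name, version } hops, in `npm ls` order.
function findPaths(node, target, prefix = []) {
  const found = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const path = [...prefix, { name, version: dep.version }];
    if (name === target) found.push(path);
    found.push(...findPaths(dep, target, path)); // keep walking: a dep may be nested again below
  }
  return found;
}

// Direct dependencies of the root through which `target` is reachable.
// If this is only ["pug"] and the site uses no Pug templates, the flagged
// acorn copies are never loaded by the build (the point made above).
function entryPoints(root, target) {
  return [...new Set(findPaths(root, target).map((p) => p[0].name))];
}

// Distinct versions of `target` present, to compare against an advisory's affected range.
function versionsOf(root, target) {
  return [...new Set(findPaths(root, target).map((p) => p[p.length - 1].version))].sort();
}

for (const p of findPaths(tree, "acorn")) {
  console.log(p.map((h) => `${h.name}@${h.version}`).join(" > "));
}
console.log("entry points:", entryPoints(tree, "acorn"), "versions:", versionsOf(tree, "acorn"));
```

On a real project, replace the hand-built `tree` with `JSON.parse` of `npm ls --all --json` output to get the same report for your own lockfile.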

@dixonge

dixonge commented Mar 29, 2020

I am not using Pug. It's just annoying...

@zachleat zachleat added the npm-audit Security audits from npm label May 10, 2020
@zachleat
Member

Created a new npm-audit label for these types of issues. The applicable ones for this issue are resolved with the 0.11.0 release. A new one cropped up and was filed at #1164.

These are likely just to be ongoing maintenance things that are part of npm and are actually a good thing! So don’t despair that these keep cropping up. If you’re using Eleventy as a static site (and not running browser-sync in production), these are unlikely to expose you to any major security issues on your website.
