
Dependencies security audit #368

Open
michaelrambeau opened this issue Jan 20, 2023 · 2 comments

Comments


michaelrambeau commented Jan 20, 2023

A lot of dependencies used by @uxpin/merge-cli are either deprecated, out-of-date or considered vulnerable.

It leads to a lot of warning messages when installing the tool on a computer.

The purpose of this issue is to take a snapshot of the situation and to track the progress of the cleanup actions.

First audit • 2023-01-20

yarn audit

287 vulnerabilities found - Packages audited: 2554
Severity: 9 Low | 27 Moderate | 189 High | 62 Critical

Only production deps:

98 vulnerabilities found - Packages audited: 952
Severity: 11 Moderate | 62 High | 25 Critical

Using Snyk.io

Running snyk test command against 2.11.0:

Tested 741 dependencies for known issues, found 27 issues, 294 vulnerable paths.

Issues to fix by upgrading:

  Upgrade globby@8.0.1 to globby@10.0.0 to fix
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905] in glob-parent@3.1.0
    introduced by globby@8.0.1 > fast-glob@2.2.1 > glob-parent@3.1.0 and 1 other path(s)

  Upgrade webpack@4.8.1 to webpack@4.26.0 to fix
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SSRI-1246392] in ssri@5.3.0
    introduced by webpack@4.8.1 > uglifyjs-webpack-plugin@1.2.5 > cacache@10.0.4 > ssri@5.3.0


Patchable issues:

  Patch available for extend@3.0.1
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/npm:extend:20180424] in extend@3.0.1
    introduced by ngrok@3.0.1 > request@2.85.0 > extend@3.0.1 and 1 other path(s)

  Patch available for hoek@4.2.0
  ✗ Prototype Pollution [Medium Severity][https://security.snyk.io/vuln/npm:hoek:20180212] in hoek@4.2.0
    introduced by ngrok@3.0.1 > request@2.85.0 > hawk@6.0.2 > hoek@4.2.0 and 3 other path(s)

  Patch available for stringstream@0.0.5
  ✗ Uninitialized Memory Exposure [Medium Severity][https://security.snyk.io/vuln/npm:stringstream:20180511] in stringstream@0.0.5
    introduced by ngrok@3.0.1 > request@2.85.0 > stringstream@0.0.5


Issues with no direct upgrade or patch:
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-AJV-584908] in ajv@6.5.0
    introduced by ngrok@3.0.1 > request@2.85.0 > har-validator@5.0.3 > ajv@5.5.2 and 3 other path(s)
  This issue was fixed in versions: 6.12.3
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in ansi-regex@2.1.1
    introduced by webpack@4.8.1 > watchpack@1.6.0 > chokidar@2.0.3 > fsevents@1.2.3 > node-pre-gyp@0.9.1 > npmlog@4.1.2 > gauge@2.7.4 > strip-ansi@3.0.1 > ansi-regex@2.1.1 and 2 other path(s)
  This issue was fixed in versions: 3.0.1, 4.1.1, 5.0.1, 6.0.1
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-ASYNC-2441827] in async@2.6.1
    introduced by react-docgen@4.1.1 > async@2.6.1
  This issue was fixed in versions: 2.6.4, 3.2.2
  ✗ Arbitrary File Write via Archive Extraction (Zip Slip) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-DECOMPRESSZIP-73598] in decompress-zip@0.3.0
    introduced by ngrok@3.0.1 > decompress-zip@0.3.0
  This issue was fixed in versions: 0.2.2, 0.3.2
  ✗ Exposure of Resource to Wrong Sphere [Low Severity][https://security.snyk.io/vuln/SNYK-JS-FSEVENTS-5487987] in fsevents@1.2.3
    introduced by webpack@4.8.1 > watchpack@1.6.0 > chokidar@2.0.3 > fsevents@1.2.3
  This issue was fixed in versions: 1.2.11
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-HAWK-2808852] in hawk@6.0.2
    introduced by ngrok@3.0.1 > request@2.85.0 > hawk@6.0.2
  This issue was fixed in versions: 9.0.1
  ✗ Prototype Pollution [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-JSON5-3182856] in json5@2.2.1
    introduced by @babel/core@7.2.2 > json5@2.2.1 and 1 other path(s)
  This issue was fixed in versions: 1.0.2, 2.2.2
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-JSONSCHEMA-1920922] in json-schema@0.2.3
    introduced by ngrok@3.0.1 > request@2.85.0 > http-signature@1.2.0 > jsprim@1.4.1 > json-schema@0.2.3
  This issue was fixed in versions: 0.4.0
  ✗ Validation Bypass [Low Severity][https://security.snyk.io/vuln/SNYK-JS-KINDOF-537849] in kind-of@6.0.2
    introduced by webpack@4.8.1 > micromatch@3.1.10 > kind-of@6.0.2 and 156 other path(s)
  This issue was fixed in versions: 6.0.3
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-3050818] in minimatch@3.0.4
    introduced by react-docgen@4.1.1 > node-dir@0.1.17 > minimatch@3.0.4 and 2 other path(s)
  This issue was fixed in versions: 3.0.5
  ✗ Prototype Pollution [Low Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMIST-2429795] in minimist@1.2.5
    introduced by babel-loader@8.0.5 > mkdirp@0.5.5 > minimist@1.2.5 and 6 other path(s)
  This issue was fixed in versions: 0.2.4, 1.2.6
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-MIXINDEEP-450212] in mixin-deep@1.3.1
    introduced by webpack@4.8.1 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > mixin-deep@1.3.1 and 15 other path(s)
  This issue was fixed in versions: 2.0.1, 1.3.2
  ✗ Prototype Poisoning [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-3153490] in qs@6.5.2
    introduced by ngrok@3.0.1 > request@2.85.0 > qs@6.5.2
  This issue was fixed in versions: 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3
  ✗ Server-side Request Forgery (SSRF) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-REQUEST-3361831] in request@2.85.0
    introduced by ngrok@3.0.1 > request@2.85.0
  No upgrade or patch available
  ✗ Cross-site Scripting (XSS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-536840] in serialize-javascript@1.5.0
    introduced by webpack@4.8.1 > uglifyjs-webpack-plugin@1.2.5 > serialize-javascript@1.5.0
  This issue was fixed in versions: 2.1.1
  ✗ Arbitrary Code Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062] in serialize-javascript@1.5.0
    introduced by webpack@4.8.1 > uglifyjs-webpack-plugin@1.2.5 > serialize-javascript@1.5.0
  This issue was fixed in versions: 3.1.0
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-SETVALUE-1540541] in set-value@0.4.3
    introduced by webpack@4.8.1 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > set-value@2.0.0 and 31 other path(s)
  This issue was fixed in versions: 4.0.1, 2.0.1
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-SETVALUE-450213] in set-value@0.4.3
    introduced by webpack@4.8.1 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > set-value@2.0.0 and 31 other path(s)
  This issue was fixed in versions: 2.0.1, 3.0.1
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-TRIM-1017038] in trim@0.0.1
    introduced by markdown-to-ast@4.0.0 > remark@7.0.1 > remark-parse@3.0.1 > trim@0.0.1
  This issue was fixed in versions: 0.0.3
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@1.0.0
    introduced by webpack@4.8.1 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0 and 15 other path(s)
  This issue was fixed in versions: 2.0.1
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-Y18N-1021887] in y18n@4.0.0
    introduced by webpack@4.8.1 > uglifyjs-webpack-plugin@1.2.5 > cacache@10.0.4 > y18n@4.0.0
  This issue was fixed in versions: 3.2.2, 4.0.1, 5.0.5
  ✗ Insecure Randomness [Medium Severity][https://security.snyk.io/vuln/npm:cryptiles:20180710] in cryptiles@3.1.2
    introduced by ngrok@3.0.1 > request@2.85.0 > hawk@6.0.2 > cryptiles@3.1.2
  This issue was fixed in versions: 3.1.3, 4.1.2
@michaelrambeau michaelrambeau self-assigned this Jan 26, 2023

michaelrambeau commented May 22, 2023

After v3.0.2 release (2023-05-15)

The version 3.0.2 should solve some issues as a deprecated dependency (request) was removed (details: #373 )

Output of yarn audit:

95 vulnerabilities found - Packages audited: 2175
Severity: 3 Low | 10 Moderate | 65 High | 17 Critical
| versions | 3.0.1 | 3.0.2 |
| --- | ---: | ---: |
| Low | 9 | 3 (-6) |
| Moderate | 27 | 10 (-17) |
| High | 189 | 65 (-124) |
| Critical | 62 | 17 (-45) |
| Total | 287 | 95 (-192) |


michaelrambeau commented May 22, 2023

After v3.0.3 release (2023-05-22)

The version 3.0.2 should solve some issues as a deprecated dependency (request) was removed (details: #373 )

Output of yarn audit

34 vulnerabilities found - Packages audited: 1306
Severity: 6 Moderate | 28 High
| Vulnerabilities | Low | Moderate | High | Critical | Total |
| --- | ---: | ---: | ---: | ---: | ---: |
| 2.7.10 | 9 | 44 | 230 | 68 | 351 |
| 2.8.2 | 9 | 43 | 232 | 69 | 353 |
| 3.0.0 | 3 | 25 | 153 | 56 | 237 |
| 3.0.2 | 3 | 10 | 65 | 17 | 95 |
| 3.0.3 | 0 | 6 | 38 | 0 | 43 |

Output of snyk test

Tested 460 dependencies for known issues, found 4 issues, 4 vulnerable paths.


Patchable issues:

  Patch available for extend@3.0.1
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/npm:extend:20180424] in extend@3.0.1
    introduced by @textlint/markdown-to-ast@13.3.2 > unified@9.2.2 > extend@3.0.1


Issues with no direct upgrade or patch:
  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-ASYNC-2441827] in async@2.6.1
    introduced by react-docgen@4.1.1 > async@2.6.1
  This issue was fixed in versions: 2.6.4, 3.2.2
  ✗ Prototype Pollution [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-JSON5-3182856] in json5@2.2.1
    introduced by react-docgen@4.1.1 > @babel/core@7.4.4 > json5@2.2.1
  This issue was fixed in versions: 1.0.2, 2.2.2
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-3050818] in minimatch@3.0.4
    introduced by react-docgen@4.1.1 > node-dir@0.1.17 > minimatch@3.0.4
  This issue was fixed in versions: 3.0.5
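The before/after tables in the comments above are assembled by hand from the `yarn audit` summary lines. The following Node script is an added example, not code from this issue or from @uxpin/merge-cli: it parses `yarn audit --json` output, prints the same kind of severity delta table, flags advisories for which no fixed version exists, and groups findings by the direct dependency that pulls them in, which is the view that shows why dropping a single package such as request closes so many vulnerable paths at once. The record shapes described in the comments are yarn v1 conventions assumed here, the `"<0.0.0"` marker for "no fix" is npm's advisory convention, and the sample input is constructed, not real audit output.

```javascript
// Added example, not code from the issue or from @uxpin/merge-cli.
// Assumed `yarn audit --json` (yarn v1) record shapes, one JSON object per line:
//   {"type":"auditAdvisory","data":{"advisory":{id, module_name, severity, title,
//        patched_versions, findings:[{version, paths:["direct>sub>leaf", ...]}]}}}
//   {"type":"auditSummary","data":{"vulnerabilities":{info,low,moderate,high,critical},
//        dependencies: N}}
const SEVERITIES = ["low", "moderate", "high", "critical"];

// Parse the NDJSON stream into a list of advisories plus the summary record.
function parseYarnAudit(ndjson) {
  const advisories = [];
  let summary = null;
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    const record = JSON.parse(line);
    if (record.type === "auditAdvisory") {
      const a = record.data.advisory;
      advisories.push({
        id: a.id,
        module: a.module_name,
        severity: a.severity,
        title: a.title,
        patched: a.patched_versions,
        paths: a.findings.flatMap((f) => f.paths),
      });
    } else if (record.type === "auditSummary") {
      summary = record.data;
    }
  }
  if (!summary) throw new Error("no auditSummary record: was this `yarn audit --json`?");
  return { advisories, summary };
}

// Severity counts as yarn prints them on its "Severity:" line, plus the total.
function severityCounts(audit) {
  const v = audit.summary.vulnerabilities;
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, v[s] || 0]));
  counts.total = SEVERITIES.reduce((n, s) => n + counts[s], 0);
  return counts;
}

// Rows of a before/after table: one per severity and one for the total.
function diffAudits(before, after) {
  const b = severityCounts(before);
  const a = severityCounts(after);
  return [...SEVERITIES, "total"].map((s) => ({
    severity: s, before: b[s], after: a[s], delta: a[s] - b[s],
  }));
}

// Render the rows as a markdown table like the ones kept in this issue.
function renderMarkdownTable(rows, beforeLabel, afterLabel) {
  const lines = [
    `| Severity | ${beforeLabel} | ${afterLabel} | delta |`,
    "| --- | ---: | ---: | ---: |",
  ];
  for (const r of rows) {
    const sign = r.delta > 0 ? "+" : "";
    lines.push(`| ${r.severity} | ${r.before} | ${r.after} | ${sign}${r.delta} |`);
  }
  return lines.join("\n");
}

// Group distinct advisories by the direct dependency at the head of each path,
// most offending first. Removing one direct dependency can close all of them.
function findingsByDirectDependency(audit) {
  const byDep = new Map();
  for (const adv of audit.advisories) {
    for (const p of adv.paths) {
      const direct = p.split(">")[0];
      if (!byDep.has(direct)) byDep.set(direct, new Set());
      byDep.get(direct).add(adv.id);
    }
  }
  return [...byDep.entries()]
    .map(([dep, ids]) => ({ dep, advisories: ids.size }))
    .sort((x, y) => y.advisories - x.advisories || x.dep.localeCompare(y.dep));
}

// npm advisory data marks "no fixed version" as patched_versions "<0.0.0" (assumed convention).
function unpatched(audit) {
  return audit.advisories.filter((a) => a.patched === "<0.0.0").map((a) => a.module);
}

// Constructed sample input (not real audit output) so the script runs stand-alone.
function advisory(id, module, severity, patched, ...paths) {
  return { type: "auditAdvisory", data: { advisory: {
    id, module_name: module, severity, title: `${severity} issue in ${module}`,
    patched_versions: patched, findings: [{ version: "0.0.0", paths }] } } };
}
function summaryRecord(counts, dependencies) {
  return { type: "auditSummary", data: { vulnerabilities: { info: 0, ...counts }, dependencies } };
}
const toNdjson = (records) => records.map((r) => JSON.stringify(r)).join("\n") + "\n";

const BEFORE_NDJSON = toNdjson([
  advisory(1, "extend", "high", ">=3.0.2", "ngrok>request>extend"),
  advisory(2, "request", "moderate", "<0.0.0", "ngrok>request"),
  advisory(3, "async", "high", ">=2.6.4", "react-docgen>async"),
  summaryRecord({ low: 0, moderate: 1, high: 2, critical: 0 }, 3),
]);
const AFTER_NDJSON = toNdjson([
  advisory(3, "async", "high", ">=2.6.4", "react-docgen>async"),
  summaryRecord({ low: 0, moderate: 0, high: 1, critical: 0 }, 2),
]);

const before = parseYarnAudit(BEFORE_NDJSON);
const after = parseYarnAudit(AFTER_NDJSON);
console.log(renderMarkdownTable(diffAudits(before, after), "before", "after"));
console.log("no fix available:", unpatched(before));
console.log(findingsByDirectDependency(before));
```

To use it on a real project, replace the constructed `BEFORE_NDJSON`/`AFTER_NDJSON` strings with the contents of `yarn audit --json > audit-<version>.json` captured at each release; the summary counts come straight from yarn's own summary record, so the table matches the "Severity:" line yarn prints.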
