
Vulnerability in ecstatic dependency #619

Closed
WayneEllery opened this issue Apr 2, 2020 · 12 comments

Comments

@WayneEllery

WayneEllery commented Apr 2, 2020

There is a moderate security vulnerability with ecstatic and ecstatic is no longer maintained

https://snyk.io/vuln/SNYK-JS-ECSTATIC-540354

@karlhorky

Just ran into this.

My workaround for now is to switch my projects over to use serve.

@mattwelke

mattwelke commented Apr 3, 2020

I switched over to using Express with its static serving middleware for now. It's not that much more difficult to use than this library when using it programmatically. I'll have to find something else for a quick server from the command line though. I got really used to adding http-server as a dev dependency and then using npx http-server -c-1 to serve static pages. It became a really common pattern at my company for example sites.

The creator of ecstatic has made it very clear that they don't want to maintain it anymore (jfhbrook/node-ecstatic#259). I suggest people honor their wishes and move on to another library. Perhaps http-server could use Express under the hood instead.

@asiby

asiby commented May 19, 2020

I am surprised that this is not deployed after more than two weeks. I switched to https://github.com/RIAEvangelist/node-http-server instead and the vulnerability issue was gone.

@asiby

asiby commented May 21, 2020

@hata6502, ecstatic is not part of our dependencies. It's used internally by the http-server package. We have no control over it so we can't upgrade it.

@edwinm

edwinm commented Jun 4, 2020

The vulnerable and no longer maintained ecstatic is still a dependency of http-server. Is http-server itself still maintained?

@WayneEllery
Author

The vulnerable and no longer maintained ecstatic is still a dependency of http-server. Is http-server itself still maintained?

Yes. It’s still maintained

@trivikr

trivikr commented Jul 2, 2020

ecstatic is a direct dependency for http-server

"ecstatic": "^3.3.2",

As per package-lock.json, ecstatic@3.3.2 is used

"ecstatic": {
  "version": "3.3.2",
  "resolved": "https://registry.npmjs.org/ecstatic/-/ecstatic-3.3.2.tgz",
  "integrity": "sha512-fLf9l1hnwrHI2xn9mEDT7KIi22UDqA2jaCwyCbSUJh9a1V+LEUSL/JO/6TIz/QyuBURWUHrFL5Kg2TtO1bkkog==",
  "requires": {
    "he": "^1.1.1",
    "mime": "^1.6.0",
    "minimist": "^1.1.0",
    "url-join": "^2.0.5"
  }
},

As per GitHub advisory for CVE-2019-10775, there is no patched version available for ecstatic
GHSA-9q64-mpxx-87fg

The dep ecstatic is no longer maintained, as per jfhbrook/node-ecstatic#259
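An added example (not code from the http-server project or anyone in this thread) that does the lockfile check trivikr describes in a reusable way: it walks a lockfileVersion 1 package-lock.json, flags any ecstatic entry below the 4.1.4 fix named in the thread, and lists which packages pull it in. The sample lockfile is constructed here, using the ecstatic@3.3.2 entry quoted above and placeholder versions for the other packages.

```javascript
// Added example: scan a lockfileVersion 1 package-lock.json for ecstatic
// below the fixed release (4.1.4 per the thread) and report who requires it.
const FIXED_ECSTATIC = "4.1.4";
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
// true when a < b, comparing major, minor and patch numerically
function lessThan(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}
// Flatten the nested "dependencies" tree into [{name, path, entry}] rows,
// where path records the nesting (e.g. "a@1.0.0 > b@2.0.0").
function flattenLock(lock) {
  const rows = [];
  (function walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = `${prefix}${name}@${entry.version}`;
      rows.push({ name, path: here, entry });
      walk(entry.dependencies, `${here} > `);
    }
  })(lock.dependencies, "");
  return rows;
}
// Report every copy of `pkg` older than `fixed`, plus the packages whose
// "requires" map names it (the chain a maintainer must upgrade or replace).
function findVulnerable(lock, pkg = "ecstatic", fixed = FIXED_ECSTATIC) {
  const rows = flattenLock(lock);
  const requiredBy = rows
    .filter((r) => r.entry.requires && pkg in r.entry.requires)
    .map((r) => r.name);
  return rows
    .filter((r) => r.name === pkg && lessThan(r.entry.version, fixed))
    .map((r) => ({ version: r.entry.version, path: r.path, requiredBy }));
}
// Constructed sample lockfile: the ecstatic@3.3.2 entry from the thread,
// hoisted to the top level, and a placeholder http-server entry requiring it.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "http-server": { version: "0.0.0-placeholder", requires: { ecstatic: "^3.3.2" } },
    ecstatic: { version: "3.3.2", requires: { he: "^1.1.1", mime: "^1.6.0", minimist: "^1.1.0", "url-join": "^2.0.5" } },
  },
};
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json; lockfileVersion 2 and 3 files use a flat "packages" map instead and are not handled here.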

@trivikr

trivikr commented Jul 2, 2020

Question for @thornjad, who is the most active contributor for http-server and has published recent releases:

The CVE-2019-10775 was fixed in ecstatic@v4.1.4 jfhbrook/node-ecstatic#266
Is it possible to release http-server@v0.12.4 with dependency on ecstatic@v4.1.4?

@reergymerej

reergymerej commented Aug 20, 2020

There's a PR #631 to absorb the functionality in ecstatic. If that is what we're waiting for, can we get a version bump in the interim?

Remediation: Upgrade to ecstatic@4.1.4.

The PR below bumps the version. Someone who understands ecstatic and vows can probably get the tests to pass in a matter of minutes.

@reergymerej reergymerej mentioned this issue Aug 20, 2020
@reergymerej

reergymerej commented Aug 31, 2020

FWIW, you may be able to force the resolution in the interim.
https://www.npmjs.com/package/npm-force-resolutions

Forcing the version results in npm ls balking, but the functionality appears to work. Worth a shot.

Addendum

The library does change the ecstatic version, but then http-server doesn't work. Cool trick, though.

nickautomatic added a commit to nickautomatic/.dotfiles that referenced this issue Oct 8, 2020
Sometimes it's useful to be able to quickly start up a web server to
serve files from the current directory.

That's what `serve` does. I've also used `http-server` in the past,
which is the same sort of thing but seems to have a major dependency
that's no longer maintained [1], so `serve` seems like a better bet.

`ngrok` can also do this [2], but it's fiddlier than just typing `serve`

[1] http-party/http-server#619
[2] https://ngrok.com/docs#http-file-urls
@tchakabam

Is this whole project still deserving to be called maintained at all, if it can not absorb a very critical security patch from a core dependency lib?

@thornjad
Member

thornjad commented Jul 6, 2021

Duplicate of #518

@thornjad thornjad marked this as a duplicate of #518 Jul 6, 2021
@thornjad thornjad closed this as completed Jul 6, 2021