
@nrwl/web:file-server has security vulnerability #8450

Closed
puku0x opened this issue Jan 10, 2022 · 5 comments · Fixed by #8465

Comments

@puku0x
Contributor

puku0x commented Jan 10, 2022

Current Behavior

http-server which is used in @nrwl/web:file-server has been broken by colors@1.4.2.

% npm ls colors
workspace@0.0.0
├─┬ @nrwl/web@13.4.3
│ └─┬ http-server@14.0.0
│   └── colors@1.4.2 👈 https://github.com/Marak/colors.js/issues/285
└─┬ cypress@9.2.0
  └─┬ cli-table3@0.6.1
    └── colors@1.4.0

Expected Behavior

colors@1.4.0 is used.

Fortunately, there is a fix PR.
http-party/http-server#783

Steps to Reproduce

Create a workspace and use @nrwl/web:file-server to serve an application.

I think most users are not affected because they use @nrwl/web:dev-server.

Failure Logs

Environment

  Node : 16.11.1
  OS   : darwin x64
  npm  : 8.0.0
  
  nx : 13.4.3
  @nrwl/angular : undefined
  @nrwl/cli : 13.4.3
  @nrwl/cypress : 13.4.3
  @nrwl/devkit : 13.4.3
  @nrwl/eslint-plugin-nx : 13.4.3
  @nrwl/express : undefined
  @nrwl/jest : 13.4.3
  @nrwl/linter : 13.4.3
  @nrwl/nest : undefined
  @nrwl/next : undefined
  @nrwl/node : undefined
  @nrwl/nx-cloud : undefined
  @nrwl/react : 13.4.3
  @nrwl/react-native : undefined
  @nrwl/schematics : undefined
  @nrwl/tao : 13.4.3
  @nrwl/web : 13.4.3
  @nrwl/workspace : 13.4.3
  @nrwl/storybook : 13.4.3
  @nrwl/gatsby : undefined
  typescript : 4.4.4
  rxjs : 6.6.7
  ---------------------------------------
  Community plugins:
@puku0x puku0x changed the title @nrwl:web/file-server has security vulnerability @nrwl/web:file-server has security vulnerability Jan 10, 2022
@SerkanSipahi

SerkanSipahi commented Jan 10, 2022

I can confirm this but I get the same issue when running npm run affected:test. This probably affects all Nx versions that install v.1.4.2 with every installation.

As long as we don't have a patch, we can force the version of colors.js to v.1.4.0 by running npm i --save-dev colors@1.4.0. This works fine for me so far.

npm ls colors

├── colors@1.4.0
├─┬ cypress@7.3.0
│ └─┬ cli-table3@0.6.0 <---
│   └── colors@1.4.0  deduped
├─┬ karma@6.3.6 <---
│ └── colors@1.4.0  deduped
└─┬ npm-check-updates@11.8.5
  └─┬ cli-table@0.3.11
    └── colors@1.0.3

@puku0x
Contributor Author

puku0x commented Jan 10, 2022

Karma😂
karma-runner/karma#3741

@SerkanSipahi

SerkanSipahi commented Jan 10, 2022

@puku0x yeah, and a lot of other libs! Hopefully the fix will be merged as fast as possible!

@jaysoo
Member

jaysoo commented Jan 10, 2022

We're exploring ways around the vulnerability if the patch isn't landed in http-server.

For yarn and npm 8 users, please use resolutions or overrides; everyone else, stay tuned!

@github-actions

This issue has been closed for more than 30 days. If this issue is still occurring, please open a new issue with more recent context.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 23, 2023