fun2src

fun2src

Github alert: "One of your dependencies has a security vulnerability"

Hello everyone!

I’m developing a Phoenix project (webpack). Yesterday, I received a notification
(from Github) which says:

“Known high severity security vulnerability detected in js-yaml < 3.13.1 defined in package-lock.json.
package-lock.json update suggested: js-yaml ~> 3.13.1.”

npm audit output:

=== npm audit security report ===                        
                                                                                
# Run  npm install --save-dev css-loader@2.1.1  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
Run  npm install --save-dev optimize-css-assets-webpack-plugin@5.0.1  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
Run  npm install --save-dev webpack-cli@3.3.2  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
# Run  npm update fsevents --depth 4  to resolve 1 vulnerability
found 7 vulnerabilities (2 low, 2 moderate, 3 high) in 14908 scanned packages
  run `npm audit fix` to fix 1 of them.
  6 vulnerabilities require semver-major dependency updates.

I’m a newbie in npm and web pack. How do I patch the security vulnerabilities
mentioned in my post? ( … without breaking the project)

Marked As Solved

peerreynders

peerreynders

Only 1 of 7 is fixable at this point in time.

Also those dependencies may just relate to webpack directly. The dependencies deployed to the web page in production should be of primary interest.

To assess the vulnerabilities:

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm install --save-dev optimize-css-assets-webpack-plugin@5.0.1  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ optimize-css-assets-webpack-plugin [dev]                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ optimize-css-assets-webpack-plugin > cssnano > postcss-svgo  │
│               │ > svgo > js-yaml                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/788                             │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ optimize-css-assets-webpack-plugin [dev]                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ optimize-css-assets-webpack-plugin > cssnano > postcss-svgo  │
│               │ > svgo > js-yaml                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/813                             │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm install --save-dev webpack-cli@3.3.2  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-cli [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-cli > jscodeshift > micromatch > braces              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-cli [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-cli > webpack-addons > jscodeshift > micromatch >    │
│               │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 4 vulnerabilities (2 low, 1 moderate, 1 high) in 14404 scanned packages
  4 vulnerabilities require semver-major dependency updates.
$ 

Note the more info link one each entry, e.g. :

https://npmjs.com/advisories/788

https://www.npmjs.com/advisories/813

  • upgrading may fix the issue - provided it doesn’t break the package that uses it.
  • optimize-css-assets-webpack-plugin is a webpack plugin - so unless that plugin sneaks js-yaml into the bundle (unlikely given its purpose) there shouldn’t be any production exposure.
$ npm audit fix
npm WARN assets No description

up to date in 4.251s
fixed 0 of 4 vulnerabilities in 14404 scanned packages
  2 package updates for 4 vulns involved breaking changes
  (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)
$ npm audit fix --force
npm WARN using --force I sure hope you know what you are doing.

> webpack-cli@3.3.2 postinstall > node ./bin/opencollective.js
npm WARN assets No description

+ optimize-css-assets-webpack-plugin@5.0.1
+ webpack-cli@3.3.2
added 70 packages from 46 contributors, removed 575 packages, updated 51 packages and moved 2 packages in 12.738s
fixed 4 of 4 vulnerabilities in 14404 scanned packages
  2 package updates for 4 vulns involved breaking changes
  (installed due to `--force` option)
$  

Alternately more selectively as advised by npm audit:

$ npm install --save-dev webpack-cli@3.3.2

> webpack-cli@3.3.2 postinstall
> node ./bin/opencollective.js
npm WARN assets No description

+ webpack-cli@3.3.2
added 6 packages from 8 contributors, removed 380 packages, updated 13 packages, moved 2 packages and audited 7547 packages in 8.173s
found 2 vulnerabilities (1 moderate, 1 high)
  run `npm audit fix` to fix them, or `npm audit` for details
$ npm install --save-dev optimize-css-assets-webpack-plugin@5.0.1
npm WARN assets No description

+ optimize-css-assets-webpack-plugin@5.0.1
added 68 packages from 41 contributors, removed 197 packages, updated 34 packages and audited 7680 packages in 8.158s
found 0 vulnerabilities

$

Also Liked

peerreynders

peerreynders

Running

npm install --save-dev optimize-css-assets-webpack-plugin@5.0.1

and

npm install --save-dev webpack-cli@3.3.2

in the assets directory accomplishes the same thing - package.json:

{
  "repository": {},
  "license": "MIT",
  "scripts": {
    "deploy": "webpack --mode production",
    "watch": "webpack --mode development --watch"
  },
  "dependencies": {
    "phoenix": "file:../deps/phoenix",
    "phoenix_html": "file:../deps/phoenix_html"
  },
  "devDependencies": {
    "@babel/core": "^7.0.0",
    "@babel/preset-env": "^7.0.0",
    "babel-loader": "^8.0.0",
    "copy-webpack-plugin": "^4.5.0",
    "css-loader": "^2.1.1",
    "mini-css-extract-plugin": "^0.4.0",
    "optimize-css-assets-webpack-plugin": "^5.0.1",
    "uglifyjs-webpack-plugin": "^1.2.4",
    "webpack": "4.4.0",
    "webpack-cli": "^3.3.2"
  }
}

Phoenix doesn’t care about webpack - it just installs it as a convenience feature. Apart from maybe the channel and html helpers the JavaScript assets take on a life of their own after project creation.

OvermindDL1

OvermindDL1

Well those just look like webpack processing stuff, so I’d say just update it all and try a build, if it fails that’s why you have git. :slight_smile:

fun2src

fun2src

Thanks a lot for your assistance!

Where Next?

Popular in Questions Top

_russellb
I want to try my hand at web scraping. What tools/libraries do I need to use. I’m hoping to turn this into something professional so don’...
New
New
9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
chrisalley
ExUnit now has describe blocks which is a welcome addition coming from RSpec. In the docs, it states that nested hierarchies of describe ...
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
srinivasu
How to handle excepions in elixir? Suppose i have A, B, C ,D, E modules. and each module has get() function. A.get() method will call t...
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New

Other popular topics Top

sorentwo
Hello! tl;dr Announcing Oban, an Ecto based job processing library with a focus on reliability and historical observability. After spen...
985 42920 311
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
josevalim
Hi everyone, One of the features added to Elixir early on to help integration with Erlang code was the idea of overridable function defi...
New
hariharasudhan94
lets say i have a sample like a = 20; b = 10; if (a &gt; b) do {:ok, "a"} end if (a &lt; b) do {:ok, b} end if (a == b) do {:ok, "equa...
New
AngeloChecked
What learn first? Rust or Elixir Hi Elixir community! I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
gausby
I asked this very same question on twitter and got some interesting feedback, but I thought it would be a good question to ask here as we...
1207 39297 209
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
AstonJ
Seen any cool LiveView demos, sample apps or examples? Please post them here! :003:
New
dogweather
I wrote this comment on r/haskell, and it’s not popular there. :wink: But I think I’m on to something… Haskell reminds me of Java, and e...
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" =&gt; #BSON.ObjectId&lt;58eb1a7a9ad169198c3dXXXX&gt;, "email" =&gt; ...
New

Latest on Elixir Forum

We're in Beta

About us Mission Statement