PhilETaylor - 5 May 2021
```text
added 930 packages, and audited 931 packages in 39s

8 high severity vulnerabilities

npm audit report

merge  <2.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1666
fix available via `npm audit fix --force`
Will install watch@0.13.0, which is a breaking change
node_modules/merge
  exec-sh  <=0.3.1
  Depends on vulnerable versions of merge
  node_modules/exec-sh
    watch  >=0.14.0
    Depends on vulnerable versions of exec-sh
    node_modules/watch

xmlhttprequest-ssl  <1.6.2
Severity: high
Arbitrary Code Injection - https://npmjs.com/advisories/1665
fix available via `npm audit fix --force`
Will install karma@6.3.2, which is a breaking change
node_modules/xmlhttprequest-ssl
  engine.io-client  1.6.0 - 4.1.3
  Depends on vulnerable versions of xmlhttprequest-ssl
  node_modules/engine.io-client
    socket.io-client  1.4.0 - 3.1.3
    Depends on vulnerable versions of engine.io-client
    node_modules/socket.io-client
      socket.io  1.0.0-pre - 1.0.0 || 1.4.0 - 3.0.0-rc4
      Depends on vulnerable versions of socket.io-client
      node_modules/socket.io
        karma  0.13.19 - 5.2.3
        Depends on vulnerable versions of socket.io
        node_modules/karma

8 high severity vulnerabilities
```
PhilETaylor - open - 5 May 2021
joomla-cms-bot - change - 5 May 2021
Labels Added: ?
joomla-cms-bot - labeled - 5 May 2021

dgrammatiko - comment - 6 May 2021

The problem is that the branch https://github.com/joomla/joomla-cms/tree/4.0-dev is not the main/master branch. Once the project switches branches and 4.0-dev becomes the main, they can use https://www.whitesourcesoftware.com/free-developer-tools/renovate which will automatically create PRs for any npm/composer updates and then either merge them automatically (unlikely, as the tests are not sufficient) or have a couple of tests and then get the PRs merged.

Manually updating npm/composer is inefficient and will always be laggy...

PhilETaylor - comment - 6 May 2021

I understand all that, however this is still an issue to be addressed, manually for now.

dgrammatiko - comment - 6 May 2021

> however this is still an issue to be addressed

Honestly, if the vulnerabilities affect Joomla's build tools, e.g. devDependencies, they are not really vulnerabilities, as the code will only be used locally. If they affect the assets that Joomla actually ships, e.g. dependencies, they need an immediate patch.

PhilETaylor - change - 6 May 2021
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2021-05-06 10:04:41
Closed_By: PhilETaylor
PhilETaylor - close - 6 May 2021

PhilETaylor - comment - 6 May 2021

And how does one tell the difference easily, automatedly?

PhilETaylor - comment - 7 May 2021

14 vulnerabilities (7 moderate, 7 high) :-)

brianteeman - comment - 7 May 2021

These are all just build tools and not used in anything shipped
