Bug #21033

closed

Upgrade dependencies to address security issues

Added by Lucas Di Pentima 5 months ago. Updated 5 months ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: Workbench2
Story points: -
Release relationship: Auto

Description

There are several security reports on GitHub now that Workbench2 is integrated with the main Arvados repository.

Related issues

Related to Arvados Workbench 2 - Idea #21037: Upgrade 'react-scripts' package and its descendants to address pending security issues (New)

#1

Updated by Lucas Di Pentima 5 months ago

Updates at commit:5e5f7e7 - branch 21033-wb2-dependency-upgrades
Test run at wb2 pipeline (arvados-workbench2|c2ba017 - branch 21033-wb2-dependency-upgrades): developer-tests-workbench2: #1356

Upgrades the following dependency packages:

  • minimist
  • loader-utils
  • eventsource
  • url-parse
  • json-schema
  • http-cache-semantics
  • jszip
  • ua-parser-js
  • json5
  • qs
  • decode-uri-component
  • minimatch
  • terser
  • node-sass
  • scss-tokenizer
  • sass-graph
  • moment
  • async
  • axios
  • ansi-regex
  • lodash-es
  • node-fetch
  • follow-redirects
  • nth-check
  • tmpl
  • tar
  • glob-parent
  • word-wrap
  • semver
  • postcss
  • browserslist

Note that some of these are required more than once by other packages, and with older versions, so some of the security warnings will remain. The most prominent offender is react-scripts version 3.4.4, and its descendants. Upgrading this package is no trivial task and I think should be scheduled appropriately.

#2

Updated by Lucas Di Pentima 5 months ago

This is the remaining state:

$ yarn npm audit -R -A
├─ @cypress/request: 2.88.5
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: https://github.com/advisories/GHSA-p8p7-x288-28g6
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: <=2.88.12
│  ├─ Patched Versions: >=3.0.0
│  ├─ Via: cypress
│  └─ Recommendation: Upgrade to version 3.0.0 or later
│
├─ ansi-html: 0.0.7
│  ├─ Issue: Uncontrolled Resource Consumption in ansi-html
│  ├─ URL: https://github.com/advisories/GHSA-whgm-jr23-g3j9
│  ├─ Severity: high
│  ├─ Vulnerable Versions: <0.0.8
│  ├─ Patched Versions: >=0.0.8
│  ├─ Via: react-scripts
│  └─ Recommendation: Upgrade to version 0.0.8 or later
│
├─ browserslist: 4.10.0
│  ├─ Issue: Regular Expression Denial of Service in browserslist
│  ├─ URL: https://github.com/advisories/GHSA-w8qv-6jwh-64r5
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: >=4.0.0 <4.16.5
│  ├─ Patched Versions: >=4.16.5
│  ├─ Via: react-scripts
│  └─ Recommendation: Upgrade to version 4.16.5 or later
│
├─ glob-parent: 3.1.0
│  ├─ Issue: glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex
│  ├─ URL: https://github.com/advisories/GHSA-ww39-953v-wcq6
│  ├─ Severity: high
│  ├─ Vulnerable Versions: <5.1.2
│  ├─ Patched Versions: >=5.1.2
│  ├─ Via: react-scripts
│  └─ Recommendation: Upgrade to version 5.1.2 or later
│
├─ immer: 1.10.0
│  ├─ Issue: Prototype Pollution in immer
│  ├─ URL: https://github.com/advisories/GHSA-33f9-j839-rf8h
│  ├─ Severity: critical
│  ├─ Vulnerable Versions: <9.0.6
│  ├─ Patched Versions: >=9.0.6
│  ├─ Via: react-scripts
│  └─ Recommendation: Upgrade to version 9.0.6 or later
│
├─ jsdom: 11.12.0
│  ├─ Issue: Insufficient Granularity of Access Control in JSDom
│  ├─ URL: https://github.com/advisories/GHSA-f4c9-cqv8-9v98
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: <=16.4.0
│  ├─ Patched Versions: >=16.5.0
│  ├─ Via: react-scripts
│  └─ Recommendation: Upgrade to version 16.5.0 or later
│
├─ minimatch: 3.0.4
│  ├─ Issue: minimatch ReDoS vulnerability
│  ├─ URL: https://github.com/advisories/GHSA-f8q6-p94x-37v3
│  ├─ Severity: high
│  ├─ Vulnerable Versions: <3.0.5
│  ├─ Patched Versions: >=3.0.5
│  ├─ Via: babel-core, node-sass, fstream, react-scripts, node-sass-chokidar
│  └─ Recommendation: Upgrade to version 3.0.5 or later
│
├─ node-forge: 0.10.0
│  ├─ Issue: Open Redirect in node-forge
│  ├─ URL: https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: <1.0.0
│  ├─ Patched Versions: >=1.0.0
│  ├─ Via: react-scripts
│  └─ Recommendation: Upgrade to version 1.0.0 or later
│
├─ node-notifier: 5.4.5
│  ├─ Issue: OS Command Injection in node-notifier
│  ├─ URL: https://github.com/advisories/GHSA-5fw9-fq32-wv5p
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: <8.0.1
│  ├─ Patched Versions: >=8.0.1
│  ├─ Via: react-scripts
│  └─ Recommendation: Upgrade to version 8.0.1 or later
│
├─ nth-check: 1.0.2
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: https://github.com/advisories/GHSA-rp65-9cf3-cjxr
│  ├─ Severity: high
│  ├─ Vulnerable Versions: <2.0.1
│  ├─ Patched Versions: >=2.0.1
│  ├─ Via: enzyme, react-scripts
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ postcss: 7.0.21
│  ├─ Issue: PostCSS line return parsing error
│  ├─ URL: https://github.com/advisories/GHSA-7fh5-64p2-3v2j
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: <8.4.31
│  ├─ Patched Versions: >=8.4.31
│  ├─ Via: react-scripts
│  └─ Recommendation: Upgrade to version 8.4.31 or later
│
├─ qs: 6.7.0
│  ├─ Issue: qs vulnerable to Prototype Pollution
│  ├─ URL: https://github.com/advisories/GHSA-hrpp-h998-j3pp
│  ├─ Severity: high
│  ├─ Vulnerable Versions: >=6.7.0 <6.7.3
│  ├─ Patched Versions: >=6.7.3
│  ├─ Via: node-sass, wait-on, react-scripts
│  └─ Recommendation: Upgrade to version 6.7.3 or later
│
├─ react-dev-utils: 10.2.1
│  ├─ Issue: react-dev-utils OS Command Injection in function `getProcessForPort`
│  ├─ URL: https://github.com/advisories/GHSA-5q6m-3h65-w53x
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: >=0.4.0 <11.0.4
│  ├─ Patched Versions: >=11.0.4
│  ├─ Via: react-scripts
│  └─ Recommendation: Upgrade to version 11.0.4 or later
│
├─ request: 2.88.2
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: https://github.com/advisories/GHSA-p8p7-x288-28g6
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: <=2.88.2
│  ├─ Patched Versions: <0.0.0
│  ├─ Via: node-sass, wait-on, react-scripts
│  └─ Recommendation: None
│
├─ semver: 7.0.0
│  ├─ Issue: semver vulnerable to Regular Expression Denial of Service
│  ├─ URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: >=7.0.0 <7.5.2
│  ├─ Patched Versions: >=7.5.2
│  ├─ Via: react-scripts
│  └─ Recommendation: Upgrade to version 7.5.2 or later
│
├─ shell-quote: 1.7.2
│  ├─ Issue: Improper Neutralization of Special Elements used in a Command in Shell-quote
│  ├─ URL: https://github.com/advisories/GHSA-g4rg-993r-mgx7
│  ├─ Severity: critical
│  ├─ Vulnerable Versions: <=1.7.2
│  ├─ Patched Versions: >=1.7.3
│  ├─ Via: react-scripts
│  └─ Recommendation: Upgrade to version 1.7.3 or later
│
└─ tough-cookie: 2.5.0
   ├─ Issue: tough-cookie Prototype Pollution vulnerability
   ├─ URL: https://github.com/advisories/GHSA-72xf-g2v4-qvf3
   ├─ Severity: moderate
   ├─ Vulnerable Versions: <4.1.3
   ├─ Patched Versions: >=4.1.3
   ├─ Via: node-sass, wait-on, react-scripts
   └─ Recommendation: Upgrade to version 4.1.3 or later
#3

Updated by Lucas Di Pentima 5 months ago

  • Related to Idea #21037: Upgrade 'react-scripts' package and its descendants to address pending security issues added
#4

Updated by Lucas Di Pentima 5 months ago

  • Status changed from In Progress to Resolved