Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Resolve vulnerabilities in frontend dependencies after React upgrade #3328

Open
7 tasks
jtimpe opened this issue Dec 3, 2024 · 1 comment
Open
7 tasks
Assignees
Labels
dev Refined Ticket has been refined at the backlog refinement

Comments

@jtimpe
Copy link

jtimpe commented Dec 3, 2024

Background

After the upgrade to react-scripts version 5 in #1577, we observed several vulnerabilities reported by npm audit. Specifically, the audit shows 29 vulnerabilities with 18 moderate and 11 high severity.

The goal of this ticket is to address and resolve the vulnerabilities, ideally by running npm audit fix. We will also document any unresolved vulnerabilities and create follow-up tickets for issues that require further attention.

Acceptance Criteria

  • All vulnerabilities are resolved, or documented with an explanation if not fixable.
  • Testing Checklist has been run and all tests pass
  • README is updated, if necessary

Tasks

  • Investigate and attempt to resolve vulnerabilities (timebox to 1 sprint)
  • Document unpatched vulnerabilities where possible
  • Create followup tickets for issues requiring more work
  • Run Testing Checklist and confirm all tests pass

Notes

List of vulnerabilities

# npm audit report

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install jest-enzyme@4.2.0, which is a breaking change
node_modules/jest-environment-enzyme/node_modules/braces
node_modules/sane/node_modules/braces
  micromatch  <=4.0.7
  Depends on vulnerable versions of braces
  node_modules/jest-environment-enzyme/node_modules/micromatch
  node_modules/sane/node_modules/micromatch
    @jest/transform  <=24.9.0
    Depends on vulnerable versions of jest-haste-map
    Depends on vulnerable versions of jest-util
    Depends on vulnerable versions of micromatch
    node_modules/jest-environment-enzyme/node_modules/@jest/transform
      @jest/environment  <=24.9.0
      Depends on vulnerable versions of @jest/fake-timers
      Depends on vulnerable versions of @jest/transform
      node_modules/jest-environment-enzyme/node_modules/@jest/environment
        jest-environment-jsdom  10.0.2 - 25.5.0
        Depends on vulnerable versions of @jest/environment
        Depends on vulnerable versions of @jest/fake-timers
        Depends on vulnerable versions of jest-util
        Depends on vulnerable versions of jsdom
        node_modules/jest-environment-enzyme/node_modules/jest-environment-jsdom
          jest-environment-enzyme  *
          Depends on vulnerable versions of jest-environment-jsdom
          node_modules/jest-environment-enzyme
            jest-enzyme  >=5.0.0
            Depends on vulnerable versions of jest-environment-enzyme
            node_modules/jest-enzyme
    anymatch  1.2.0 - 2.0.0
    Depends on vulnerable versions of micromatch
    node_modules/jest-environment-enzyme/node_modules/anymatch
    node_modules/sane/node_modules/anymatch
      jest-haste-map  18.1.0 - 26.6.2
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of jest-util
      Depends on vulnerable versions of micromatch
      Depends on vulnerable versions of sane
      node_modules/jest-environment-enzyme/node_modules/jest-haste-map
      sane  1.5.0 - 4.1.0
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of micromatch
      node_modules/sane
    jest-message-util  18.5.0-alpha.7da3df39 - 24.9.0
    Depends on vulnerable versions of micromatch
    node_modules/jest-environment-enzyme/node_modules/jest-message-util
      @jest/fake-timers  <=24.9.0
      Depends on vulnerable versions of jest-message-util
      node_modules/jest-environment-enzyme/node_modules/@jest/fake-timers
        jest-util  24.2.0-alpha.0 - 24.9.0
        Depends on vulnerable versions of @jest/fake-timers
        node_modules/jest-environment-enzyme/node_modules/jest-util

cross-spawn  <6.0.6 || >=7.0.0 <7.0.5
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix`
node_modules/cross-spawn
node_modules/sane/node_modules/cross-spawn

decode-uri-component  <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component

json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/tsconfig-paths/node_modules/json5

loader-utils  2.0.0 - 2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
fix available via `npm audit fix`
node_modules/loader-utils


minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch

nanoid  <3.3.8
Infinite loop in nanoid - https://github.com/advisories/GHSA-mwcw-c2x4-8c55
fix available via `npm audit fix`
node_modules/nanoid

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of resolve-url-loader
          node_modules/react-scripts

path-to-regexp  <0.1.12
Severity: moderate
Unpatched `path-to-regexp` ReDoS in 0.1.x - https://github.com/advisories/GHSA-rhx6-c78j-4q9w
fix available via `npm audit fix`
node_modules/path-to-regexp
  express  4.0.0-rc1 - 4.21.1 || 5.0.0-alpha.1 - 5.0.0-beta.3
  Depends on vulnerable versions of path-to-regexp
  node_modules/express

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
  resolve-url-loader  0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install jest-enzyme@4.2.0, which is a breaking change
node_modules/request
  jsdom  0.1.20 || 0.2.0 - 16.5.3
  Depends on vulnerable versions of request
  Depends on vulnerable versions of tough-cookie
  node_modules/jest-environment-enzyme/node_modules/jsdom
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
    request-promise-native  >=1.0.0
    Depends on vulnerable versions of request
    Depends on vulnerable versions of request-promise-core
    Depends on vulnerable versions of tough-cookie
    node_modules/request-promise-native

semver  >=7.0.0 <7.5.2 || <5.7.2
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install pa11y-ci@2.4.2, which is a breaking change
node_modules/@typescript-eslint/eslint-plugin/node_modules/semver
node_modules/@typescript-eslint/typescript-estree/node_modules/semver
node_modules/core-js-compat/node_modules/semver
node_modules/jest-environment-enzyme/node_modules/normalize-package-data/node_modules/semver
node_modules/pa11y/node_modules/semver
node_modules/read-pkg/node_modules/semver
node_modules/sane/node_modules/semver
  core-js-compat  3.6.0 - 3.25.0
  Depends on vulnerable versions of semver
  node_modules/core-js-compat
  pa11y  6.0.0-alpha - 6.2.3
  Depends on vulnerable versions of semver
  node_modules/pa11y
    pa11y-ci  >=3.0.0
    Depends on vulnerable versions of pa11y
    node_modules/pa11y-ci

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install jest-enzyme@4.2.0, which is a breaking change
node_modules/jest-environment-enzyme/node_modules/tough-cookie
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

ws  2.1.0 - 5.2.3
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/jest-environment-enzyme/node_modules/ws

29 vulnerabilities (18 moderate, 11 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
@jtimpe jtimpe added the dev label Dec 3, 2024
@lhuxraft
Copy link
Collaborator

Most urgent priority following react upgrade

@lhuxraft lhuxraft added Refined Ticket has been refined at the backlog refinement P3 Needed – Routine labels Dec 10, 2024
@lhuxraft lhuxraft changed the title Frontend dependency security vulnerabilities Resolve vulnerabilities in frontend dependencies after React upgrade Dec 12, 2024
@lhuxraft lhuxraft removed the P3 Needed – Routine label Dec 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dev Refined Ticket has been refined at the backlog refinement
Projects
None yet
Development

No branches or pull requests

3 participants