npm audit warnings #3488

Closed
rogerta opened this issue Jul 26, 2021 · 2 comments
Comments

rogerta commented Jul 26, 2021

I just pulled from main@52a4fcd08c703dbf41d8978ca8d120fb9ffd882c (dated Mon Jul 26 10:31:11 2021 -0400) and got the following npm warning during npm install:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mochapack [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mochapack > glob-parent                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1751                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 796 scanned packages
  1 vulnerability requires manual review. See the full report for details.
@rogerta rogerta changed the title npm audir warnings npm audit warnings Jul 26, 2021
kberg (Collaborator) commented Jul 26, 2021

Yeah, I saw that. Interesting, huh?

I have read about the vuln and I assert this is not a problem for us. Mochapack should definitely patch this though.

If you read https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905 which goes into the detail about the vulnerability, it creates a potential DOS attack with bad regular expressions. What that article says (as best as I can tell, anyway) is that very long input strings could result in very slow regular expression performance, thus being a possible attack vector by slowing down servers.

We only use mochapack for compilation, never for serving. So at worst, it will slow our compile phase horribly, but cannot impact our runtime.

In fact, I bet the only reason mochapack isn't rushing to patch is that it's probably never on the serving path.
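The argument above (a finding behind a dev-only dependency is not on the serving path) can be applied mechanically to the JSON form of the report. The following is an added example, not code from this project or from npm; it assumes the npm 6 `npm audit --json` layout (`advisories` keyed by id, each with `findings[].dev` and `findings[].paths`), and the second advisory in the sample is a hypothetical one constructed only to show the contrasting case.

```javascript
// Constructed sample in the npm 6 `npm audit --json` shape (not a real capture).
// Advisory 1751 mirrors the glob-parent report in this issue; advisory 0 is a
// hypothetical runtime dependency added only to show the other outcome.
const sampleReport = {
  advisories: {
    "1751": {
      id: 1751,
      module_name: "glob-parent",
      severity: "moderate",
      title: "Regular expression denial of service",
      patched_versions: ">=5.1.2",
      findings: [
        { version: "3.1.0", paths: ["mochapack>glob-parent"], dev: true },
      ],
    },
    "0": {
      id: 0, // placeholder id, hypothetical advisory
      module_name: "example-runtime-pkg",
      severity: "high",
      title: "Hypothetical runtime finding (constructed)",
      patched_versions: ">=2.0.0",
      findings: [
        { version: "1.0.0", paths: ["example-runtime-pkg"], dev: false },
      ],
    },
  },
  metadata: { vulnerabilities: { moderate: 1, high: 1 }, totalDependencies: 796 },
};

// Classify each advisory: "dev-only" when every finding is reached solely via a
// dev dependency (never shipped at runtime), "runtime" otherwise.
function triageAudit(report) {
  return Object.values(report.advisories || {}).map((adv) => {
    const findings = adv.findings || [];
    const devOnly = findings.length > 0 && findings.every((f) => f.dev === true);
    return {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      patchedIn: adv.patched_versions,
      paths: findings.flatMap((f) => f.paths || []),
      exposure: devOnly ? "dev-only" : "runtime",
    };
  });
}

// Only runtime-reachable findings should gate a release; dev-only ones are
// still worth upgrading, but on a different timeline.
function runtimeFindings(report) {
  return triageAudit(report).filter((r) => r.exposure === "runtime");
}

for (const r of triageAudit(sampleReport)) {
  console.log(`${r.id} ${r.module} (${r.severity}, patched in ${r.patchedIn}) -> ${r.exposure}: ${r.paths.join(", ")}`);
}
```

Note that the `dev` flag only tells you how the package is declared in package.json; a build tool that also runs in production (for example a server-side bundler) would need to be treated as runtime regardless.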

bafolts (Collaborator) commented Jul 27, 2021

This is a duplicate of sysgears/mochapack#107

@bafolts bafolts closed this as completed Jul 27, 2021