Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependencies #629

Open
7 tasks
m5r opened this issue Jul 24, 2024 · 0 comments
Open
7 tasks

Update dependencies #629

m5r opened this issue Jul 24, 2024 · 0 comments
Labels
Type: Technical issue Improve something that users won't notice

Comments

@m5r
Copy link
Member

m5r commented Jul 24, 2024

Describe the issue

Follow-up from #621

npm audit reports 6 vulnerabilities (5 moderate, 1 critical) that we can't address yet:

# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install request-promise-native@0.0.0, which is a breaking change
node_modules/request
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
    request-promise-native  >=1.0.0
    Depends on vulnerable versions of request
    Depends on vulnerable versions of request-promise-core
    Depends on vulnerable versions of tough-cookie
    node_modules/request-promise-native

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install request-promise-native@0.0.0, which is a breaking change
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie

xmldom  *
Severity: critical
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-h6q6-9hqw-rwfv
xmldom allows multiple root nodes in a DOM - https://github.com/advisories/GHSA-crh6-fp67-6883
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
fix available via `npm audit fix --force`
Will install dom-compare@0.1.1, which is a breaking change
node_modules/xmldom
  dom-compare  >=0.2.0
  Depends on vulnerable versions of xmldom
  node_modules/dom-compare

6 vulnerabilities (5 moderate, 1 critical)

Describe the improvement you'd like

To summarize the above logs, we need to:

  • replace request and request-promise-native with a more modern alternative because they're both deprecated. Most alternatives proposed are either ESM-only, unstable, or not production ready
  • replace dom-compare. It's not longer maintained and uses a vulnerable version of xmldom. We could fork it and use the more recent version of xmldom, inline the dom comparison logic in cht-conf, or find a maintained alternative. TBD.

Dependencies that cannot be updated until we migrate to ESM:

  • chai
  • chai-as-promised
  • chai-exclude
  • open

Dependencies that need a higher version of Node.js:

  • semantic-release

PouchDB-related dependencies should probably be updated along with cht-core's.

Additionally, xpath has a new minor version available but no changelog is provided.
@m5r m5r added the Type: Technical issue Improve something that users won't notice label Jul 24, 2024
@m5r m5r mentioned this issue Jul 29, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Technical issue Improve something that users won't notice
Projects
Product Team Activities
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
1 participant
@m5r