Fix security vulnerabilities in parcel-bundler and @parcel/logger #5045

Closed
SigurdMW opened this issue Aug 21, 2020 · 6 comments

@SigurdMW

#4638 🐛 bug report
I get multiple vulnerabilities when running Snyk's security tool against my dependencies:

[email protected] and @parcel/[email protected] are affected by many security vulnerabilities according to Snyk:
✗ High severity vuln found in [email protected], introduced via @parcel/[email protected]
Description: Regular Expression Denial of Service (ReDoS)
Info: https://snyk.io/vuln/SNYK-JS-ACORN-559469
From: @parcel/[email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]

✗ High severity vuln found in [email protected]
Description: Regular Expression Denial of Service (ReDoS)
Info: https://snyk.io/vuln/SNYK-JS-ACORN-559469
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected]

✗ Medium severity vuln found in [email protected]
Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-JS-DOTPROP-543489
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]

✗ Medium severity vuln found in [email protected]
Description: Timing Attack
Info: https://snyk.io/vuln/SNYK-JS-ELLIPTIC-511941
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected]

✗ High severity vuln found in [email protected]
Description: Cryptographic Issues
Info: https://snyk.io/vuln/SNYK-JS-ELLIPTIC-571484
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected]

✗ Medium severity vuln found in [email protected]
Description: Timing Attack
Info: https://snyk.io/vuln/SNYK-JS-ELLIPTIC-511941
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected]

✗ High severity vuln found in [email protected]
Description: Cryptographic Issues
Info: https://snyk.io/vuln/SNYK-JS-ELLIPTIC-571484
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected]

✗ Medium severity vuln found in [email protected]
Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
From: @parcel/[email protected] > [email protected] > [email protected] > [email protected] > [email protected]

✗ Medium severity vuln found in [email protected]
Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]

✗ Medium severity vuln found in [email protected]
Description: Remote Memory Exposure
Info: https://snyk.io/vuln/SNYK-JS-NODEADDONAPI-571001
From: [email protected] > [email protected] > [email protected]

✗ High severity vuln found in [email protected]
Description: Cross-site Scripting (XSS)
Info: https://snyk.io/vuln/SNYK-JS-SERIALIZETOJS-536958
From: [email protected] > [email protected]

✗ Medium severity vuln found in [email protected]
Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected]

✗ Medium severity issue found in [email protected]
Description: MPL-2.0 license
Info: https://snyk.io/vuln/snyk:lic:npm:mdn-data:MPL-2.0
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]

✗ Medium severity issue found in [email protected]
Description: MPL-2.0 license
Info: https://snyk.io/vuln/snyk:lic:npm:mdn-data:MPL-2.0
From: [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]

🎛 Configuration (.babelrc, package.json, cli command)

n/a

🤔 Expected Behavior

Package vulnerabilities are resolved quickly

😯 Current Behavior

Many, open vulnerabilities

💁 Possible Solution

npm audit fix and use Snyk to test your code regularly (they have a free option for Open Source)

🔦 Context

n/a

💻 Code Sample

n/a

🌍 Your Environment

n/a

Software | Version(s)
Parcel |
Node |
npm/Yarn |
Operating System |
@ChildishGiant

When installing with npm, it found "46 high severity vulnerabilities", all of which can be fixed with npm audit fix.

@damianobarbati

Any news on this? Would a resolutions lock in parcel solve this?

@TractionTeam

10 vulns, 4L, 2M, and 2H. Run npm audit fix --force with no clear resolution.

@murdocha

murdocha commented Feb 3, 2021

Also seeing a security vulnerability for the "node-forge" dependency of the NPM parcel-bundler distribution (1.12.4).
parcel-bundler references "node-forge": "^0.7.1"

which causes this log from the "npm audit" command:

                                                                                
                                                                                
                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           
                                                                                
                                                                                
  High            Prototype Pollution in node-forge                             
                                                                                
  Package         node-forge                                                    
                                                                                
  Patched in      >= 0.10.0                                                     
                                                                                
  Dependency of   parcel-bundler [dev]                                          
                                                                                
  Path            parcel-bundler > node-forge                                   
                                                                                
  More info       https://npmjs.com/advisories/1561     

what is a good short-term/long-term fix?

@tbsvttr

tbsvttr commented Feb 6, 2021

The node-forge security issue still exists.

@DeMoorJasper
Member

Just realised this is a Parcel 1 issue and probably won't be fixed because of this, as it's not a real security issue and you can work around it with resolutions in yarn, and npm has something similar.
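Added example, not code from the Parcel project or any commenter: given the `parcel-bundler > node-forge` path and the `>= 0.10.0` patched version from the audit output above, this script scans an npm lockfile for copies of a dependency still below the patched version and builds the package.json stanzas that force the pin under Yarn (`resolutions`) and npm (`overrides`). The lockfile, the nested 0.7.6 version and the package.json are constructed sample data, and whether node-forge 0.10.x is API-compatible with parcel-bundler 1.12.4 is an assumption the reader must verify before pinning.

```javascript
// Added example (not Parcel project code): find copies of a transitive dependency
// still below the patched version in an npm lockfile, then build the package.json
// stanzas that force the pin for Yarn ("resolutions") and npm ("overrides").
// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number); // pre-release suffix ignored
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and return every
// installed copy of `name` older than `patched`. Nested copies are the ones a top-level
// upgrade misses, which is why the pin below names the parent package.
function findUnpatched(lock, name, patched) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!meta.version || !path.endsWith(`node_modules/${name}`)) continue;
    if (compareVersions(meta.version, patched) < 0) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Return a copy of package.json pinning `dep` under `parent` for both managers.
// Yarn reads "resolutions" keyed "parent/dep"; npm >= 8.3 reads nested "overrides".
function pinTransitive(pkg, parent, dep, range) {
  const out = JSON.parse(JSON.stringify(pkg));
  out.resolutions = { ...(out.resolutions || {}), [`${parent}/${dep}`]: range };
  const overrides = out.overrides || {};
  overrides[parent] = { ...(overrides[parent] || {}), [dep]: range };
  out.overrides = overrides;
  return out;
}

// Constructed sample lockfile: an old node-forge nested under parcel-bundler (the
// "parcel-bundler > node-forge" path from the audit) next to a patched top-level copy.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', devDependencies: { 'parcel-bundler': '^1.12.4' } },
    'node_modules/parcel-bundler': { version: '1.12.4' },
    'node_modules/parcel-bundler/node_modules/node-forge': { version: '0.7.6' },
    'node_modules/node-forge': { version: '0.10.0' },
  },
};
const samplePkg = { name: 'app', devDependencies: { 'parcel-bundler': '^1.12.4' } };
console.log(findUnpatched(sampleLock, 'node-forge', '0.10.0')); // one hit: the nested 0.7.6
console.log(JSON.stringify(pinTransitive(samplePkg, 'parcel-bundler', 'node-forge', '^0.10.0'), null, 2));
```

After `npm install` or `yarn install` with the pin in place, re-running the scan against the regenerated lockfile should return no hits; if it still does, the range is not being honoured and the pin needs a different parent path.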
