-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NPM audit reports the package with high vulnerability (Denial of Service) #1446
Comments
And there goes CI pipelines across the globe... |
Seems like a key bit here that limits the scope:
Wouldn't this be a short term work around - |
I get the security warning from NPM about this package too. Using |
Yeah, projects using |
Is there a fix for this in the works? |
Our pipeline returns this audit failure |
|
sam with |
So you can provisionally fix this by moving Once the package is in your |
Same for |
audit-ci npm dependency can also be used instead of npm audit to whitelist this particular dependency. |
Yes, if you use https://github.com/IBM/audit-ci, you can whitelist $ npx audit-ci --high --whitelist=http-proxy CautionIt's not recommended to use packages with vulnerabilities. In my case I've had to whitelist this in order for Travis CI to continue working. |
Sorry for noob question, but does this mean it isn't risky to use locally? |
In theory it still is but by whitelisting you're intentionally ignoring the vulnerability. However i think this particulair vulnerability is more of a threat when published on a server. |
@Jackques, I tried running the whitelist command and it had no luck for me. Would it work if you were to CRA and then run --> npm uninstall http-proxy ? |
If you use https://github.com/IBM/audit-ci then you should be able to set the error id (which relates to the security vul. issue id) in a .json. Check the audit-cli package for details. No need to reinstall the package in order to whitelist it. Once you have got the security id in your witelist the package should no longer appear in the security report. |
@Jackques, Thank you! What I meant to say was that what if you dont whitelist it? Else: |
I'm actually more concerned as to what specifically is wrong within the http-proxy package that is causing the error in the first place. |
Disappointed that people are recommending whitelisting http-proxy or worse still completely disabling audit of devDependencies in response to this. I would guess that 90% of the people that read this thread and take that advice probably don't understand the full implications of it and will not reinstate the audit after http-proxy is fixed. It's not just vulnerabilities that audit guards against but intentional exploits also. Just think about what things the code in those devDependencies has access to when it runs on your local machine or build agent:
In summary: please don't do that. |
According to the advisory, this was reported back in February. |
What's the eta on this getting fixed? |
Maybe this happened due to a potential protoypePollutionAttack; possibly? |
https://blog.0daylabs.com/2019/02/15/prototype-pollution-javascript/ |
I'm definitely sure 99.99% of the people fully understand the risks and issues with those SUGGESTIONS. I wouldn't do it if I was going to release a production version which would access my cloud resources, keys, etc! I suggest focusing on fixing the issue rather than expressing useless opinions. We are not 2-year-old developers! |
Using http-proxy with |
I get the security warning from NPM about this package too. Using
|
will be resolved once/if #1447 is merged and released. |
Well if you were to have http-proxy as a direct dependancy (which i doubt since it's also a dependancy of eventually angular, react etc.) then it would resolve the error. But like i said in between the paranthesis, you probably have an app built on on of those previously mentioned frameworks or at the very least something which relies on the http-proxy dependancy, thus you cannot resolve this issue by uninstalling it unless you install the very package which ultimately has http-proxy as a dependancy. |
If #1447 is merged and released this exploit after audit will be resolved? It's a good fact to run npm audit fix on all our React apps live on the web, isn't it? |
when i go here for more info, it says, |
The npm advisory lists the newly published Not sure if that is normal and it still needs to be reviewed by someone at npm, or #1447 unfortunately didn't do the trick. |
That is normal: they work on a whitelist :) I've sent an email to security@npm with links to this issue & the PR, commenting that 1.18.1 patches the advisory & should be whitelisted. |
Wonderful! Thank you @G-Rath! |
Well yes, but since most of us use packages (e.g. http-proxy-middleware) which in turn use http-proxy as a dependancy those packages will need to use the alternatives themselves first. |
Thanks @G-Rath can you post on here when it has been whitelisted?
Got the info from https://registry.npmjs.org/http-proxy |
The advisory has been updated: https://www.npmjs.com/advisories/1486
|
Since released and advisory is updated, I'm closing this. |
Anyone mind telling me how to make the update with npm? DO i just change the version number in the package-lock.json file or ....? |
|
Edit: see @Hypnosphi's comment for how to narrow down the focus #1446 (comment) Add this to your
Yarn supports the If using NPM, see https://www.npmjs.com/package/npm-force-resolutions |
Forcing resolutions (even if range) is a bad practice and should be avoided if possible, as it may cause other breakages. Not to say that it wouldn't work in this specific instance (it probably would). |
Sorry y'all I was asleep when the email came in:
|
That is a blanket statement. Forcing resolutions works fine in our project. But I would agree that it needs to be evaluated on a case-by-case basis. Valid reasons for using: https://classic.yarnpkg.com/en/docs/selective-version-resolutions/#toc-why-would-you-want-to-do-this |
Forcing resolution forces all instances of that package in the tree to use the same major. This can obviously break (it's one of the things that semver solves). Of course, if your tree already contains the same major, it can work, and even improve deduping. Or, if usages of those packages is limited, it might not blow up. Or, if the majors are compatible, it might also work. In addition, using it for production dependencies does not affect your consumers. That's an important aspect usually forgotten. It's one of those functionalities that you better understand the implications before using, and I wouldn't personally suggest it in yet-another-issue as a go-to solution. EDIT: I remember people also suggesting it for the |
Thanks, I am using netlify and I was also getting the same error yesterday. It got resolved through npm audit fix and just delete http-proxy from node-modules then do npm i.
High Denial of Service Package http-proxy Patched in No patch available Dependency of react-scripts Path react-scripts > webpack-dev-server > http-proxy-middleware > More info https://npmjs.com/advisories/1486 Low Prototype Pollution Package yargs-parser Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 Dependency of react-scripts Path react-scripts > webpack-dev-server > yargs > yargs-parser More info https://npmjs.com/advisories/1500 found 2 vulnerabilities (1 low, 1 high) in 1690 scanned packages |
That's why I always specify the parent, e.g: "resolutions": {
"**/http-proxy-middleware/http-proxy": "^1.18.1"
} Or even the full path: "resolutions": {
"react-scripts/webpack-dev-server/http-proxy-middleware/http-proxy": "^1.18.1"
} |
I can't say I think this is much better.
Referring to the above example, forced resolutions might actually cause future breakage. Consider a case where |
More info https://www.npmjs.com/advisories/1486
The text was updated successfully, but these errors were encountered: