
HAP-NodeJS 0.10.0 npm package vulnerabilities

Open n0rt0nthec4t opened this issue 3 years ago • 5 comments

Analysis

After installing released 0.10.0, npm audit reports the following issues with package dependencies:

npm audit fix

up to date, audited 95 packages in 2s

36 packages are looking for funding
  run `npm fund` for details

npm audit report

minimist  <0.2.1
Severity: moderate
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/optimist/node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist

put  *
Sensitive Data Exposure in put - https://github.com/advisories/GHSA-v6gv-fg46-h89j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/put
  @homebridge/dbus-native  *
  Depends on vulnerable versions of put
  node_modules/@homebridge/dbus-native
    hap-nodejs  0.10.0-beta.0 - 0.10.1-beta.0
    Depends on vulnerable versions of @homebridge/dbus-native
    node_modules/hap-nodejs

5 vulnerabilities (3 low, 2 moderate)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Expected Behavior

Dependent packages need to be updated to non-vulnerable versions.

Steps To Reproduce

.

Logs

.

Configuration

.

Environment

  • OS:
  • Software:
  • Node:
  • npm:

Process Supervisor

not applicable

Additional Context

.

n0rt0nthec4t Feb 01 '22 21:02

I have the same problem with the same [email protected] version.

mikanmi Feb 07 '22 02:02

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] Mar 09 '22 11:03

It's not stale.

n0rt0nthec4t Mar 09 '22 20:03

@Supereg is anything being done to address this?!?!

n0rt0nthec4t Mar 31 '22 21:03

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] May 01 '22 11:05

Any movement on this issue?? Seems a stalled project atm?

n0rt0nthec4t Sep 06 '22 22:09

Still issues with 0.10.3.

npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                



┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Prototype Pollution in minimist                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.2.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ hap-nodejs                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ hap-nodejs > @homebridge/dbus-native > optimist > minimist   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-xvch-5gv4-984h            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution in minimist                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ hap-nodejs                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ hap-nodejs > @homebridge/dbus-native > optimist > minimist   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-vh95-rmgr-6w4m            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Sensitive Data Exposure in put                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ put                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ hap-nodejs                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ hap-nodejs > @homebridge/dbus-native > put                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-v6gv-fg46-h89j            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 vulnerabilities (1 low, 2 moderate, 1 critical) in 98 scanned packages
  run `npm audit fix` to fix 1 of them.
  3 vulnerabilities require manual review. See the full report for details.

n0rt0nthec4t Sep 17 '22 22:09

The reported vulnerabilities didn't actually affect any users.

  • Vulnerabilities in optimist and minimist were in code files never actually executed by hap-nodejs (used for command-line interface of dbus-native)
  • put is only affected when running nodejs versions older than v6 which is not supported by HAP-NodeJS.

Since both packages are abandoned by their maintainers, I still addressed those issues by updating the dbus-native package (which introduced those dependencies). This way we get rid of the vulnerability warnings.

These fixes will be part of the upcoming v0.10.4 release.

bauer-andreas Sep 19 '22 10:09

Thanks for addressing the issue in an upcoming release.

n0rt0nthec4t Sep 19 '22 21:09