
`ini` has security issue.

Open koh110 opened this issue 4 years ago • 2 comments

ini has security issue.

This issue was detected by a vulnerability scanner when I updated lighthouse-ci.

I looked in package-lock.json and found 2 modules (rc, global-dirs) that depend on "ini".

    "rc": {
      "version": "1.2.8",
      "resolved": "https://registry.npmjs.org/rc/-/rc-1.2.8.tgz",
      "integrity": "sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==",
      "requires": {
        "deep-extend": "^0.6.0",
        "ini": "~1.3.0",
        "minimist": "^1.2.0",
        "strip-json-comments": "~2.0.1"
      }
    },
-----
        "global-dirs": {
          "version": "0.1.1",
          "resolved": "https://registry.npmjs.org/global-dirs/-/global-dirs-0.1.1.tgz",
          "integrity": "sha1-sxnA3UYH81PzvpzKTHL8FIxJ9EU=",
          "requires": {
            "ini": "^1.3.4"
          }
        },
-----
    "global-dirs": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/global-dirs/-/global-dirs-2.1.0.tgz",
      "integrity": "sha512-MG6kdOUh/xBnyo9cJFeIKkLEc1AyFq42QTU4XiX51i2NEdxLxLWXIjEjmqKeSuKR7pAZjTqUVoT2b2huxVLgYQ==",
      "requires": {
        "ini": "1.3.7"
      }
    },

Ref: https://github.com/GoogleChrome/lighthouse-ci/blob/master/yarn.lock#L17039

Looking at the dependencies, it seems that update-notifier depends on ini.

update-notifier
  |- latest-version
  |     |- package-json
  |          |- registry-auth-token
  |              |- rc
  |                |- ini
  |
  |- is-installed-globally
    |- global-dirs
      |- ini

Unfortunately, even the latest version of update-notifier doesn't seem to have solved the problem. https://github.com/yeoman/update-notifier

[email protected] ([email protected]) depends on [email protected]. But [email protected] ([email protected], [email protected], [email protected]) depends on [email protected]

Should update-notifier be removed? I think it would be best to commit to registry-auth-token, but it seems to take too much time.

koh110 avatar Feb 03 '21 10:02 koh110
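An added example, not from the issue or the lighthouse-ci project, that automates the lockfile search described above: it walks a lockfileVersion-1 package-lock.json (a constructed sample that mirrors the issue's chain, with illustrative versions), lists every path from update-notifier to ini together with the version that actually resolves at each point, and flags versions below an assumed minimum (MIN_SAFE_INI is set to 1.3.6 here as an assumption; take the real threshold from the advisory).

```javascript
// Added example (not from the issue or the lighthouse-ci project): walk an npm
// lockfileVersion-1 package-lock.json, list every path from a root package to a
// target, and flag resolved versions below a minimum. Resolution follows npm: a
// "requires" entry is satisfied by the nearest enclosing "dependencies" map.
// CONSTRUCTED lockfile mirroring the chain in the issue; versions are illustrative.
const lock = { dependencies: {
  "update-notifier": { version: "4.1.0",
    requires: { "latest-version": "^5.0.0", "is-installed-globally": "^0.3.1" } },
  "latest-version": { version: "5.1.0", requires: { "package-json": "^6.3.0" } },
  "package-json": { version: "6.5.0", requires: { "registry-auth-token": "^4.0.0" } },
  "registry-auth-token": { version: "4.2.1", requires: { rc: "^1.2.8" } },
  rc: { version: "1.2.8", requires: { ini: "~1.3.0" } },
  "is-installed-globally": { version: "0.3.2", requires: { "global-dirs": "^2.0.1" },
    // nested global-dirs pins a newer ini than the root copy, so it resolves separately
    dependencies: { "global-dirs": { version: "2.1.0", requires: { ini: "1.3.7" },
      dependencies: { ini: { version: "1.3.7" } } } } },
  ini: { version: "1.3.5" },
} };
// ASSUMED threshold (take the real one from the advisory): first ini release treated as safe.
const MIN_SAFE_INI = "1.3.6";
function versionLt(a, b) { // numeric x.y.z compare; enough for the release versions in a lockfile
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}
// Returns [{ path, version, vulnerable }] for every route rootName -> ... -> target.
function findPaths(lockfile, rootName, target, minSafe) {
  const results = [];
  const resolve = (name, scopes) => { // innermost scope that holds `name` wins
    const i = scopes.map(s => s && s[name] ? 1 : 0).lastIndexOf(1);
    return i < 0 ? null : { node: scopes[i][name], scopes: scopes.slice(0, i + 1) };
  };
  const walk = (name, node, scopes, path, seen) => {
    if (seen.has(name)) return; // guard against dependency cycles
    const here = [...path, `${name}@${node.version}`];
    if (name === target) {
      results.push({ path: here.join(" > "), version: node.version, vulnerable: versionLt(node.version, minSafe) });
      return;
    }
    for (const dep of Object.keys(node.requires || {})) {
      const r = resolve(dep, [...scopes, node.dependencies]);
      if (r) walk(dep, r.node, r.scopes, here, new Set([...seen, name]));
    }
  };
  const root = lockfile.dependencies[rootName];
  if (root) walk(rootName, root, [lockfile.dependencies], [], new Set());
  return results;
}
findPaths(lock, "update-notifier", "ini", MIN_SAFE_INI).forEach(r => console.log(r.vulnerable ? "VULNERABLE" : "ok", r.path));
```

Against a real package-lock.json, replace the constructed `lock` object with `JSON.parse(fs.readFileSync("package-lock.json"))`; the two routes the issue describes (via rc and via global-dirs) show up as separate lines with the ini version each one actually resolves.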

Thanks for filing @koh110! We're not concerned enough about this vulnerability (low severity, requires an attacker to already be able to write .ini files to sensitive directories) to justify completely removing update notifications, but we'll happily update our semver range if necessary when the chain of dependencies requires it.

patrickhulce avatar Feb 03 '21 15:02 patrickhulce

Thanks for your response! I agree with your comment.

> We're not concerned enough about this vulnerability

If the dependencies are updated I will comment here again or create a PR.

koh110 avatar Feb 04 '21 10:02 koh110