
[ php-wasm ] : `express` adds 8 vulnerabilities [ 1 low, 4 moderate, 3 high ]

Open mho22 opened this issue 1 year ago • 9 comments

I found out, by installing php-wasm/node and php-wasm/universal with version 0.9.46, that express will produce 8 vulnerabilities:

# npm audit report

body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via `npm audit fix --force`
Will install @php-wasm/[email protected], which is a breaking change
node_modules/body-parser
  express  *
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express
    @php-wasm/node  0.1.18 - 0.6.14 || >=0.7.5
    Depends on vulnerable versions of @wp-playground/wordpress
    Depends on vulnerable versions of express
    node_modules/@php-wasm/node
    @wp-playground/wordpress  >=0.9.17
    Depends on vulnerable versions of @php-wasm/node
    Depends on vulnerable versions of express
    node_modules/@wp-playground/wordpress

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install @php-wasm/[email protected], which is a breaking change
node_modules/cookie


path-to-regexp  <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install @php-wasm/[email protected], which is a breaking change
node_modules/path-to-regexp

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install @php-wasm/[email protected], which is a breaking change
node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static


8 vulnerabilities (1 low, 4 moderate, 3 high)

Everything seems to be related to the express version. Currently, express has version "4.19.2". It could have version "4.21.0". But I couldn't try it out to check if everything still works properly.

mho22 avatar Oct 07 '24 09:10 mho22

Express is only used in the local development setup so it's not that bad. It would be still nice to patch it, though.

adamziel avatar Oct 07 '24 19:10 adamziel

Would you be up for bumping the version @mho22 ?

adamziel avatar Oct 07 '24 19:10 adamziel

Ok @adamziel ! I'm on it !

mho22 avatar Oct 08 '24 06:10 mho22

I know this will represent a lot of work. But it would be fantastic to update every dependency correctly to have a clean npm install output:

npm warn ERESOLVE overriding peer dependency
npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated @npmcli/[email protected]: This functionality has been moved to @npmcli/fs
npm warn deprecated [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm warn deprecated [email protected]: This package is no longer supported. Please use @npmcli/package-json instead.
npm warn deprecated @babel/[email protected]: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-properties instead.
npm warn deprecated [email protected]: This package is no longer supported. Please use @npmcli/package-json instead.
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: Use String.prototype.trim() instead
npm warn deprecated @babel/[email protected]: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-object-rest-spread instead.
npm warn deprecated @humanwhocodes/[email protected]: Use @eslint/config-array instead
npm warn deprecated [email protected]: Use your platform's native atob() and btoa() methods instead
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: This is probably built in to whatever tool you're using. If you still need it... idk
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated @humanwhocodes/[email protected]: Use @eslint/object-schema instead
npm warn deprecated @vitest/[email protected]: v8 coverage is moved to @vitest/coverage-v8 package
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: This package is now deprecated. Move to @xterm/addon-fit instead.
npm warn deprecated [email protected]: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.
npm warn deprecated
npm warn deprecated (For a CapTP with native promises, see @endo/eventual-send and @endo/captp)
npm warn deprecated [email protected]: Use your platform's native DOMException instead
npm warn deprecated [email protected]: Please use @jridgewell/sourcemap-codec instead
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: please use @rollup/plugin-typescript and rollup-plugin-dts instead
npm warn deprecated [email protected]: This package is now deprecated. Move to @xterm/xterm instead.
npm warn deprecated [email protected]: This version is no longer supported. Please see https://eslint.org/version-support for other options.
npm warn deprecated [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

> [email protected] prepare
> husky install

husky - Git hooks installed

added 4024 packages, and audited 4051 packages in 2m

543 packages are looking for funding
  run `npm fund` for details

42 vulnerabilities (20 moderate, 22 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.


I started to do this by removing the @types/ajv dev-dependency because:

npm warn deprecated @types/[email protected]: This is a stub types definition for ajv (https://github.com/epoberezkin/ajv). ajv provides its own type definitions, so you don't need @types/ajv installed!


But when I went on, it became a lot more complicated. Indeed.

mho22 avatar Oct 09 '24 08:10 mho22

I surely appreciate WordPress in moments like this for its BC commitment. Keeping up with all the JavaScript dependencies is just too difficult. Luckily, most of these packages are only used in the dev environment. Imagine if Playground was running a production express.js server 😱

adamziel avatar Oct 09 '24 12:10 adamziel

I certainly went too far this time: I wanted to determine if an update was possible here. I tried a lot of adjustments to make this work. But unfortunately some packages won't update deprecations or vulnerabilities yet. Especially: docusaurus.

I updated the packages and managed to reduce the number of vulnerabilities from 42 to 19 and the warnings from 57 to 22, but it's still not enough.

Here is the list of warnings from above and which package is responsible for each:

inflight : jest & nx/jest
stable : nx/rollup
@humanwhocodes : eslint
abab : jest
rimraf : docusaurus & eslint
acorn-dynamic-import : docusaurus
glob : jest & nx/jest & nx/rollup & nx/webpack & docusaurus & gh-pages
domexception : jest-environment-jsdom
sourcemap-codec : docusaurus
eslint : eslint

Concerning the majority of vulnerabilities, this is due to path-to-regexp, which is used in probably every package from docusaurus, totaling 19 high severity vulnerabilities here. [I know this isn't that important, but I don't like to see red and yellow words on my terminal]

Anyway, I had some questions:

  • Is Jest still needed? I think Vite is used for tests
  • Is vitepress still needed? I think Docusaurus is used today
  • Is Webpack still needed? I think Vite is used for compilation
  • Is ESBuild still needed?
  • Could Eslint be upgraded to V9's flat config?
  • Do you think there are other unused packages that can be removed from these lists?
  • Is it useful to clean and update what can be cleaned or updated?

mho22 avatar Oct 10 '24 12:10 mho22
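The two posts above do by hand what a small script can do for you: read the `npm audit` report, find the advisory each vulnerable package traces back to, and walk the dependents up to the direct dependencies that actually pull it in. The script below is an added example of mine, not code from this issue or from the wordpress-playground project. It runs on a constructed sample report that mirrors the audit in the first post; the field names (`auditReportVersion`, `vulnerabilities`, `via`, `effects`, `isDirect`, `fixAvailable`) follow the JSON schema of `npm audit --json` on npm 7 and later, and the fix version is a placeholder rather than a real release number.

```javascript
'use strict';

// Constructed sample mirroring the `npm audit` output quoted in this issue.
// Only the shape is meant to be accurate; versions and fix targets are
// placeholders, not real package data.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'body-parser': {
      name: 'body-parser', severity: 'high', isDirect: false, range: '<1.20.3',
      via: [{ title: 'body-parser vulnerable to denial of service when url encoding is enabled',
              url: 'https://github.com/advisories/GHSA-qwcr-r2fm-qrc7', severity: 'high', range: '<1.20.3' }],
      effects: ['express'],
      fixAvailable: { name: '@php-wasm/node', version: 'X.Y.Z-placeholder', isSemVerMajor: true },
    },
    cookie: {
      name: 'cookie', severity: 'low', isDirect: false, range: '<0.7.0',
      via: [{ title: 'cookie accepts cookie name, path, and domain with out of bounds characters',
              url: 'https://github.com/advisories/GHSA-pxg6-pf52-xh8x', severity: 'low', range: '<0.7.0' }],
      effects: ['express'],
      fixAvailable: { name: '@php-wasm/node', version: 'X.Y.Z-placeholder', isSemVerMajor: true },
    },
    'path-to-regexp': {
      name: 'path-to-regexp', severity: 'high', isDirect: false, range: '<0.1.10',
      via: [{ title: 'path-to-regexp outputs backtracking regular expressions',
              url: 'https://github.com/advisories/GHSA-9wv6-86v2-598j', severity: 'high', range: '<0.1.10' }],
      effects: ['express'],
      fixAvailable: { name: '@php-wasm/node', version: 'X.Y.Z-placeholder', isSemVerMajor: true },
    },
    send: {
      name: 'send', severity: 'moderate', isDirect: false, range: '<0.19.0',
      via: [{ title: 'send vulnerable to template injection that can lead to XSS',
              url: 'https://github.com/advisories/GHSA-m6fv-jmcg-4jfg', severity: 'moderate', range: '<0.19.0' }],
      effects: ['express', 'serve-static'],
      fixAvailable: { name: '@php-wasm/node', version: 'X.Y.Z-placeholder', isSemVerMajor: true },
    },
    // Transitive entries: `via` names the vulnerable package they inherit from.
    'serve-static': { name: 'serve-static', severity: 'moderate', isDirect: false, range: '<=1.16.0',
                      via: ['send'], effects: ['express'], fixAvailable: true },
    express: { name: 'express', severity: 'high', isDirect: false, range: '*',
               via: ['body-parser', 'cookie', 'path-to-regexp', 'send', 'serve-static'],
               effects: ['@php-wasm/node', '@wp-playground/wordpress'], fixAvailable: true },
    // The two workspace packages depend on each other, so `effects` forms a cycle.
    '@php-wasm/node': { name: '@php-wasm/node', severity: 'high', isDirect: true,
                        range: '0.1.18 - 0.6.14 || >=0.7.5', via: ['express', '@wp-playground/wordpress'],
                        effects: ['@wp-playground/wordpress'], fixAvailable: true },
    '@wp-playground/wordpress': { name: '@wp-playground/wordpress', severity: 'high', isDirect: true,
                                  range: '>=0.9.17', via: ['express', '@php-wasm/node'],
                                  effects: ['@php-wasm/node'], fixAvailable: true },
  },
};

// A root advisory is an object inside `via`; a string there only points at
// another vulnerable package, so it is not counted as a separate finding.
function rootAdvisories(report) {
  const out = [];
  for (const entry of Object.values(report.vulnerabilities)) {
    for (const v of entry.via) {
      if (typeof v !== 'object') continue;
      out.push({
        package: entry.name, severity: v.severity, title: v.title, url: v.url, vulnerableRange: v.range,
        fixIsBreaking: typeof entry.fixAvailable === 'object' && entry.fixAvailable.isSemVerMajor === true,
      });
    }
  }
  return out;
}

// Follow `effects` edges upward until we reach packages the project depends on
// directly. The visited set guards against the cycle between workspace packages.
function directDependentsOf(report, pkg) {
  const vulns = report.vulnerabilities;
  const seen = new Set();
  const direct = new Set();
  const stack = [pkg];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const entry = vulns[name];
    if (!entry) continue;
    if (entry.isDirect) direct.add(name);
    for (const e of entry.effects) stack.push(e);
  }
  return [...direct].sort();
}

const SEVERITY_ORDER = ['critical', 'high', 'moderate', 'low', 'info'];

// Per-advisory view sorted by severity, plus counts a reviewer wants at a glance.
function summarize(report) {
  const advisories = rootAdvisories(report).map((a) => ({ ...a, reachedVia: directDependentsOf(report, a.package) }));
  advisories.sort((x, y) => SEVERITY_ORDER.indexOf(x.severity) - SEVERITY_ORDER.indexOf(y.severity));
  const bySeverity = {};
  for (const a of advisories) bySeverity[a.severity] = (bySeverity[a.severity] || 0) + 1;
  return {
    advisories,
    bySeverity,
    breakingFixes: advisories.filter((a) => a.fixIsBreaking).length,
    vulnerableEntries: Object.keys(report.vulnerabilities).length,
  };
}

function formatReport(summary) {
  const lines = [];
  for (const a of summary.advisories) {
    lines.push(`[${a.severity}] ${a.package} ${a.vulnerableRange}: ${a.title}`);
    lines.push(`    ${a.url}`);
    lines.push(`    reaches direct deps: ${a.reachedVia.join(', ') || '(none)'}${a.fixIsBreaking ? '  (fix is semver-major)' : ''}`);
  }
  lines.push(`${summary.vulnerableEntries} vulnerable packages, ${summary.advisories.length} root advisories: ${JSON.stringify(summary.bySeverity)}`);
  return lines.join('\n');
}

console.log(formatReport(summarize(SAMPLE_AUDIT)));
```

On a real checkout you would replace `SAMPLE_AUDIT` with `JSON.parse` of the `npm audit --json` output. The useful signal for a cleanup like the one discussed here is the `reaches direct deps` line: npm counts every package on the path as a vulnerability, so eight entries collapse to four advisories, all reached through the same two workspace packages, which is why bumping a single transitive dependency (express) resolves the whole set.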

Especially: docusaurus.

Yes 😥

I tried updating all high-severity vulnerabilities in the past and couldn't get it to work because of Docusaurus.

bgrgicak avatar Oct 10 '24 12:10 bgrgicak

Thank you so much for all your hard work here @mho22!

I think we can get rid of jest and vitepress. Webpack probably, too. We do use ESBuild to build @php-wasm/node – if you know how to make it work with Vite, I'd love to do that instead.

Could Eslint be upgraded to V9's flat config?

I don't see any reason not to.

Do you think there are other unused packages that can be removed from these lists?

Cypress, once we port the remaining e2e tests to playwright. Also, I'm not sure if we need swc.

Is it useful to clean and update what can be cleaned or updated?

I'm not sure, actually. It's surely nicer to have a smaller project with less stale dependencies, but I can't point to any tangible benefit a long and difficult cleanup would buy today.

adamziel avatar Oct 16 '24 23:10 adamziel

@adamziel I have a local branch with all the updates I made in the comment above. Bringing the updates you suggested in your comment onto that branch and testing the removal of specific packages gave me this clean message 🥳:

Image

The packages I intentionally removed were:

"@docusaurus/core": "^3.5.2",
"@docusaurus/plugin-client-redirects": "^3.5.2",
"@docusaurus/plugin-ideal-image": "^3.5.2",
"@docusaurus/preset-classic": "^3.5.2",
"@docusaurus/theme-live-codeblock": "^3.5.2",
"docusaurus-plugin-typedoc-api": "^4.4.0",

...

"@nx/node": "^20.0.1", 
"@nx/rollup": "^20.0.1",
"@nx/plugin": "^20.0.1",

These packages, individually added, produced the following warnings:

Each docusaurus package:


npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported



@nx/node:

npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported



@nx/rollup:

npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported



@nx/plugin:

npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported

This is the result when I install the missing dependencies:

Image

Almost clean. Can't do better. But now:

  • eslintrc.json files must be migrated to eslint.config.js files
  • Tests must pass [currently:]

Image

I haven't removed esbuild [and cypress, obviously] yet. But if I do:

  • the build.js file should be removed from php-wasm/node and the builds should be integrated into php-wasm/node/vite.config.json


I agree with you about the utility of the cleanup. But when I started doing this, I found out that some tests were failing with updated dependencies. For example:

packages/php-wasm/stream-compression/src/test/append-bytes.spec.ts

expect(result1.value).toEqual(new Uint8Array([1, 2, 3]));

indicated that result1.value was not equal to new Uint8Array([1, 2, 3]), but Array.from(new Uint8Array([1, 2, 3])) was.

So I suppose this might be useful. And by 'might', I mean probably not, but why not give it a chance while I can.

If I can make it work, should I share the pull request for analysis?

mho22 avatar Oct 17 '24 12:10 mho22