
Help wanted: Update dependencies per `npm audit`

Open kirsle opened this issue 2 years ago • 3 comments

GitHub regularly warns me that several dependencies in rivescript-js's tree have vulnerabilities. I have tried on a number of occasions to upgrade all the dependencies, and only end up getting myself into dependency hell.

RiveScript.js is intended to be extremely light on dependencies, with its package.json naming only three:

  • babel-loader ^7.1.5
  • babel-polyfill ^6.26.0
  • fs-readdir-recursive ^1.0.0

The babel dependencies are really only so the shell.js and unit tests and things like that work as-is in the git repo. The fs-readdir-recursive dependency could be removed by just manually writing a recursive directory scan function using the Node standard fs library in place of this line of code. For some reason, trying to upgrade all of these leads to chaos and vulnerabilities remain in their dependency trees in a way I have not been able to resolve.

Help needed if you want to take a stab at it!

For full disclosure, the npm audit report at time of writing is as follows:

# npm audit report

braces  <2.3.1
Regular Expression Denial of Service - https://npmjs.com/advisories/786
No fix available
node_modules/braces
  micromatch  0.2.0 - 2.3.11
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of parse-glob
  node_modules/micromatch
    anymatch  1.2.0 - 1.3.2
    Depends on vulnerable versions of micromatch
    node_modules/anymatch
      chokidar  1.0.0-rc1 - 2.1.8
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of glob-parent
      node_modules/chokidar
      node_modules/watchpack/node_modules/chokidar
        babel-cli  *
        Depends on vulnerable versions of chokidar
        node_modules/babel-cli
        watchpack  0.2.2 - 1.6.1
        Depends on vulnerable versions of chokidar
        node_modules/watchpack

diff  <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/diff
  tap-mocha-reporter  0.0.4 - 5.0.0
  Depends on vulnerable versions of diff
  node_modules/tap-mocha-reporter
    tap  7.0.0 - 14.6.7 || 14.10.2-totally-bundled - 14.10.2-unbundled
    Depends on vulnerable versions of tap-mocha-reporter
    node_modules/tap
      nodeunit  >=0.9.3
      Depends on vulnerable versions of tap
      node_modules/nodeunit

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
No fix available
node_modules/glob-parent
node_modules/watchpack/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of anymatch
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
  node_modules/watchpack/node_modules/chokidar
    babel-cli  *
    Depends on vulnerable versions of chokidar
    node_modules/babel-cli
    watchpack  0.2.2 - 1.6.1
    Depends on vulnerable versions of chokidar
    node_modules/watchpack
  glob-base  *
  Depends on vulnerable versions of glob-parent
  node_modules/glob-base
    parse-glob  >=2.1.0
    Depends on vulnerable versions of glob-base
    node_modules/parse-glob
      micromatch  0.2.0 - 2.3.11
      Depends on vulnerable versions of braces
      Depends on vulnerable versions of parse-glob
      node_modules/micromatch
        anymatch  1.2.0 - 1.3.2
        Depends on vulnerable versions of micromatch
        node_modules/anymatch

kind-of  6.0.0 - 6.0.2
Validation Bypass - https://npmjs.com/advisories/1490
fix available via `npm audit fix`
node_modules/base/node_modules/kind-of
node_modules/define-property/node_modules/kind-of
node_modules/findup-sync/node_modules/kind-of
node_modules/nanomatch/node_modules/kind-of
node_modules/randomatic/node_modules/kind-of
node_modules/snapdragon-node/node_modules/kind-of
node_modules/watchpack/node_modules/kind-of
node_modules/webpack/node_modules/kind-of

minimist  <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix`
node_modules/fsevents/node_modules/minimist
node_modules/fsevents/node_modules/rc/node_modules/minimist
node_modules/minimist
node_modules/mkdirp/node_modules/minimist
node_modules/watchpack/node_modules/fsevents/node_modules/minimist
node_modules/watchpack/node_modules/fsevents/node_modules/rc/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/fsevents/node_modules/mkdirp
  node_modules/mkdirp
  node_modules/watchpack/node_modules/fsevents/node_modules/mkdirp

serialize-javascript  <3.1.0
Severity: high
Remote Code Execution - https://npmjs.com/advisories/1548
fix available via `npm audit fix`
node_modules/serialize-javascript
  terser-webpack-plugin  <=1.4.3 || 2.0.0 - 2.3.5
  Depends on vulnerable versions of serialize-javascript
  node_modules/terser-webpack-plugin

tar  <=4.4.17 || 5.0.0 - 5.0.9 || 6.0.0 - 6.1.8
Severity: high
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://npmjs.com/advisories/1770
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://npmjs.com/advisories/1771
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://npmjs.com/advisories/1779
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://npmjs.com/advisories/1780
fix available via `npm audit fix`
node_modules/fsevents/node_modules/tar
node_modules/watchpack/node_modules/fsevents/node_modules/tar

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix`
node_modules/nyc/node_modules/yargs-parser
node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    webpack-cli  <=0.0.8-development || 1.3.0 - 3.3.4
    Depends on vulnerable versions of yargs
    node_modules/webpack-cli

22 vulnerabilities (8 low, 7 moderate, 7 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

kirsle avatar Oct 02 '21 04:10 kirsle

Sorry, I can't help on this. fs-related packages are a nightmare. I had to import file by file. I'm discovering Rivescript (yep, after the party's over, but I see so much potential in it, despite playing with nlp for years) so I can't tell for others.

j2l avatar Dec 02 '21 11:12 j2l

OK, I gave it a try (to see if the fix I proposed about the "add" (and other) functions was working).

Even [email protected] install is problematic nowadays:

found 24 vulnerabilities (1 low, 9 moderate, 14 high)
fixed 0 of 24 vulnerabilities in 895 scanned packages
  15 vulnerabilities required manual review and could not be updated
  1 package update for 9 vulnerabilities involved breaking changes

Do you think using another packaging like rollup or snowpack could work?

j2l avatar Dec 09 '21 13:12 j2l

I think the issue lies in the node modules, not so much the package manager?

A lot of them have open issues ranging from low to high when visiting their github pages, but I may be misunderstanding the question.

I haven't contributed much; I mainly used rivescript for a private chatbot for the last 2 years and fixed issues on my own, but the ones I fixed seem to not be issues now in the main js git.

telnetd4f avatar Dec 24 '21 16:12 telnetd4f