eventcatalog
NPM audit shows 8 vulnerabilities (I believe some package requires upgrade)
Have you read the Contributing Guidelines on issues?
- [X] I have read the Contributing Guidelines on issues.
Description
NPM Audit shows 8 vulnerabilities (3 moderate, 5 high).
These might not be real security issues (however, it just creates extra hindrance for the internal security approval).
Not that it is important, but I can confirm the issue is on both Windows and Mac.
Steps to reproduce
- Follow the steps here and scaffold a new project: https://www.eventcatalog.dev/docs/installation
- run `npm audit`
- it shows 8 vulnerabilities (3 moderate, 5 high)
npm audit fix does not help in this case.
Expected behavior
NPM audit should not show any high vulnerabilities.
Actual behavior
Your environment
- EventCatalog version used: (2.18 and 2.19)
- Operating system and version (e.g. Ubuntu 20.04.2 LTS): Mac, Windows 10
Thanks for raising this @chotalia , I know it's not ideal, will try and have a look.
If anyone wants to help support that would be great. If we could find which packages need updating.
Run `npm audit` for details.
Please also see https://overreacted.io/npm-audit-broken-by-design/; in many cases not all security issues can be fixed (because then the application may break).
d3-color <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @eventcatalog/[email protected], which is a breaking change
node_modules/dagre-d3/node_modules/d3-color
d3 4.0.0-alpha.1 - 6.7.0
Depends on vulnerable versions of d3-brush
Depends on vulnerable versions of d3-color
Depends on vulnerable versions of d3-interpolate
Depends on vulnerable versions of d3-scale
Depends on vulnerable versions of d3-transition
Depends on vulnerable versions of d3-zoom
node_modules/dagre-d3/node_modules/d3
dagre-d3 >=0.5.0
Depends on vulnerable versions of d3
node_modules/dagre-d3
mermaid 8.4.1 - 8.4.2 || 8.4.4 - 9.2.3-rc.1
Depends on vulnerable versions of dagre-d3
node_modules/mermaid
@eventcatalog/core *
Depends on vulnerable versions of mermaid
Depends on vulnerable versions of next-mdx-remote
node_modules/@eventcatalog/core
d3-interpolate 0.1.3 - 2.0.1
Depends on vulnerable versions of d3-color
node_modules/dagre-d3/node_modules/d3-interpolate
d3-brush 0.1.0 - 2.1.0
Depends on vulnerable versions of d3-interpolate
Depends on vulnerable versions of d3-transition
node_modules/dagre-d3/node_modules/d3-brush
d3-scale 0.1.5 - 3.3.0
Depends on vulnerable versions of d3-interpolate
node_modules/dagre-d3/node_modules/d3-scale
d3-scale-chromatic 0.1.0 - 2.0.0
Depends on vulnerable versions of d3-color
Depends on vulnerable versions of d3-interpolate
node_modules/dagre-d3/node_modules/d3-scale-chromatic
d3-transition 0.0.7 - 2.0.0
Depends on vulnerable versions of d3-color
Depends on vulnerable versions of d3-interpolate
node_modules/dagre-d3/node_modules/d3-transition
d3-zoom 0.0.2 - 2.0.0
Depends on vulnerable versions of d3-interpolate
Depends on vulnerable versions of d3-transition
node_modules/dagre-d3/node_modules/d3-zoom
trim <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix --force`
Will install @eventcatalog/[email protected], which is a breaking change
node_modules/trim
remark-parse <=8.0.3
Depends on vulnerable versions of trim
node_modules/@mdx-js/mdx/node_modules/remark-parse
node_modules/remark-mdx/node_modules/remark-parse
@mdx-js/mdx <=1.6.22
Depends on vulnerable versions of remark-mdx
Depends on vulnerable versions of remark-parse
node_modules/@mdx-js/mdx
next-mdx-remote <=3.0.8
Depends on vulnerable versions of @mdx-js/mdx
node_modules/next-mdx-remote
remark-mdx <=1.6.22
Depends on vulnerable versions of remark-parse
node_modules/remark-mdx
16 high severity vulnerabilities
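The audit output above lists 16 findings, but only two of them are actual advisories (the ReDoS in `trim` <0.0.3 and in `d3-color` <3.1.0); everything else is flagged only because it "depends on vulnerable versions of" something lower in the tree, and both chains end at the direct dependency `@eventcatalog/core`. As an added example (not code from the EventCatalog project or from anyone in this thread), the script below does that triage mechanically on `npm audit --json` output (report schema version 2, npm 7 and later): it separates packages carrying an advisory from the pass-through ones, follows the `effects` edges up to the direct dependencies that pull them in, and proposes `overrides` (npm 8.3 and later) or `resolutions` (yarn classic) entries that pin the transitive package to the first patched version. The embedded report is constructed by hand from the chains shown above, with the d3 chain shortened to one intermediate package; the function names are mine.

```javascript
// Added example, not EventCatalog code. Triage of `npm audit --json` output:
// find the packages that actually carry an advisory, trace who pulls them in,
// and propose an override pinning each one to its first patched version.

// Constructed sample in the npm v7+ audit JSON shape (auditReportVersion 2).
// Mirrors the two chains in the thread; the real d3 chain has more d3-* hops.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    trim: { name: 'trim', severity: 'high', isDirect: false, range: '<0.0.3',
      via: [{ source: 1, name: 'trim', dependency: 'trim', severity: 'high', range: '<0.0.3',
        title: 'Regular Expression Denial of Service in trim',
        url: 'https://github.com/advisories/GHSA-w5p7-h5w8-2hfq' }],
      effects: ['remark-parse'], nodes: ['node_modules/trim'] },
    'remark-parse': { name: 'remark-parse', severity: 'high', isDirect: false, range: '<=8.0.3',
      via: ['trim'], effects: ['@mdx-js/mdx', 'remark-mdx'], nodes: [] },
    'remark-mdx': { name: 'remark-mdx', severity: 'high', isDirect: false, range: '<=1.6.22',
      via: ['remark-parse'], effects: ['@mdx-js/mdx'], nodes: [] },
    '@mdx-js/mdx': { name: '@mdx-js/mdx', severity: 'high', isDirect: false, range: '<=1.6.22',
      via: ['remark-mdx', 'remark-parse'], effects: ['next-mdx-remote'], nodes: [] },
    'next-mdx-remote': { name: 'next-mdx-remote', severity: 'high', isDirect: false, range: '<=3.0.8',
      via: ['@mdx-js/mdx'], effects: ['@eventcatalog/core'], nodes: [] },
    'd3-color': { name: 'd3-color', severity: 'high', isDirect: false, range: '<3.1.0',
      via: [{ source: 2, name: 'd3-color', dependency: 'd3-color', severity: 'high', range: '<3.1.0',
        title: 'd3-color vulnerable to ReDoS',
        url: 'https://github.com/advisories/GHSA-36jr-mh4h-2g58' }],
      effects: ['d3-interpolate'], nodes: [] },
    'd3-interpolate': { name: 'd3-interpolate', severity: 'high', isDirect: false, range: '0.1.3 - 2.0.1',
      via: ['d3-color'], effects: ['dagre-d3'], nodes: [] },
    'dagre-d3': { name: 'dagre-d3', severity: 'high', isDirect: false, range: '>=0.5.0',
      via: ['d3-interpolate'], effects: ['mermaid'], nodes: [] },
    mermaid: { name: 'mermaid', severity: 'high', isDirect: false, range: '8.4.1 - 9.2.3-rc.1',
      via: ['dagre-d3'], effects: ['@eventcatalog/core'], nodes: [] },
    '@eventcatalog/core': { name: '@eventcatalog/core', severity: 'high', isDirect: true, range: '*',
      via: ['mermaid', 'next-mdx-remote'], effects: [], nodes: [] },
  },
};

// Packages whose `via` holds an advisory object (not just another package name).
function rootCauses(report) {
  return Object.entries(report.vulnerabilities)
    .map(([name, e]) => ({ name, range: e.range, advisories: e.via.filter(v => typeof v === 'object') }))
    .filter(rc => rc.advisories.length > 0);
}

// Follow `effects` (who depends on me) upward until a direct dependency; returns every distinct chain.
function chainsToDirect(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name)) return [];           // unknown node or cycle guard
  if (entry.isDirect || entry.effects.length === 0) return [[name]];
  const next = new Set(seen).add(name);
  const chains = [];
  for (const parent of entry.effects)
    for (const chain of chainsToDirect(report, parent, next)) chains.push([name, ...chain]);
  return chains;
}

// The direct dependencies that need a bump for all advisories to disappear.
function directDependenciesToUpdate(report) {
  const direct = new Set();
  for (const rc of rootCauses(report))
    for (const chain of chainsToDirect(report, rc.name)) direct.add(chain[chain.length - 1]);
  return [...direct].sort();
}

// Heuristic: an advisory range of exactly "<X" means X is the first patched release.
// Any other shape ("<=8.0.3", "0.1.3 - 2.0.1") needs a human to pick the version.
function firstPatchedVersion(advisoryRange) {
  const m = /^<(\d+\.\d+\.\d+)$/.exec(advisoryRange.trim());
  return m ? m[1] : null;
}

function cmpVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Proposed package.json `overrides` (npm) / `resolutions` (yarn classic) entries.
function proposeOverrides(report) {
  const overrides = {};
  for (const rc of rootCauses(report)) {
    const floors = rc.advisories.map(a => firstPatchedVersion(a.range));
    if (floors.some(f => f === null)) continue;       // leave for manual review
    overrides[rc.name] = `>=${floors.reduce((hi, v) => (cmpVersions(v, hi) > 0 ? v : hi))}`;
  }
  return overrides;
}

console.log('direct deps to bump:', directDependenciesToUpdate(SAMPLE_AUDIT));
console.log('proposed overrides:', JSON.stringify(proposeOverrides(SAMPLE_AUDIT), null, 2));
```

Two caveats when applying the output. An override forces `remark-parse` or `d3-interpolate` onto a `trim`/`d3-color` version their own `package.json` never declared support for, so run the test suite and `npm audit` again afterwards rather than trusting the empty report; and both advisories are ReDoS, which is only reachable where an attacker controls the string fed to the affected regex, so the override is a way to clear the report while the proper fix remains the upstream bump of `@eventcatalog/core`.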
I tried to take a stab at updating next-mdx-remote 3.0.8 to latest. This is the module that has some dependencies that have some dependencies that use the very early and high-vulnerability trim.
But it looks like there was a major change after 3.0.8 (4.x) that is incompatible with other dependencies and it won't pass tests.
FAIL packages/eventcatalog/lib/__tests__/services.spec.ts
● Test suite failed to run
Jest encountered an unexpected token
Jest failed to parse a file. This happens e.g. when your code or its dependencies use non-standard JavaScript syntax, or when Jest is not configured to support such syntax.
Out of the box Jest supports Babel, which will be used to transform your files into valid JS based on your Babel configuration.
By default "node_modules" folder is ignored by transformers.
Here's what you can do:
• If you are trying to use ECMAScript Modules, see https://jestjs.io/docs/ecmascript-modules for how to enable it.
• If you are trying to use TypeScript, see https://jestjs.io/docs/getting-started#using-typescript
• To have some of your "node_modules" files transformed, you can specify a custom "transformIgnorePatterns" in your config.
• If you need a custom transformation specify a "transform" option in your config.
• If you simply want to mock your non-JS modules (e.g. binary assets) you can stub them out with the "moduleNameMapper" config option.
You'll find more details and examples of these config options in the docs:
https://jestjs.io/docs/configuration
For information about custom transformations, see:
https://jestjs.io/docs/code-transformation
Details:
/Users/rberger/work/informed/eventcatalog/node_modules/next-mdx-remote/serialize.js:6
import { serialize } from './dist/serialize.js'
^^^^^^
SyntaxError: Cannot use import statement outside a module
1 | import fs from 'fs';
2 | import path from 'path';
> 3 | import { serialize } from 'next-mdx-remote/serialize';
| ^
4 | import { Service, Event } from '@eventcatalog/types';
5 | import { readMarkdownFile, getLastModifiedDateOfFile, getOpenAPISpecFromDir, getAsyncAPISpecFromDir } from '@/lib/file-reader';
6 | import { MarkdownFile } from '../types/index';
at Runtime.createScriptFromCode (node_modules/jest-runtime/build/index.js:1496:14)
at Object.require (packages/eventcatalog/lib/services.ts:3:1)
at Object.require (packages/eventcatalog/lib/__tests__/services.spec.ts:2:1)
At this point it's beyond my understanding of next.js, react, mdx to know how to fix it. I've taken a few stabs but they just made it worse. I suspect that a lot of things need to be updated to make this work.
But this is considered a pretty high vulnerability and our security folks want to have it fixed or we have to remove EventCatalog. It would be great if someone could take a look at this.
I created a pull request that fixes the trim vulnerability via a yarn resolution #447