
NPM audit shows 8 vulnerabilities (I believe some package requires upgrade)

Open chotalia opened this issue 2 years ago • 5 comments

Have you read the Contributing Guidelines on issues?

Description

NPM Audit shows 8 vulnerabilities (3 moderate, 5 high).

These might not be real security issues (however, it just creates an extra hindrance for the internal security approval).

Not that it is important, but I can confirm the issue occurs on both Windows and Mac.

Steps to reproduce

  1. Follow the steps here and scaffold a new project: https://www.eventcatalog.dev/docs/installation
  2. Run npm audit
  3. It shows 8 vulnerabilities (3 moderate, 5 high)

npm audit fix does not help in this case.

Expected behavior

NPM audit should not show any high vulnerabilities.

Actual behavior

image

Your environment

  • EventCatalog version used: (2.18 and 2.19)
  • Operating system and version (e.g. Ubuntu 20.04.2 LTS): Mac, Windows 10

chotalia avatar May 23 '22 12:05 chotalia

Thanks for raising this @chotalia, I know it's not ideal, will try and have a look.

If anyone wants to help support that would be great. If we could find which packages need updating.

boyney123 avatar Jul 07 '22 16:07 boyney123

> If anyone wants to help support that would be great. If we could find which packages need updating.

Run npm audit for details.

Please also see https://overreacted.io/npm-audit-broken-by-design/; in many cases not all security issues can be fixed (because then the application may break).

DanielRuf avatar Mar 29 '23 15:03 DanielRuf

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @eventcatalog/[email protected], which is a breaking change
node_modules/dagre-d3/node_modules/d3-color
  d3  4.0.0-alpha.1 - 6.7.0
  Depends on vulnerable versions of d3-brush
  Depends on vulnerable versions of d3-color
  Depends on vulnerable versions of d3-interpolate
  Depends on vulnerable versions of d3-scale
  Depends on vulnerable versions of d3-transition
  Depends on vulnerable versions of d3-zoom
  node_modules/dagre-d3/node_modules/d3
    dagre-d3  >=0.5.0
    Depends on vulnerable versions of d3
    node_modules/dagre-d3
      mermaid  8.4.1 - 8.4.2 || 8.4.4 - 9.2.3-rc.1
      Depends on vulnerable versions of dagre-d3
      node_modules/mermaid
        @eventcatalog/core  *
        Depends on vulnerable versions of mermaid
        Depends on vulnerable versions of next-mdx-remote
        node_modules/@eventcatalog/core
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/dagre-d3/node_modules/d3-interpolate
    d3-brush  0.1.0 - 2.1.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/dagre-d3/node_modules/d3-brush
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-scale
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-scale-chromatic
    d3-transition  0.0.7 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-transition
    d3-zoom  0.0.2 - 2.0.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/dagre-d3/node_modules/d3-zoom

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix --force`
Will install @eventcatalog/[email protected], which is a breaking change
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/@mdx-js/mdx/node_modules/remark-parse
  node_modules/remark-mdx/node_modules/remark-parse
    @mdx-js/mdx  <=1.6.22
    Depends on vulnerable versions of remark-mdx
    Depends on vulnerable versions of remark-parse
    node_modules/@mdx-js/mdx
      next-mdx-remote  <=3.0.8
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/next-mdx-remote
    remark-mdx  <=1.6.22
    Depends on vulnerable versions of remark-parse
    node_modules/remark-mdx

16 high severity vulnerabilities

DanielRuf avatar Mar 29 '23 15:03 DanielRuf
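The audit tree above is long, but only two entries in it are root causes (trim and d3-color); everything else is flagged because it depends on them, and the only thing in the scaffolded project's package.json that pulls them in is @eventcatalog/core. The script below is an added example (not EventCatalog's own code) that reads the machine-readable form of the same report, `npm audit --json` (npm 7 or newer report shape), and answers boyney123's question of which packages need updating. In that report each affected package has a "via" array that mixes advisory objects (the package is the root cause) with package names (it is only affected through a dependency), and an "effects" array naming the dependents it makes vulnerable; walking "effects" from each root up to an entry marked "isDirect" gives the package.json dependency whose bump or override clears the finding. The sample report embedded here is constructed, abbreviated from the tree posted in this thread.

```javascript
// Added example (not EventCatalog's code): answer "which packages need
// updating?" from `npm audit --json` (npm >= 7 report shape). An entry's "via"
// array mixes advisory objects (root cause) with package names (transitively
// affected); "effects" lists the dependents that become vulnerable because of
// it. Walking "effects" from each root up to an entry marked "isDirect" gives
// the package.json dependency whose bump or override clears the finding.

function findRootVulnerabilities(report) {
  const vulns = report.vulnerabilities || {};
  const roots = [];
  for (const [name, entry] of Object.entries(vulns)) {
    const advisories = (entry.via || []).filter((v) => typeof v === 'object');
    if (advisories.length === 0) continue; // affected only transitively
    roots.push({
      name,
      range: entry.range,
      severity: entry.severity,
      isDirect: Boolean(entry.isDirect),
      advisories: advisories.map((a) => ({ title: a.title, url: a.url })),
      directDependents: directDependentsOf(name, vulns),
    });
  }
  return roots.sort((a, b) => a.name.localeCompare(b.name));
}

// Follow "effects" upward (depth-first, cycle-safe) and collect the direct
// dependencies reached. An empty result with isDirect=true means the root
// itself is in package.json and should be bumped directly.
function directDependentsOf(root, vulns) {
  const seen = new Set();
  const direct = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const entry = vulns[name];
    if (!entry) continue;
    if (name !== root && entry.isDirect) direct.add(name);
    for (const dependent of entry.effects || []) stack.push(dependent);
  }
  return [...direct].sort();
}

// Severity histogram over all affected packages (what npm's summary line counts).
function countBySeverity(report) {
  const counts = {};
  for (const entry of Object.values(report.vulnerabilities || {})) {
    counts[entry.severity] = (counts[entry.severity] || 0) + 1;
  }
  return counts;
}

// Constructed sample, abbreviated from the audit tree posted in this thread
// (only the fields used above; a real report also carries "nodes",
// "fixAvailable" and a "metadata" summary).
const node = (severity, isDirect, range, via, effects) => ({ severity, isDirect, range, via, effects });
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    trim: node('high', false, '<0.0.3', [{
      title: 'Regular Expression Denial of Service in trim',
      url: 'https://github.com/advisories/GHSA-w5p7-h5w8-2hfq',
      severity: 'high', range: '<0.0.3',
    }], ['remark-parse']),
    'remark-parse': node('high', false, '<=8.0.3', ['trim'], ['@mdx-js/mdx', 'remark-mdx']),
    'remark-mdx': node('high', false, '<=1.6.22', ['remark-parse'], ['@mdx-js/mdx']),
    '@mdx-js/mdx': node('high', false, '<=1.6.22', ['remark-mdx', 'remark-parse'], ['next-mdx-remote']),
    'next-mdx-remote': node('high', false, '<=3.0.8', ['@mdx-js/mdx'], ['@eventcatalog/core']),
    'd3-color': node('high', false, '<3.1.0', [{
      title: 'd3-color vulnerable to ReDoS',
      url: 'https://github.com/advisories/GHSA-36jr-mh4h-2g58',
      severity: 'high', range: '<3.1.0',
    }], ['d3']),
    d3: node('high', false, '4.0.0-alpha.1 - 6.7.0', ['d3-color'], ['dagre-d3']),
    'dagre-d3': node('high', false, '>=0.5.0', ['d3'], ['mermaid']),
    mermaid: node('high', false, '8.4.1 - 8.4.2 || 8.4.4 - 9.2.3-rc.1', ['dagre-d3'], ['@eventcatalog/core']),
    '@eventcatalog/core': node('high', true, '*', ['mermaid', 'next-mdx-remote'], []),
  },
};

for (const root of findRootVulnerabilities(sampleReport)) {
  console.log(`${root.name} ${root.range} [${root.severity}] -> fix via: ${root.directDependents.join(', ') || '(direct dependency)'}`);
  for (const a of root.advisories) console.log(`  ${a.title}: ${a.url}`);
}
console.log(countBySeverity(sampleReport));
```

To run it against a real project, save `npm audit --json > audit.json` and pass `JSON.parse(require('fs').readFileSync('audit.json', 'utf8'))` in place of the constructed report. The root list is what to take to an internal security review: two advisories, not sixteen findings, and one direct dependency (or, inside the eventcatalog repo itself, the two direct dependencies mermaid and next-mdx-remote) that either needs a release with patched transitives or a pinned override.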

I tried to take a stab at updating next-mdx-remote 3.0.8 to the latest version. This is the module that has some dependencies that have some dependencies that use the very early and high-vulnerability trim.

But it looks like there was a major change after 3.0.8 (4.xx) that is incompatible with other dependencies and it won't pass tests.

 FAIL  packages/eventcatalog/lib/__tests__/services.spec.ts
  ● Test suite failed to run

    Jest encountered an unexpected token

    Jest failed to parse a file. This happens e.g. when your code or its dependencies use non-standard JavaScript syntax, or when Jest is not configured to support such syntax.

    Out of the box Jest supports Babel, which will be used to transform your files into valid JS based on your Babel configuration.

    By default "node_modules" folder is ignored by transformers.

    Here's what you can do:
     • If you are trying to use ECMAScript Modules, see https://jestjs.io/docs/ecmascript-modules for how to enable it.
     • If you are trying to use TypeScript, see https://jestjs.io/docs/getting-started#using-typescript
     • To have some of your "node_modules" files transformed, you can specify a custom "transformIgnorePatterns" in your config.
     • If you need a custom transformation specify a "transform" option in your config.
     • If you simply want to mock your non-JS modules (e.g. binary assets) you can stub them out with the "moduleNameMapper" config option.

    You'll find more details and examples of these config options in the docs:
    https://jestjs.io/docs/configuration
    For information about custom transformations, see:
    https://jestjs.io/docs/code-transformation

    Details:

    /Users/rberger/work/informed/eventcatalog/node_modules/next-mdx-remote/serialize.js:6
    import { serialize } from './dist/serialize.js'
    ^^^^^^

    SyntaxError: Cannot use import statement outside a module

      1 | import fs from 'fs';
      2 | import path from 'path';
    > 3 | import { serialize } from 'next-mdx-remote/serialize';
        | ^
      4 | import { Service, Event } from '@eventcatalog/types';
      5 | import { readMarkdownFile, getLastModifiedDateOfFile, getOpenAPISpecFromDir, getAsyncAPISpecFromDir } from '@/lib/file-reader';
      6 | import { MarkdownFile } from '../types/index';

      at Runtime.createScriptFromCode (node_modules/jest-runtime/build/index.js:1496:14)
      at Object.require (packages/eventcatalog/lib/services.ts:3:1)
      at Object.require (packages/eventcatalog/lib/__tests__/services.spec.ts:2:1)

At this point it's beyond my understanding of next.js, react, mdx to know how to fix it. I've taken a few stabs but they just made it worse. I suspect that a lot of things need to be updated to make this work.

But this is considered a pretty high vulnerability and our security folks want to have it fixed or we have to remove EventCatalog. It would be great if someone could take a look at this.

rberger avatar Sep 26 '23 06:09 rberger

I created a pull request that fixes the trim vulnerability via a yarn resolution: #447

rberger avatar Sep 29 '23 22:09 rberger
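A resolution is the middle path between the two options the thread has hit: `npm audit fix --force`, which swaps in a breaking major of @eventcatalog/core, and a next-mdx-remote upgrade, which broke the Jest suite. It pins the vulnerable transitive package (trim) to its patched release everywhere in the tree while leaving the declared dependency ranges alone. The script below is an added example (not EventCatalog's code and not the contents of PR #447): it writes such a pin into package.json for either Yarn v1 (the "resolutions" field) or npm 8.3 and newer (the "overrides" field), and then checks a package-lock.json for any installed copy of the package that is still below the patched version, including nested copies such as the `node_modules/dagre-d3/node_modules/d3-color` paths in the audit tree above. The package.json and lockfile contents are constructed for the example; the patched versions used (trim 0.0.3, d3-color 3.1.0) are the lower bounds of the fixed ranges quoted in the audit output.

```javascript
// Added example (not EventCatalog's code and not PR #447 itself): pin a
// vulnerable transitive package to its patched release instead of taking the
// breaking upgrade `npm audit fix --force` proposes, then check the lockfile
// for any copy that is still below the patched version. Yarn v1 honours a
// "resolutions" field and npm >= 8.3 an "overrides" field in package.json;
// the package.json and package-lock.json contents below are constructed.

// Merge pins into package.json text, keeping any existing entries in the field.
function addPins(packageJsonText, pins, manager = 'yarn') {
  const pkg = JSON.parse(packageJsonText);
  const field = manager === 'npm' ? 'overrides' : 'resolutions';
  pkg[field] = { ...(pkg[field] || {}), ...pins };
  return JSON.stringify(pkg, null, 2) + '\n';
}

// Numeric version comparison; a pre-release suffix is dropped, so this only
// answers "is this copy older than the patched release", which is all the
// lockfile check needs.
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}

function lessThan(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d < 0;
  }
  return false;
}

// package-lock.json v2/v3 records every installed copy under "packages",
// keyed by install path ("node_modules/trim", "node_modules/x/node_modules/trim").
// A nested copy is exactly how an old version survives a top-level bump, so
// every path is checked, not just the first one.
function unpatchedCopies(lockText, name, patchedVersion) {
  const lock = JSON.parse(lockText);
  const marker = 'node_modules/';
  const hits = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === '') continue; // the root project itself
    const pkgName = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    if (pkgName !== name) continue;
    if (lessThan(meta.version, patchedVersion)) {
      hits.push({ path: installPath, version: meta.version });
    }
  }
  return hits;
}

// Constructed inputs: a scaffolded catalog before and after the pin is applied.
const packageJsonBefore = JSON.stringify({
  name: 'my-catalog',
  dependencies: { '@eventcatalog/core': '0.x' },
}, null, 2);

const lockBefore = JSON.stringify({
  name: 'my-catalog', lockfileVersion: 3, packages: {
    '': { name: 'my-catalog' },
    'node_modules/trim': { version: '0.0.1' },
    'node_modules/remark-parse': { version: '8.0.3' },
    'node_modules/@mdx-js/mdx/node_modules/trim': { version: '0.0.1' },
  },
});

const lockAfter = JSON.stringify({
  name: 'my-catalog', lockfileVersion: 3, packages: {
    '': { name: 'my-catalog' },
    'node_modules/trim': { version: '0.0.3' },
    'node_modules/remark-parse': { version: '8.0.3' },
  },
});

const pins = { trim: '0.0.3', 'd3-color': '3.1.0' };
console.log(addPins(packageJsonBefore, pins, 'yarn'));
console.log('unpatched before:', unpatchedCopies(lockBefore, 'trim', '0.0.3'));
console.log('unpatched after:', unpatchedCopies(lockAfter, 'trim', '0.0.3'));
```

Two caveats apply before relying on this. A pin is only safe when the patched release is a drop-in replacement for the versions the intermediate packages asked for, so the project's test suite has to pass after the reinstall, which is also the check that distinguishes this from the next-mdx-remote 4.x attempt above. And the pin changes what gets installed, not what the dependencies declare, so re-run `npm audit` (or `yarn audit`) on the regenerated lockfile rather than trusting the package.json edit alone.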