
Address outdated NPM packages and audit warnings in Client

Open jasonwong26 opened this issue 3 years ago • 5 comments

v0.4 Setup Infrastructure

This ticket addresses NPM warnings related to versions and security.

Dependencies

  • ~~#645~~

Instructions

  • [ ] Run the npm outdated script. Document all of the warnings that are returned.
  • [ ] Address each warning:
    • for minor package updates - go ahead and update to the latest version
    • for major package updates - research the package version change to identify (as best you can) the breaking changes. Raise the version change as a topic for discussion in a team meeting.
  • [ ] Run the npm audit or yarn outdated script. Document all of the warnings that are returned. Hopefully most issues will be resolved via addressing the outdated packages, but for those that remain, raise these as a topic for discussion in a team meeting.
  • [ ] Apply all major package updates that the team feels are worth pursuing. Address any build errors that occur due to the changes.

Acceptance Criteria

Running the npm outdated and yarn audit commands should pass without error (unless the group decides that it is out of scope to address an issue for a given package).

jasonwong26 avatar Aug 03 '21 02:08 jasonwong26
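The instructions above ask for two things that are tedious to do by hand: split `npm outdated` results into "minor, just apply" versus "major, discuss first", and work out for each `npm audit` finding which top-level dependency pulls it in. Below is an added example of that triage as a small Node script; it is not code from this issue or from the VRMS project. It assumes the JSON shapes produced by `npm outdated --json` and `npm audit --json` in npm 6 (the version whose text report appears in this thread): outdated maps package name to `{current, wanted, latest, location}`, and audit carries an `advisories` object whose entries have `module_name`, `severity`, `title`, `url` and `findings[].paths` with `>`-joined dependency chains. The sample documents are constructed here from figures quoted in the thread (plus one made-up package, `example-lib`, to exercise the minor-bump bucket) so the script runs offline; in practice you would feed it the real command output.

```javascript
// Added example, not VRMS project code: triage helpers for `npm outdated --json`
// and `npm audit --json` (npm 6 JSON shapes assumed, see lead-in).

// Parse "MAJOR.MINOR.PATCH" (any prerelease suffix after "-" is ignored).
const semverParts = (v) => v.split('-')[0].split('.').map(Number);

// Classify the jump from `current` to `latest` as major / minor / patch / none.
function classifyBump(current, latest) {
  const [cMaj, cMin, cPatch] = semverParts(current);
  const [lMaj, lMin, lPatch] = semverParts(latest);
  if (lMaj > cMaj) return 'major';
  if (lMaj === cMaj && lMin > cMin) return 'minor';
  if (lMaj === cMaj && lMin === cMin && lPatch > cPatch) return 'patch';
  return 'none';
}

// Split an outdated report into the two buckets the ticket distinguishes:
// `apply` (minor/patch, update straight away) and `discuss` (major, needs a team decision).
function triageOutdated(outdatedJson) {
  const result = { apply: [], discuss: [] };
  for (const [name, info] of Object.entries(outdatedJson)) {
    const bump = classifyBump(info.current, info.latest);
    const entry = { name, from: info.current, to: info.latest, bump };
    if (bump === 'major') result.discuss.push(entry);
    else if (bump !== 'none') result.apply.push(entry);
  }
  return result;
}

// Summarise an audit report: findings per severity, and for each top-level
// dependency (first element of a finding path) the vulnerable modules it drags in.
// That grouping is what tells you whether one major update would clear several
// warnings at once or whether a manual review is needed.
function summarizeAudit(auditJson) {
  const bySeverity = {};
  const byTopLevel = {};
  for (const adv of Object.values(auditJson.advisories)) {
    bySeverity[adv.severity] = (bySeverity[adv.severity] || 0) + 1;
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        const top = path.split('>')[0];
        (byTopLevel[top] = byTopLevel[top] || new Set()).add(adv.module_name);
      }
    }
  }
  // Convert the Sets to sorted arrays so the result is plain JSON.
  const flat = Object.fromEntries(
    Object.entries(byTopLevel).map(([top, mods]) => [top, [...mods].sort()])
  );
  return { bySeverity, byTopLevel: flat };
}

// Constructed sample input, taken from the `npm outdated` table in this thread
// (versions as quoted there). `example-lib` is invented to show a minor bump.
const SAMPLE_OUTDATED = {
  '@testing-library/jest-dom': { current: '4.2.4', wanted: '4.2.4', latest: '5.14.1', location: 'vrms-client' },
  'react': { current: '16.14.0', wanted: '16.14.0', latest: '17.0.2', location: 'vrms-client' },
  'node-sass': { current: '4.14.1', wanted: '4.14.1', latest: '6.0.1', location: 'vrms-client' },
  'eslint-config-prettier': { current: '6.15.0', wanted: '6.15.0', latest: '8.3.0', location: 'vrms-client' },
  'example-lib': { current: '2.1.0', wanted: '2.1.0', latest: '2.3.0', location: 'vrms-client' },
};

// Constructed sample audit document using advisories and paths quoted in the thread.
const SAMPLE_AUDIT = {
  advisories: {
    '1603': { module_name: 'immer', severity: 'high', title: 'Prototype Pollution',
      url: 'https://npmjs.com/advisories/1603',
      findings: [{ paths: ['react-scripts>react-dev-utils>immer'] }] },
    '1751': { module_name: 'glob-parent', severity: 'moderate', title: 'Regular expression denial of service',
      url: 'https://npmjs.com/advisories/1751',
      findings: [{ paths: ['react-scripts>react-dev-utils>globby>fast-glob>glob-parent',
                           'react-scripts>webpack-dev-server>chokidar>glob-parent'] }] },
    '1698': { module_name: 'mathjs', severity: 'high', title: 'Prototype Pollution',
      url: 'https://npmjs.com/advisories/1698',
      findings: [{ paths: ['mathjs'] }] },
    '1770': { module_name: 'tar', severity: 'high',
      title: 'Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization',
      url: 'https://npmjs.com/advisories/1770',
      findings: [{ paths: ['node-sass>node-gyp>tar'] }] },
  },
};

console.log(JSON.stringify(triageOutdated(SAMPLE_OUTDATED), null, 2));
console.log(JSON.stringify(summarizeAudit(SAMPLE_AUDIT), null, 2));
```

On the sample data the four real packages land in `discuss` and only `example-lib` in `apply`; the audit summary groups `immer` and `glob-parent` under `react-scripts`, `tar` under `node-sass`, and `mathjs` on its own, which matches how the thread later reasons about the remaining warnings (everything left hangs off `react-scripts`).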

Audit before:

vrms\client>npm outdated

Package                        Current   Wanted  Latest  Location
@testing-library/jest-dom        4.2.4    4.2.4  5.14.1  vrms-client
@testing-library/react           9.5.0    9.5.0  12.0.0  vrms-client
@testing-library/user-event      7.2.1    7.2.1  13.2.1  vrms-client
d3                              5.16.0   5.16.0   7.0.1  vrms-client
dotenv-cli                       3.2.0    3.2.0   4.0.0  vrms-client
eslint-config-prettier          6.15.0   6.15.0   8.3.0  vrms-client
eslint-plugin-testing-library   3.10.2   3.10.2  4.11.0  vrms-client
http-proxy-middleware            1.3.1    1.3.1   2.0.1  vrms-client
mathjs                           6.6.5    6.6.5   9.4.4  vrms-client
node-sass                       4.14.1   4.14.1   6.0.1  vrms-client
react                          16.14.0  16.14.0  17.0.2  vrms-client
react-dom                      16.14.0  16.14.0  17.0.2  vrms-client
react-scripts                    3.4.3    3.4.3   4.0.3  vrms-client
react-test-renderer            16.14.0  16.14.0  17.0.2  vrms-client
vrms\client>npm audit
                   === npm audit security report ===                        
                                                                            

Run npm install [email protected] to resolve 4 vulnerabilities

SEMVER WARNING: Recommended action is a potentially breaking change

High Prototype Pollution

Package object-path

Dependency of react-scripts

Path react-scripts > resolve-url-loader > adjust-sourcemap-loader
> object-path

More info https://npmjs.com/advisories/1573

High Prototype Pollution

Package immer

Dependency of react-scripts

Path react-scripts > react-dev-utils > immer

More info https://npmjs.com/advisories/1603

Moderate Regular Expression Denial of Service

Package postcss

Dependency of react-scripts

Path react-scripts > resolve-url-loader > postcss

More info https://npmjs.com/advisories/1693

Moderate Regular expression denial of service

Package glob-parent

Dependency of react-scripts

Path react-scripts > react-dev-utils > globby > fast-glob >
glob-parent

More info https://npmjs.com/advisories/1751

Run npm install [email protected] to resolve 1 vulnerability

SEMVER WARNING: Recommended action is a potentially breaking change

High Prototype Pollution

Package mathjs

Dependency of mathjs

Path mathjs

More info https://npmjs.com/advisories/1698

Run npm install [email protected] to resolve 3 vulnerabilities

SEMVER WARNING: Recommended action is a potentially breaking change

High Regular Expression Denial of Service

Package trim-newlines

Dependency of node-sass

Path node-sass > meow > trim-newlines

More info https://npmjs.com/advisories/1753

High Arbitrary File Creation/Overwrite due to insufficient
absolute path sanitization

Package tar

Dependency of node-sass

Path node-sass > node-gyp > tar

More info https://npmjs.com/advisories/1770

High Arbitrary File Creation/Overwrite via insufficient symlink
protection due to directory cache poisoning

Package tar

Dependency of node-sass

Path node-sass > node-gyp > tar

More info https://npmjs.com/advisories/1771

                             Manual Review                                  
         Some vulnerabilities require your attention to resolve             
                                                                            
      Visit https://go.npm.me/audit-guide for additional guidance           
                                                                            
                                                                            

Moderate Regular Expression Denial of Service

Package browserslist

Patched in >=4.16.5

Dependency of react-scripts

Path react-scripts > react-dev-utils > browserslist

More info https://npmjs.com/advisories/1747

Moderate Regular expression denial of service

Package glob-parent

Patched in >=5.1.2

Dependency of react-scripts

Path react-scripts > webpack > watchpack > watchpack-chokidar2 > chokidar > glob-parent

More info https://npmjs.com/advisories/1751

Moderate Regular expression denial of service

Package glob-parent

Patched in >=5.1.2

Dependency of react-scripts

Path react-scripts > webpack-dev-server > chokidar > glob-parent

More info https://npmjs.com/advisories/1751

found 11 vulnerabilities (5 moderate, 6 high) in 2165 scanned packages

8 vulnerabilities require semver-major dependency updates.
3 vulnerabilities require manual review. See the full report for details.

vadzimk avatar Aug 17 '21 18:08 vadzimk

@jasonwong26

Audit after

vrms\client>npm outdated

Package                 Current  Wanted  Latest  Location
@testing-library/react    9.5.0   9.5.0  12.0.0  vrms-client
react-scripts             3.4.3   3.4.3   4.0.3  vrms-client
vrms\client>npm audit
                   === npm audit security report ===                        
                                                                            

Run npm install [email protected] to resolve 4 vulnerabilities

SEMVER WARNING: Recommended action is a potentially breaking change

High Prototype Pollution

Package object-path

Dependency of react-scripts

Path react-scripts > resolve-url-loader > adjust-sourcemap-loader
> object-path

More info https://npmjs.com/advisories/1573

High Prototype Pollution

Package immer

Dependency of react-scripts

Path react-scripts > react-dev-utils > immer

More info https://npmjs.com/advisories/1603

Moderate Regular Expression Denial of Service

Package postcss

Dependency of react-scripts

Path react-scripts > resolve-url-loader > postcss

More info https://npmjs.com/advisories/1693

Moderate Regular expression denial of service

Package glob-parent

Dependency of react-scripts

Path react-scripts > react-dev-utils > globby > fast-glob >
glob-parent

More info https://npmjs.com/advisories/1751

                             Manual Review                                  
         Some vulnerabilities require your attention to resolve             
                                                                            
      Visit https://go.npm.me/audit-guide for additional guidance           
                                                                            
                                                                            

Moderate Regular Expression Denial of Service

Package browserslist

Patched in >=4.16.5

Dependency of react-scripts

Path react-scripts > react-dev-utils > browserslist

More info https://npmjs.com/advisories/1747

Moderate Regular expression denial of service

Package glob-parent

Patched in >=5.1.2

Dependency of react-scripts

Path react-scripts > webpack > watchpack > watchpack-chokidar2 >
chokidar > glob-parent

More info https://npmjs.com/advisories/1751

Moderate Regular expression denial of service

Package glob-parent

Patched in >=5.1.2

Dependency of react-scripts

Path react-scripts > webpack-dev-server > chokidar > glob-parent

More info https://npmjs.com/advisories/1751

found 7 vulnerabilities (5 moderate, 2 high) in 2229 scanned packages

4 vulnerabilities require semver-major dependency updates.
3 vulnerabilities require manual review. See the full report for details.

These remaining NPM audit "vulnerabilities" are related to the packages that react-scripts depends on. But

  • Migrating to react-scripts v4 breaks the tests
  • Upgrading the @testing-library breaks the tests (deprecated methods are used)

Migrating to react-scripts v4 requirements:

https://github.com/facebook/create-react-app/blob/main/CHANGELOG.md#migrating-from-34x-to-400

These react-scripts v3 "vulnerabilities" are considered to be false positives, as you can read here:

https://overreacted.io/npm-audit-broken-by-design/

vadzimk avatar Aug 19 '21 00:08 vadzimk

Package Changes:

Updated minor and patch versions

None

Major Version changes (requires discussion)

| Package | Current | Wanted | Latest | Package Type | Package URL |
| --- | --- | --- | --- | --- | --- |
| http-proxy-middleware | 1.3.1 | 1.3.1 | 2.0.1 | dependencies | https://github.com/chimurai/http-proxy-middleware#readme |
| react | 16.14.0 | 16.14.0 | 17.0.2 | dependencies | https://reactjs.org/ |
| react-dom | 16.14.0 | 16.14.0 | 17.0.2 | dependencies | https://reactjs.org/ |
| react-scripts | 3.4.3 | 3.4.3 | 4.0.3 | dependencies | https://github.com/facebook/create-react-app#readme |
| @testing-library/jest-dom | 4.2.4 | 4.2.4 | 5.14.1 | devDependencies | https://github.com/testing-library/jest-dom#readme |
| @testing-library/react | 9.5.0 | 9.5.0 | 12.0.0 | devDependencies | https://github.com/testing-library/react-testing-library#readme |

Removed Unused Packages

  • @babel/plugin-transform-react-jsx-self
  • classnames
  • cross-env
  • cross-var
  • d3
  • dotenv-cli
  • local-storage
  • mathjs
  • minimist
  • moment
  • moment-recur
  • @testing-library/user-event
  • eslint-config-airbnb
  • eslint-config-airbnb-base
  • eslint-config-prettier
  • eslint-plugin-import
  • eslint-plugin-jest-dom
  • eslint-plugin-jsx-a11y
  • eslint-plugin-prettier
  • eslint-plugin-react
  • eslint-plugin-react-hooks
  • eslint-plugin-testing-library
  • prettier
  • react-test-renderer

Package Audit

7 audit warnings remain (2 high, 5 moderate) all related to the react-scripts dependency.

Suggested next steps:

  1. Create separate tickets for each above package with a major version change. (some will require code rewrites)
  2. Address each of the created tickets.
  3. Rerun the yarn audit script to confirm that all warnings are addressed.

jasonwong26 avatar Sep 06 '21 06:09 jasonwong26

Hi @ExperimentsInHonesty,

Assigning to you to create individual tickets for addressing the following outdated packages that require major version changes. For each, we want a developer to update to the latest version of the package, then:

  1. Ensure the project builds and runs
  2. Ensure that all unit tests pass
  3. Ensure that there are no lint errors

| Package | Current | Wanted | Latest | Package Type | Package URL | Issue |
| --- | --- | --- | --- | --- | --- | --- |
| http-proxy-middleware | 1.3.1 | 1.3.1 | 2.0.1 | dependencies | https://github.com/chimurai/http-proxy-middleware#readme | #753 |
| react | 16.14.0 | 16.14.0 | 17.0.2 | dependencies | https://reactjs.org/ | #754 |
| react-dom | 16.14.0 | 16.14.0 | 17.0.2 | dependencies | https://reactjs.org/ | #755 |
| react-scripts | 3.4.3 | 3.4.3 | 4.0.3 | dependencies | https://github.com/facebook/create-react-app#readme | #756 |
| @testing-library/jest-dom | 4.2.4 | 4.2.4 | 5.14.1 | devDependencies | https://github.com/testing-library/jest-dom#readme | #757 |
| @testing-library/react | 9.5.0 | 9.5.0 | 12.0.0 | devDependencies | https://github.com/testing-library/react-testing-library#readme | #758 |

jasonwong26 avatar Sep 14 '21 02:09 jasonwong26

@jasonwong26 I have created the client issues for updating the npm packages

ExperimentsInHonesty avatar Sep 14 '21 04:09 ExperimentsInHonesty