gfn-electron
[BUG] Security in Packages
Describe the bug
Here's the console output of npm audit:
# npm audit report
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
@electron/get *
Depends on vulnerable versions of got
node_modules/@electron/get
electron >=7.0.0-beta.1
Depends on vulnerable versions of @electron/get
node_modules/electron
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
electron-builder >=5.6.1
Depends on vulnerable versions of update-notifier
node_modules/electron-builder
jpeg-js <0.4.4
Severity: high
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/jpeg-js
@jimp/jpeg <=0.12.0 || >=0.16.1
Depends on vulnerable versions of jpeg-js
node_modules/@jimp/jpeg
@jimp/types <=0.11.1-canary.891.908.0 || >=0.16.1
Depends on vulnerable versions of @jimp/jpeg
node_modules/@jimp/types
jimp 0.3.6-alpha.5 - 0.11.1-canary.891.908.0 || >=0.16.1
Depends on vulnerable versions of @jimp/types
node_modules/jimp
png-to-ico >=2.0.1
Depends on vulnerable versions of jimp
node_modules/png-to-ico
12 vulnerabilities (7 moderate, 5 high)
To address all issues (including breaking changes), run:
npm audit fix --force
When I ran npm audit fix, it ran but there were still security issues.
Then, when I ran npm audit fix --force, there were even more security issues.
To Reproduce
- Download source code from main branch
- Run
npm install
- Run
npm audit
Screenshots
No response
Operating System
Manjaro Linux
Desktop Environment
KDE
Display Server
Wayland
Installation method
Source
Version
1.7.0
Is this a fresh install of the app or an update from a past version?
Fresh Install
Did this issue appear right away upon installation/updating, or spontaneously?
Appeared when I checked
Additional context
No response
Output of npm audit fix:
removed 3 packages, changed 2 packages, and audited 377 packages in 14s
30 packages are looking for funding
run `npm fund` for details
# npm audit report
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
@electron/get *
Depends on vulnerable versions of got
node_modules/@electron/get
electron >=7.0.0-beta.1
Depends on vulnerable versions of @electron/get
node_modules/electron
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
electron-builder >=5.6.1
Depends on vulnerable versions of update-notifier
node_modules/electron-builder
jpeg-js <0.4.4
Severity: high
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/jpeg-js
@jimp/jpeg <=0.12.0 || >=0.16.1
Depends on vulnerable versions of jpeg-js
node_modules/@jimp/jpeg
@jimp/types <=0.11.1-canary.891.908.0 || >=0.16.1
Depends on vulnerable versions of @jimp/jpeg
node_modules/@jimp/types
jimp 0.3.6-alpha.5 - 0.11.1-canary.891.908.0 || >=0.16.1
Depends on vulnerable versions of @jimp/types
node_modules/jimp
png-to-ico >=2.0.1
Depends on vulnerable versions of jimp
node_modules/png-to-ico
node-fetch <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/node-fetch
13 vulnerabilities (7 moderate, 6 high)
To address all issues (including breaking changes), run:
npm audit fix --force
Output of npm audit fix --force:
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating node-fetch to 2.6.7,which is outside your stated dependency range.
npm WARN audit Updating electron to 6.1.12,which is a SemVer major change.
npm WARN audit Updating png-to-ico to 2.0.0,which is a SemVer major change.
npm WARN audit Updating electron-builder to 5.5.0,which is a SemVer major change.
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: Deprecated due to CVE-2021-21366 resolved in 0.5.0
npm WARN deprecated [email protected]: cross-spawn no longer requires a build toolchain, use it instead
npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
added 208 packages, removed 225 packages, changed 53 packages, and audited 355 packages in 16s
10 packages are looking for funding
run `npm fund` for details
# npm audit report
electron <=15.5.4
Severity: high
Context isolation bypass via leaked cross-context objects in Electron - https://github.com/advisories/GHSA-m93v-9qjc-3g79
Context isolation bypass via contextBridge in Electron - https://github.com/advisories/GHSA-h9jc-284h-533g
Arbitrary file read via window-open IPC in Electron - https://github.com/advisories/GHSA-f9mq-jph6-9mhm
Sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API - https://github.com/advisories/GHSA-mpjm-v997-c4h4
IPC messages delivered to the wrong frame in Electron - https://github.com/advisories/GHSA-hvf8-h2qh-37m9
Renderers can obtain access to random bluetooth device without permission in Electron - https://github.com/advisories/GHSA-3p22-ghq8-v749
AutoUpdater module fails to validate certain nested components of the bundle - https://github.com/advisories/GHSA-77xc-hjv8-ww97
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled - https://github.com/advisories/GHSA-mq8j-3h7h-p8g7
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/electron
jpeg-js <=0.4.3
Severity: high
Uncontrolled resource consumption in jpeg-js - https://github.com/advisories/GHSA-w7q9-p3jq-fmhm
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/jpeg-js
jimp <=0.3.5
Depends on vulnerable versions of jpeg-js
Depends on vulnerable versions of mkdirp
Depends on vulnerable versions of url-regex
node_modules/jimp
png-to-ico <=2.0.0
Depends on vulnerable versions of jimp
node_modules/png-to-ico
lodash <=4.17.20
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/xmlbuilder/node_modules/lodash
xmlbuilder 2.5.0 - 4.2.0
Depends on vulnerable versions of lodash
node_modules/xmlbuilder
plist <=3.0.4
Depends on vulnerable versions of xmlbuilder
Depends on vulnerable versions of xmldom
node_modules/plist
electron-osx-sign-tf >=0.6.0
Depends on vulnerable versions of plist
node_modules/electron-osx-sign-tf
electron-builder 2.8.0 - 3.1.1 || 3.5.0 - 3.6.1 || 3.11.0 - 15.0.0
Depends on vulnerable versions of electron-osx-sign-tf
Depends on vulnerable versions of electron-packager-tf
Depends on vulnerable versions of electron-winstaller-fixed
Depends on vulnerable versions of signcode-tf
Depends on vulnerable versions of yargs
node_modules/electron-builder
electron-packager-tf *
Depends on vulnerable versions of plist
node_modules/electron-packager-tf
minimist <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/jimp/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/jimp/node_modules/mkdirp
trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/meow
url-regex *
Severity: high
Regular expression denial of service in url-regex - https://github.com/advisories/GHSA-v4rh-8p82-6h5w
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/url-regex
xmldom *
Severity: moderate
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-h6q6-9hqw-rwfv
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/xmldom
yargs-parser <=5.0.0
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/yargs-parser
yargs 4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1
Depends on vulnerable versions of yargs-parser
node_modules/yargs
signcode-tf *
Depends on vulnerable versions of yargs
node_modules/signcode-tf
electron-winstaller-fixed <=3.0.0
Depends on vulnerable versions of signcode-tf
node_modules/electron-winstaller-fixed
20 vulnerabilities (7 moderate, 7 high, 6 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
I also tried updating everything to the latest version; here's the output of npm audit:
# npm audit report
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
@electron/get *
Depends on vulnerable versions of got
node_modules/@electron/get
electron >=7.0.0-beta.1
Depends on vulnerable versions of @electron/get
node_modules/electron
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
electron-builder >=5.6.1
Depends on vulnerable versions of update-notifier
node_modules/electron-builder
jpeg-js <0.4.4
Severity: high
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/jpeg-js
@jimp/jpeg <=0.12.0 || >=0.16.1
Depends on vulnerable versions of jpeg-js
node_modules/@jimp/jpeg
@jimp/types <=0.11.1-canary.891.908.0 || >=0.16.1
Depends on vulnerable versions of @jimp/jpeg
node_modules/@jimp/types
jimp 0.3.6-alpha.5 - 0.11.1-canary.891.908.0 || >=0.16.1
Depends on vulnerable versions of @jimp/types
node_modules/jimp
png-to-ico >=2.0.1
Depends on vulnerable versions of jimp
node_modules/png-to-ico
12 vulnerabilities (7 moderate, 5 high)
To address all issues (including breaking changes), run:
npm audit fix --force
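An added example, not code from the gfn-electron project or from this report: a small parser for the text report format shown above, used to see how many distinct advisories sit behind the headline count. In the first report only two root advisories (got and jpeg-js) produce "12 vulnerabilities", because npm counts each transitive dependent (@electron/get, electron, ..., png-to-ico) at the root's severity, and both roots only offer a breaking `--force` fix. The excerpt is constructed from that report with the same GHSA ids; the `node_modules/` path lines are kept, the "Will install" lines are omitted.

```javascript
// Constructed excerpt in the flattened form shown above (no blank lines, indentation lost).
const SAMPLE = `got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via \`npm audit fix --force\`
node_modules/got
@electron/get *
Depends on vulnerable versions of got
node_modules/@electron/get
electron >=7.0.0-beta.1
Depends on vulnerable versions of @electron/get
node_modules/electron
jpeg-js <0.4.4
Severity: high
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
fix available via \`npm audit fix --force\`
node_modules/jpeg-js
png-to-ico >=2.0.1
Depends on vulnerable versions of jpeg-js
node_modules/png-to-ico
5 vulnerabilities (3 moderate, 2 high)`;

// Package line + "Severity:" opens a root advisory; package line + "Depends on ..." is its dependent.
function parseAudit(text) {
  const lines = text.split("\n").map((l) => l.trim()).filter(Boolean);
  const roots = []; let cur = null, reported = null, m;
  lines.forEach((line, i) => {
    const next = lines[i + 1] || "", [name, ...range] = line.split(" ");
    if ((m = line.match(/^(\d+) vulnerabilit(?:y|ies) \(/))) reported = +m[1];
    else if (line.startsWith("Severity: ")) cur.severity = line.slice(10);
    else if ((m = line.match(/advisories\/(GHSA-[\w-]+)$/))) cur.advisories.push(m[1]);
    else if (line.startsWith("fix available")) cur.breaking = line.includes("--force");
    else if (next.startsWith("Severity: "))
      roots.push((cur = { name, range: range.join(" "), advisories: [], dependents: [] }));
    else if (next.startsWith("Depends on") && !line.startsWith("Depends on"))
      cur.dependents.push({ name, range: range.join(" ") });
  });
  return { roots, reported };
}

// npm counts each affected node (root plus every dependent) at the root's severity.
function summarize({ roots, reported }) {
  const bySeverity = {};
  for (const r of roots)
    bySeverity[r.severity] = (bySeverity[r.severity] || 0) + 1 + r.dependents.length;
  const total = Object.values(bySeverity).reduce((a, b) => a + b, 0);
  return { rootAdvisories: roots.length, total, bySeverity, matchesReported: total === reported,
    needsForce: roots.filter((r) => r.breaking).map((r) => r.name) };
}
```

On a real project, feed the output of `npm audit` to parseAudit before deciding on `--force`: the root count and the needsForce list tell you whether the remaining findings are upstream (a breaking bump of electron or electron-builder) rather than anything fixable locally.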
I was able to get the number of issues down to 7 but it seems like we might need to wait for some upstream fixes to solve the rest.
I will try giving it another shot soon though. But in the meantime I'm going to push a new version with the fixes that I've made so far, because there's too many of them active in the current version.
More updates in #163, but some minor vulnerabilities are still not fixable.
This was already fixed in merged PRs. Closing. Thanks.