security issues in v7 dependencies

Open willdurand opened this issue 2 years ago • 13 comments

> [email protected] audit-deps /home/circleci/web-ext
> node ./scripts/audit-deps

== audit-deps: blocking security issues

request (https://github.com/advisories/GHSA-p8p7-x288-28g6):
  2.88.2, paths: sign-addon>request

willdurand avatar Mar 20 '23 10:03 willdurand
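The `audit-deps` output above comes from web-ext's own `scripts/audit-deps`, which is not reproduced in this thread. As an added example (not the project's script), the Node program below implements the same kind of CI gate over the JSON that `npm audit --json` emits: it blocks on advisories at or above a severity threshold, honours an explicit allowlist keyed by advisory URL, and prints the `parent>child` chain that pulls each vulnerable package in. The sample report is constructed; only the `request` advisory URL is taken from the thread, and the second package with its `GHSA-xxxx-xxxx-xxxx` URL is a placeholder.

```javascript
// Added example (not web-ext's own scripts/audit-deps): a CI gate over the JSON
// that `npm audit --json` emits (npm 7+, "auditReportVersion": 2). It blocks on
// any advisory at or above a severity threshold unless its advisory URL is on an
// explicit allowlist, and reports the chain of packages that pulls the
// vulnerable one in, in the "parent>child" form shown in the thread's output.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Follow `effects` (the packages that depend on a vulnerable package) upward
// until a direct dependency is reached, producing "sign-addon>request" style
// chains. `seen` guards against cycles in the effects graph.
function dependencyChains(vulns, name, seen = new Set()) {
  const entry = vulns[name];
  const parents = (entry && entry.effects) || [];
  if (parents.length === 0 || seen.has(name)) return [name];
  seen.add(name);
  const chains = [];
  for (const parent of parents) {
    for (const chain of dependencyChains(vulns, parent, new Set(seen))) {
      chains.push(`${chain}>${name}`);
    }
  }
  return chains;
}

// Return the advisories that should fail the build. Only `via` entries that are
// objects carry an advisory; string entries mean "vulnerable because it depends
// on <that package>", and the advisory is reported on that package instead.
function findBlockingIssues(report, { minSeverity = 'moderate', allowlist = [] } = {}) {
  if (report.auditReportVersion !== 2) {
    throw new Error(`unsupported audit report version: ${report.auditReportVersion}`);
  }
  const vulns = report.vulnerabilities;
  const issues = [];
  for (const [name, entry] of Object.entries(vulns)) {
    for (const adv of entry.via) {
      if (typeof adv !== 'object') continue;
      if (SEVERITY_RANK[adv.severity] < SEVERITY_RANK[minSeverity]) continue;
      if (allowlist.includes(adv.url)) continue;
      issues.push({
        name,
        url: adv.url,
        severity: adv.severity,
        range: adv.range,
        paths: dependencyChains(vulns, name),
        nodes: entry.nodes,
        fixAvailable: entry.fixAvailable,
      });
    }
  }
  return issues;
}

function formatIssues(issues) {
  const lines = ['== audit-deps: blocking security issues', ''];
  for (const issue of issues) {
    lines.push(`${issue.name} (${issue.url}):`);
    lines.push(`  ${issue.severity}, vulnerable range ${issue.range}, paths: ${issue.paths.join(', ')}`);
  }
  return lines.join('\n');
}

// Constructed sample report shaped like `npm audit --json` output. The `request`
// advisory URL is the one from the thread; its severity, range and the second
// package (including its placeholder GHSA URL) are made up for this example.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    request: {
      name: 'request', severity: 'moderate', isDirect: false,
      via: [{ source: 0, name: 'request', dependency: 'request', title: 'constructed sample title',
        url: 'https://github.com/advisories/GHSA-p8p7-x288-28g6', severity: 'moderate', range: '<=2.88.2' }],
      effects: ['sign-addon'], range: '*', nodes: ['node_modules/request'], fixAvailable: false,
    },
    'sign-addon': {
      name: 'sign-addon', severity: 'moderate', isDirect: true,
      via: ['request'], effects: [], range: '*', nodes: ['node_modules/sign-addon'], fixAvailable: false,
    },
    'example-low-pkg': {
      name: 'example-low-pkg', severity: 'low', isDirect: true,
      via: [{ source: 0, name: 'example-low-pkg', dependency: 'example-low-pkg', title: 'constructed sample title',
        url: 'https://github.com/advisories/GHSA-xxxx-xxxx-xxxx', severity: 'low', range: '<1.0.0' }],
      effects: [], range: '*', nodes: ['node_modules/example-low-pkg'], fixAvailable: true,
    },
  },
};

const blocking = findBlockingIssues(SAMPLE_REPORT);
console.log(blocking.length ? formatIssues(blocking) : 'audit-deps: no blocking issues');
```

In a CI job, replace `SAMPLE_REPORT` with the parsed output of `npm audit --json` and set `process.exitCode = 1` when the returned list is non-empty; keep a reason and a review date next to every allowlisted URL so suppressed advisories are revisited rather than forgotten.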

Shame that https://github.com/mozilla/web-ext/pull/2688 wasn't included in the last hotfix

@willdurand any ETA for when will a new version be released?

Araxeus avatar Apr 20 '23 15:04 Araxeus

@Araxeus That wouldn't help anyhow. sign-addon 6.0.0 still depends on request 2.88.2

hymccord avatar Apr 26 '23 16:04 hymccord

See also: https://github.com/mozilla/web-ext/pull/2822#issuecomment-1640054212

willdurand avatar Jul 18 '23 12:07 willdurand

It's not just request which is the issue here; sign-addon is no longer maintained.

aspiers avatar May 05 '24 17:05 aspiers

Yeah, sign-addon is no longer maintained because we're about to release web-ext v8.

willdurand avatar May 06 '24 07:05 willdurand

There is a new one:

jose (https://github.com/advisories/GHSA-hhhv-q57g-882q):
  4.13.1, paths: jose

willdurand avatar May 27 '24 19:05 willdurand

Is https://github.com/mozilla/web-ext/issues/3106 a duplicate of this?

Rob--W avatar May 27 '24 19:05 Rob--W

> Is #3106 a duplicate of this?

I think so, yeah

willdurand avatar May 27 '24 19:05 willdurand

There is still a warning in v8.0.0, this time asking to downgrade to 5.3.0:

express  <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/express
  addons-scanner-utils  *
  Depends on vulnerable versions of express
  node_modules/addons-linter/node_modules/addons-scanner-utils
    addons-linter  >=2.11.0
    Depends on vulnerable versions of addons-scanner-utils
    node_modules/addons-linter
      web-ext  >=5.4.0
      Depends on vulnerable versions of addons-linter
      node_modules/web-ext

GabenGar avatar Jun 07 '24 15:06 GabenGar

I am not clear on how you are getting this, could you please paste the full command?

willdurand avatar Jun 10 '24 07:06 willdurand

You can trigger this audit message if you install web-ext and express in the same project:

mkdir test
cd test
npm init --yes
npm install --save-dev web-ext
npm audit
npm install [email protected]
npm audit

Then clean up the folder and install them in a different order, thus proving express is not the sole source of the warning:

npm uninstall express web-ext
rm --recurse node_modules package-lock.json
npm install [email protected]
npm audit
npm install --save-dev web-ext
npm audit

Resorting to the drastic measure of nuking node_modules and package-lock.json because I found the warning persists without doing it. The source of the problem probably goes deeper than addons-linter, because the warning exists even with 8.1.0.

GabenGar avatar Jun 17 '24 11:06 GabenGar
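The `npm audit` tree above only shows the nodes npm chose to report, and the reproduction relies on reinstalling to see which package drags `express` in. As an added example (not part of web-ext or npm), the script below answers that question directly from `package-lock.json` (lockfileVersion 2 or 3): it resolves every dependency the way Node does, nearest `node_modules` first and then walking up, and lists each chain from the project root to a named package. The lockfile fragment is constructed to mirror the thread's tree; only the package names, web-ext 8.1.0 and the `<4.19.2` express range come from the thread, all other versions and ranges are placeholders.

```javascript
// Added example, not part of web-ext: given a package-lock.json (lockfileVersion
// 2 or 3), list every dependency chain from the project root to a named package,
// resolving each dependency the way Node does, nearest node_modules first, then
// walking up. This shows what actually pulls a flagged package in, which an
// `npm audit` tree only shows for the vulnerable nodes it happens to report.

// "node_modules/a/node_modules/@s/b" -> "@s/b"; "" (the root) stays "".
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? lockPath : lockPath.slice(idx + 'node_modules/'.length);
}

// Strip the trailing "node_modules/<name>" (scoped or not); "" means the root.
function parentPath(lockPath) {
  return lockPath.replace(/(^|\/)node_modules\/(@[^/]+\/)?[^/]+$/, '');
}

// Node-style resolution: look in the package's own node_modules, then in each
// ancestor's, until the root; null if the lockfile has no such entry.
function resolveDependency(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = `${dir ? dir + '/' : ''}node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (dir === '') return null;
    dir = parentPath(dir);
  }
}

// Depth-first walk over the lockfile graph. Returns one record per distinct
// chain that ends at `target`, with the lockfile path and version it resolves to.
function chainsTo(packages, target) {
  const results = [];
  const visit = (lockPath, chain, onStack) => {
    const pkg = packages[lockPath];
    if (!pkg) return;
    // devDependencies only matter at the root; an installed package's own
    // devDependencies are never installed.
    const deps = { ...(pkg.dependencies || {}), ...(lockPath === '' ? pkg.devDependencies || {} : {}) };
    for (const depName of Object.keys(deps)) {
      const resolved = resolveDependency(packages, lockPath, depName);
      if (resolved === null || onStack.has(resolved)) continue; // missing entry or cycle
      const nextChain = [...chain, depName];
      if (depName === target) {
        results.push({ chain: nextChain.join('>'), path: resolved, version: packages[resolved].version });
      }
      visit(resolved, nextChain, new Set([...onStack, resolved]));
    }
  };
  visit('', [], new Set(['']));
  return results;
}

// Constructed lockfile fragment mirroring the thread's audit tree. Only the
// package names, web-ext 8.1.0 and an express version inside the <4.19.2 range
// relate to the thread; the other versions and ranges are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'test', dependencies: { express: '4.18.2' }, devDependencies: { 'web-ext': '8.1.0' } },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/web-ext': { version: '8.1.0', dependencies: { 'addons-linter': '0.0.0-placeholder' } },
    'node_modules/addons-linter': { version: '0.0.0-placeholder', dependencies: { 'addons-scanner-utils': '*' } },
    'node_modules/addons-linter/node_modules/addons-scanner-utils': {
      version: '0.0.0-placeholder', dependencies: { express: '*' },
    },
  },
};

for (const hit of chainsTo(SAMPLE_LOCK.packages, 'express')) {
  console.log(`${hit.chain}  (${hit.path}@${hit.version})`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Because resolution walks up the tree, a nested `addons-scanner-utils` resolves to the hoisted top-level `express`, which is exactly why the warning survives reinstalling in either order: both the root and the transitive consumer end up on the same flagged copy.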

Is there a reason why web-ext uses strict dependencies? For example, ws has a vulnerability in 8.17.0, but we can't automatically update to the minor version 8.17.1 that fixes it, because web-ext is specifying the strict dependency.

(if it is better to raise this in a new issue, I'm happy to do so).

Standard8 avatar Jun 19 '24 07:06 Standard8
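The point in the comment above is a semver one: a bare `8.17.0` spec admits exactly that version, while `^8.17.0` would already admit the `8.17.1` fix. As an added example (not part of web-ext or npm), the script below implements just enough of npm's range syntax (exact pins, `^` and `~`; no prerelease tags or compound ranges) to run over the `dependencies` map of the package that declares the pins and report which fixes are reachable without a new release of that package. The `ws` and `express` fix versions are the ones named in the thread; the specs and `some-dep` are placeholders.

```javascript
// Added example, not part of web-ext: a minimal semver range check (exact pin,
// "^" caret and "~" tilde only, no prerelease tags or compound ranges) used to
// show which dependency specs let a fresh install or `npm update` pick up a
// patched version on their own, and which ones hold it back until the package
// that declares them ships a release.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "^1.2.3" allows <2.0.0; "^0.2.3" allows <0.3.0; "^0.0.3" allows only 0.0.3.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const r = String(range).trim();
  if (r.startsWith('^')) {
    const lo = parseVersion(r.slice(1));
    return compareVersions(v, lo) >= 0 && compareVersions(v, caretUpperBound(lo)) < 0;
  }
  if (r.startsWith('~')) {
    const lo = parseVersion(r.slice(1));
    return compareVersions(v, lo) >= 0 && compareVersions(v, [lo[0], lo[1] + 1, 0]) < 0;
  }
  return compareVersions(v, parseVersion(r)) === 0; // a bare version is an exact pin
}

// For each advisory, say whether the spec already admits the fixed version
// ("reachable") or whether the spec itself must be changed ("pinned").
function auditPins(dependencies, advisories) {
  return advisories
    .filter((adv) => adv.name in dependencies)
    .map((adv) => {
      const spec = dependencies[adv.name];
      return {
        name: adv.name,
        spec,
        fixedIn: adv.fixedIn,
        status: satisfies(adv.fixedIn, spec) ? 'reachable' : 'pinned',
      };
    });
}

// Constructed input: the ws and express fix versions are the ones named in the
// thread; the specs and `some-dep` are placeholders standing for a package.json.
const SAMPLE_DEPENDENCIES = { ws: '8.17.0', express: '^4.18.2', 'some-dep': '~1.4.0' };
const SAMPLE_ADVISORIES = [
  { name: 'ws', fixedIn: '8.17.1' },
  { name: 'express', fixedIn: '4.19.2' },
  { name: 'some-dep', fixedIn: '1.5.0' },
];

for (const row of auditPins(SAMPLE_DEPENDENCIES, SAMPLE_ADVISORIES)) {
  console.log(`${row.name} ${row.spec}: fix ${row.fixedIn} is ${row.status}`);
}
```

Pinning trades one risk for another: exact specs make builds reproducible and shield against a hijacked minor release, but every security patch in a pinned transitive dependency then waits for the pinning package to publish. A lockfile gives the reproducibility without that cost, which is why a library that ships a lockfile to its own CI can usually afford range specs in `package.json`.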

sign-addon and request are no longer part of web-ext.

This issue can be closed.

fregante avatar Aug 04 '24 18:08 fregante