stream-http

Monitoring ua-parser-js package dependency

Open ryank425 opened this issue 4 years ago • 5 comments

This package has ua-parser-js as one of its devDependencies; it is listed in package.json:

"devDependencies": {
 ...
   "ua-parser-js": "^0.7.28",
   ...
 }

According to CISA: "CISA urges users and administrators using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1"
https://us-cert.cisa.gov/ncas/current-activity/2021/10/22/malware-discovered-popular-npm-package-ua-parser-js

Is this package safe to bump up the version to 0.7.30 or higher? Does "^0.7.28" guarantee that this package will not install compromised versions on npm install?

ryank425 avatar Oct 24 '21 21:10 ryank425

Does "^0.7.28" guarantee that this package will not install compromised versions on npm install?

Well … not by itself, since ^0.7.28 means "any version with major 0, minor 7 and at least patch 28" (see npm's SemVer calculator).

But it seems like the malicious versions have been removed from npm, so ^0.7.28 should be safe in practice (but don't quote me on that).

$ npm install --save ua-parser-js@^0.7.28

added 1 package, and audited 2 packages in 545ms

1 package is looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ cat package.json 
{
  […]
  "dependencies": {
    "ua-parser-js": "^0.7.30"
  }
}

$ cat package-lock.json 
{
  […]
  "packages": {
    […]
    "node_modules/ua-parser-js": {
      "version": "0.7.30",
      "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.30.tgz",
      "integrity": "sha512-uXEtSresNUlXQ1QL4/3dQORcGv7+J2ookOG2ybA/ga9+HYEXueT2o+8dUJQkpedsyTyCJ6jCCirRcKtdtx1kbg==",
      […]
    }
  },
  "dependencies": {
    "ua-parser-js": {
      "version": "0.7.30",
      "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.30.tgz",
      "integrity": "sha512-uXEtSresNUlXQ1QL4/3dQORcGv7+J2ookOG2ybA/ga9+HYEXueT2o+8dUJQkpedsyTyCJ6jCCirRcKtdtx1kbg=="
    }
  }
}

$ npm install --save [email protected]
npm ERR! code ETARGET
npm ERR! notarget No matching version found for [email protected].
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

SimonAlling avatar Oct 25 '21 11:10 SimonAlling
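As an added example (not code from the thread or from stream-http), a small Node script that applies caret, `>=` and exact range semantics by hand to the versions named in the CISA advisory, and scans a constructed package-lock.json fragment for a resolved ua-parser-js version in the compromised set. The names `COMPROMISED`, `PATCHED`, `satisfies`, `admitted`, `auditLock` and `sampleLock` are this example's own, and the range logic covers only the three range shapes used in this thread rather than the full semver grammar.

```javascript
// Added example: which advisory versions does a range admit, and does a
// lockfile resolve ua-parser-js to a compromised version? Hand-rolled so it
// runs offline; it does not replace the semver package.
const COMPROMISED = ['0.7.29', '0.8.0', '1.0.0']; // from the CISA advisory
const PATCHED = ['0.7.30', '0.8.1', '1.0.1'];     // from the CISA advisory

const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// True if `version` satisfies `range` ("^x.y.z", ">=x.y.z" or exact "x.y.z").
function satisfies(range, version) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    const [bM, bm, bp] = parse(base);
    const [vM, vm, vp] = parse(version);
    if (cmp(version, base) < 0) return false;
    // Caret pins the leftmost non-zero component: major for 1.x, minor for 0.y, patch for 0.0.z.
    if (bM !== 0) return vM === bM;
    if (bm !== 0) return vM === 0 && vm === bm;
    return vM === 0 && vm === 0 && vp === bp;
  }
  if (range.startsWith('>=')) return cmp(version, range.slice(2)) >= 0;
  return cmp(version, range) === 0;
}

// Which of the advisory's versions a range would let npm install.
function admitted(range) {
  return [...COMPROMISED, ...PATCHED].filter((v) => satisfies(range, v));
}

// Flags lockfile "packages" entries whose ua-parser-js resolves to a compromised version.
function auditLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/ua-parser-js') && COMPROMISED.includes(entry.version)) {
      hits.push(`${path}@${entry.version}`);
    }
  }
  return hits;
}

// Constructed lockfile fragment, mirroring the shape shown in the thread.
const sampleLock = { packages: { 'node_modules/ua-parser-js': { version: '0.7.30' } } };

console.log('^0.7.28 admits:', admitted('^0.7.28'));
console.log('lockfile hits:', auditLock(sampleLock));
```

Run with `node` to see that `^0.7.28` still admits the compromised 0.7.29 while an exact pin or `>=0.7.30` does not.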

Hello, in order to avoid a potentially compromised package, could you fix the version like this please:

"devDependencies": {
 ...
   "ua-parser-js": "0.7.28",
   ...
 }

kirakishin avatar Oct 25 '21 12:10 kirakishin

I made these changes on my side, in order to avoid a potential issue if a new release >=0.7.x is published again:

"resolutions": {
  "ua-parser-js": "0.7.28"
}

kirakishin avatar Oct 25 '21 14:10 kirakishin

According to the advisory, version 0.7.30 is fixed.

"devDependencies": {
 ...
   "ua-parser-js": ">=0.7.30",
   ...
 }

AlexanderWright avatar Oct 27 '21 10:10 AlexanderWright

I'll look into this soon. Sorry for the delay

jhiesey avatar Jan 15 '22 01:01 jhiesey