glob-parent, got, and node-fetch security vulnerabilities for [email protected]
Describe the bug
npm flags security vulnerabilities for the packages glob-parent, got, and node-fetch after having installed the latest [email protected]
# npm audit report
glob-parent <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/netlify-cli/node_modules/cpy/node_modules/glob-parent
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
node_modules/netlify-cli/node_modules/cpy/node_modules/fast-glob
globby 8.0.0 - 9.2.0
Depends on vulnerable versions of fast-glob
node_modules/netlify-cli/node_modules/cpy/node_modules/globby
cpy 7.0.0 - 8.1.2
Depends on vulnerable versions of globby
node_modules/netlify-cli/node_modules/cpy
@netlify/cache-utils *
Depends on vulnerable versions of cpy
node_modules/netlify-cli/node_modules/@netlify/cache-utils
@netlify/build >=0.1.31
Depends on vulnerable versions of @netlify/cache-utils
Depends on vulnerable versions of @netlify/functions-utils
Depends on vulnerable versions of got
Depends on vulnerable versions of update-notifier
node_modules/netlify-cli/node_modules/@netlify/build
netlify-cli >=0.3.4
Depends on vulnerable versions of @netlify/build
Depends on vulnerable versions of gh-release-fetch
Depends on vulnerable versions of node-version-alias
Depends on vulnerable versions of update-notifier
node_modules/netlify-cli
@netlify/functions-utils *
Depends on vulnerable versions of cpy
node_modules/netlify-cli/node_modules/@netlify/functions-utils
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/netlify-cli/node_modules/@netlify/build/node_modules/got
node_modules/netlify-cli/node_modules/download/node_modules/got
node_modules/netlify-cli/node_modules/fetch-node-website/node_modules/got
node_modules/netlify-cli/node_modules/package-json/node_modules/got
download >=4.0.0
Depends on vulnerable versions of got
node_modules/netlify-cli/node_modules/download
gh-release-fetch *
Depends on vulnerable versions of download
node_modules/netlify-cli/node_modules/gh-release-fetch
fetch-node-website 2.0.0 - 5.0.3
Depends on vulnerable versions of got
node_modules/netlify-cli/node_modules/fetch-node-website
all-node-versions 2.0.0 - 8.0.0
Depends on vulnerable versions of fetch-node-website
node_modules/netlify-cli/node_modules/all-node-versions
node-version-alias <=1.0.1
Depends on vulnerable versions of all-node-versions
Depends on vulnerable versions of normalize-node-version
node_modules/netlify-cli/node_modules/node-version-alias
normalize-node-version 2.0.0 - 10.0.0
Depends on vulnerable versions of all-node-versions
node_modules/netlify-cli/node_modules/normalize-node-version
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/netlify-cli/node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/netlify-cli/node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/netlify-cli/node_modules/update-notifier
node-fetch 3.0.0 - 3.2.9
Severity: moderate
node-fetch Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-vp56-6g26-6827
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/@netlify/edge-bundler/node_modules/node-fetch
node_modules/netlify-cli/node_modules/netlify/node_modules/node-fetch
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts
25 vulnerabilities (12 moderate, 13 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Steps to reproduce
- npm i netlify-cli
- npm audit
Configuration
No response
Environment
System:
  OS: Windows 10 10.0.19044
  CPU: (16) x64 AMD Ryzen 7 1700X Eight-Core Processor
  Memory: 40.85 GB / 63.93 GB
Binaries:
  Node: 16.14.0 - C:\Program Files\nodejs\node.EXE
  npm: 8.15.1 - C:\Program Files\nodejs\npm.CMD
npmPackages:
  netlify-cli: ^10.15.0 => 10.15.0
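The audit report above is easier to act on once it is split into root causes (entries that carry an advisory) and the long tail of "Depends on vulnerable versions of ..." entries, and once each root cause is tagged with whether its fix is a semver-major change (the ones npm only offers behind `npm audit fix --force`). The following Node script is an added example, not code from the netlify/cli issue or project: it reads an `npm audit --json` report (npm's auditReportVersion 2 shape, where `via` holds advisory objects or names of other vulnerable packages and `fixAvailable` is `false`, `true` or `{ name, version, isSemVerMajor }`) and produces a triage list plus a CI gate. The embedded report is a constructed sample that mirrors two findings from the issue (glob-parent and node-fetch); the fix version in it is a placeholder.

```javascript
// Added example (not from the netlify/cli issue or project): triage an
// `npm audit --json` report offline. The report below is a constructed sample
// shaped like npm's auditReportVersion 2 output; the fix version is a placeholder.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "glob-parent": {
      name: "glob-parent", severity: "high", isDirect: false, range: "<5.1.2",
      // An object in `via` is the advisory itself: this package is a root cause.
      via: [{ name: "glob-parent", severity: "high", range: "<5.1.2",
              title: "glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex",
              url: "https://github.com/advisories/GHSA-ww39-953v-wcq6" }],
      effects: ["fast-glob"],
      nodes: ["node_modules/netlify-cli/node_modules/cpy/node_modules/glob-parent"],
      fixAvailable: { name: "netlify-cli", version: "0.0.0-placeholder", isSemVerMajor: true },
    },
    "fast-glob": {
      name: "fast-glob", severity: "high", isDirect: false, range: "<=2.2.7",
      // A string in `via` names another vulnerable package: this entry is only
      // the report's "Depends on vulnerable versions of glob-parent" line.
      via: ["glob-parent"],
      effects: ["globby"],
      nodes: ["node_modules/netlify-cli/node_modules/cpy/node_modules/fast-glob"],
      fixAvailable: { name: "netlify-cli", version: "0.0.0-placeholder", isSemVerMajor: true },
    },
    "node-fetch": {
      name: "node-fetch", severity: "moderate", isDirect: false, range: "3.0.0 - 3.2.9",
      via: [{ name: "node-fetch", severity: "moderate", range: "3.0.0 - 3.2.9",
              title: "node-fetch Inefficient Regular Expression Complexity",
              url: "https://github.com/advisories/GHSA-vp56-6g26-6827" }],
      effects: [],
      nodes: ["node_modules/netlify-cli/node_modules/netlify/node_modules/node-fetch"],
      fixAvailable: true, // fixable by plain `npm audit fix`, no breaking change
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 0, total: 3 } },
};

// Root causes: entries carrying at least one advisory object in `via`.
// Everything else in the report is a downstream "depends on" entry.
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: v.isDirect,
      advisories: v.via.filter((x) => typeof x === "object").map((x) => x.url),
      // A semver-major fix is what npm hides behind `npm audit fix --force`.
      breakingFix: typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor === true,
      fixable: v.fixAvailable !== false,
      // The first path segment under node_modules is the top-level package pulling it in.
      viaTopLevel: [...new Set(v.nodes.map((n) => n.split("/")[1]))],
    }));
}

// Reproduce npm's one-line summary, e.g. "3 vulnerabilities (1 moderate, 2 high)".
function summarize(report) {
  const m = report.metadata.vulnerabilities;
  const parts = ["info", "low", "moderate", "high", "critical"]
    .filter((s) => m[s] > 0)
    .map((s) => `${m[s]} ${s}`);
  return `${m.total} vulnerabilit${m.total === 1 ? "y" : "ies"} (${parts.join(", ")})`;
}

// CI gate: return root causes at or above `minSeverity`; with `directOnly`,
// ignore findings that live purely inside a tool's own dependency tree.
function gate(report, { minSeverity = "high", directOnly = false } = {}) {
  return rootCauses(report).filter(
    (c) => SEVERITY_RANK[c.severity] >= SEVERITY_RANK[minSeverity] && (!directOnly || c.direct)
  );
}

console.log(summarize(sampleReport));
for (const c of rootCauses(sampleReport)) {
  console.log(`${c.name} [${c.severity}] direct=${c.direct} breakingFix=${c.breakingFix} via=${c.viaTopLevel.join(",")}`);
  for (const url of c.advisories) console.log(`  ${url}`);
}
console.log("gate(high):", gate(sampleReport).map((c) => c.name));
console.log("gate(high, directOnly):", gate(sampleReport, { directOnly: true }).map((c) => c.name));
```

On the sample this reduces three report entries to two root causes, both reached only through netlify-cli and neither a direct dependency, so a gate configured with `directOnly: true` stays green while the default gate still flags the high-severity glob-parent advisory. To run it against a real tree, replace `sampleReport` with `JSON.parse` of the `npm audit --json` output.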
Thanks for reporting.
@danez - any update on when we might be able to get this resolved?
@danez @AndyTurnerNetlify any update? Thanks.
I think we cannot solve this right now, because there are some dependencies that we cannot yet update because of either ESM compatibility or node version restrictions.
OK thanks for the explanation.
With the current version (v12.12.0) netlify-cli is still producing some security warnings:
Preparation:
npm init --yes
npm install --save-dev netlify-cli
Audit netlify-cli:
npm audit
# npm audit report
decode-uri-component <0.2.1
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/decode-uri-component
glob-parent <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/netlify-cli/node_modules/@netlify/cache-utils/node_modules/glob-parent
node_modules/netlify-cli/node_modules/@netlify/functions-utils/node_modules/glob-parent
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
node_modules/netlify-cli/node_modules/@netlify/cache-utils/node_modules/cpy/node_modules/fast-glob
node_modules/netlify-cli/node_modules/@netlify/functions-utils/node_modules/fast-glob
globby 8.0.0 - 9.2.0
Depends on vulnerable versions of fast-glob
node_modules/netlify-cli/node_modules/@netlify/cache-utils/node_modules/cpy/node_modules/globby
node_modules/netlify-cli/node_modules/@netlify/functions-utils/node_modules/globby
cpy 7.0.0 - 8.1.2
Depends on vulnerable versions of globby
node_modules/netlify-cli/node_modules/@netlify/cache-utils/node_modules/cpy
node_modules/netlify-cli/node_modules/@netlify/functions-utils/node_modules/cpy
@netlify/cache-utils *
Depends on vulnerable versions of cpy
node_modules/netlify-cli/node_modules/@netlify/cache-utils
@netlify/build >=0.1.31
Depends on vulnerable versions of @netlify/cache-utils
Depends on vulnerable versions of @netlify/functions-utils
node_modules/netlify-cli/node_modules/@netlify/build
netlify-cli >=2.13.0
Depends on vulnerable versions of @netlify/build
Depends on vulnerable versions of gh-release-fetch
node_modules/netlify-cli
@netlify/functions-utils *
Depends on vulnerable versions of cpy
node_modules/netlify-cli/node_modules/@netlify/functions-utils
got <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/netlify-cli/node_modules/download/node_modules/got
download >=4.0.0
Depends on vulnerable versions of got
node_modules/netlify-cli/node_modules/download
gh-release-fetch *
Depends on vulnerable versions of download
node_modules/netlify-cli/node_modules/gh-release-fetch
http-cache-semantics <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/netlify-cli/node_modules/download/node_modules/http-cache-semantics
cacheable-request 0.1.0 - 2.1.4
Depends on vulnerable versions of http-cache-semantics
node_modules/netlify-cli/node_modules/download/node_modules/cacheable-request
14 vulnerabilities (1 low, 2 moderate, 11 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
In addition to the security vulnerabilities, there are also 5 deprecation notices in [email protected]:
$ npm init -y
$ npm install netlify-cli@15
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
All packages are now at secure versions and npm audit does not report any security issues anymore.
The deprecated packages are something that we will also address at some point and I opened a new issue for that: https://github.com/netlify/cli/issues/5724