
npm audit report semver vulnerability

Open • plynchnlm opened this issue 11 months ago • 1 comment

Describe the bug
After installing fhirclient, npm audit will report the following:

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix
node_modules/@expo/image-utils/node_modules/semver
  @expo/image-utils  <=0.0.1-canary-20240109-93608d8 || >=0.3.10-alpha.0
  Depends on vulnerable versions of semver
  node_modules/@expo/image-utils
    @expo/cli  <=0.0.0-canary-20231123-1b19f96-4 || >=0.0.1-canary-20231125-d600e44
    Depends on vulnerable versions of @expo/image-utils
    Depends on vulnerable versions of @expo/prebuild-config
    node_modules/@expo/cli
      expo  >=50.0.0-alpha.0
      Depends on vulnerable versions of @expo/cli
      node_modules/expo
    @expo/prebuild-config  *
    Depends on vulnerable versions of @expo/image-utils
    node_modules/@expo/cli/node_modules/@expo/prebuild-config

5 moderate severity vulnerabilities

To Reproduce
npm install fhirclient

Expected behavior
No vulnerabilities.

Additional context
npm audit has been reporting these vulnerabilities for around a year, I think. I've been waiting for an update to this package, and when I saw an update was made last month, I hoped these would be fixed, but not yet.

I did some investigation in package-lock.json, because the above error messages from npm are not very enlightening. It seems fhirclient depends on isomorphic-webcrypto (not updated for 3 years), which has an optional dependency on "expo-random", which is a deprecated package, and which is likely the cause of the above expo-related problems. Running npm install --no-optional avoids the problem, but I don't know what downsides there are to leaving out all optional packages, and I don't see a way to leave out only expo-random.

plynchnlm • Mar 13 '24 00:03

isomorphic-webcrypto was archived earlier this month and appears to be required solely to support Internet Explorer 11 and Safari versions prior to Safari 11. These browsers appear to have a global usage of just above 0.5%. It is, unfortunately, somewhat more likely that a FHIR environment is going to be using IE11 via an embedded MSHTML control in an EHR, but the fact remains, these are old and unsupported browsers.

It may be time to remove isomorphic-webcrypto and use the WebCrypto APIs directly, while telling users who still need IE11 support to use webcrypto-shim.

dmpotter44 • Sep 25 '24 19:09