
@stoplight/elements vulnerable to CVE-2020-7598

Open AaronSterlingGENEICD opened this issue 4 years ago • 4 comments

Describe the bug

@stoplight/elements depends on json-schema-generator, which uses the legacy optimist package. optimist is vulnerable to CVE-2020-7598. Since optimist has not been updated for 8 years, teams are switching to other libraries. (Example) However, json-schema-generator has not been updated for 4 years, so is unlikely to move off optimist. Hence, my bug report to stoplight!

To Reproduce

Install @stoplight/elements 6 or later, and run npm audit --production.

Expected behavior

npm reports no production vulnerabilities.

Additional context

Angular 13 / @stoplight/elements

Screenshots

Output of npm audit --production:

minimist  <0.2.1
Severity: moderate
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install @stoplight/[email protected], which is a breaking change
node_modules/optimist/node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist
    json-schema-generator  *
    Depends on vulnerable versions of optimist
    node_modules/json-schema-generator
      @stoplight/http-spec  2.11.0 - 4.3.0
      Depends on vulnerable versions of json-schema-generator
      node_modules/@stoplight/http-spec
        @stoplight/elements  >=6.0.0-alpha.1
        Depends on vulnerable versions of @stoplight/elements-core
        Depends on vulnerable versions of @stoplight/http-spec
        node_modules/@stoplight/elements

Environment (remove any that are not applicable)

Worth noting: npm audit fix --force does not fix the problem.

Would it be possible to move off json-schema-generator?

We are currently using Stoplight as: served by AWS Cloudfront for a low-impact developer documentation website, as an advanced proof of concept. It looks great -- thank you so much. But we've also made a note on the calendar to find a different solution if the prod vulnerabilities are not eventually remediated. We can only use Stoplight long-term if npm audit --production returns 0 vulnerabilities.

AaronSterlingGENEICD avatar Dec 31 '21 09:12 AaronSterlingGENEICD

@mnaumanali94 ping!

philsturgeon avatar Jan 04 '22 16:01 philsturgeon

Hey team! Please add your planning poker estimate with ZenHub @mallachari @mmiask @mpodlasin @Nezteb @paulatulis @wmhilton @domagojk

mnaumanali94 avatar Jan 11 '22 15:01 mnaumanali94

I will just add it appears that we are using json-schema-generator in literally one line of http-spec, so I guess swapping it for something shouldn't be too difficult.

mpodlasin avatar Jan 18 '22 13:01 mpodlasin

Probably a good idea to ditch that dependency anyway as it's not been updated for four years and is based on draft4.


Stoplight does have an old fork knocking around used by api-spec-converter (defunct and should be deleted) which could be updated if you wanted to make a quick change, but finding something else is probably an option.

philsturgeon avatar Jan 20 '22 11:01 philsturgeon