Security concerns based on yarn audit #382

Open
aval13 opened this issue Sep 2, 2021 · 1 comment
Labels
issue: bug Something isn't working

aval13 commented Sep 2, 2021

Running yarn audit on the code produces a worrying output:
1212 vulnerabilities found - Packages audited: 1790
Severity: 48 Low | 161 Moderate | 1003 High
Done in 8.68s.

Expected Behavior

Not report any vulnerability or only a few Lows (maybe).

Current Behavior

1003 High vulnerabilities identified.
Out of all these, 12 CVEs reported,
https://www.npmjs.com/advisories/1603
https://www.npmjs.com/advisories/1654
https://www.npmjs.com/advisories/1673
https://www.npmjs.com/advisories/1678
https://www.npmjs.com/advisories/1679
https://www.npmjs.com/advisories/1753
https://www.npmjs.com/advisories/1762
https://www.npmjs.com/advisories/1770
https://www.npmjs.com/advisories/1771
https://www.npmjs.com/advisories/1779
https://www.npmjs.com/advisories/1780
https://www.npmjs.com/advisories/1781

Possible Solution

Maybe update the version requirements for packages so no vulnerable versions are pulled in?
Also maybe cut on the required modules (split the list into dev and production, now all are production required)?
Downloading 1567 modules seems a bit excessive (although yarn audit reports 1790 packages).
The "Linking dependencies" step performs 97856 checks.

Steps to Reproduce

Run:
yarn audit
or
yarn audit --modules-folder /opt/sensu/yarn/node_modules
based on how yarn install was run.

Context

I am trying NOT to deploy a vulnerable application in a production environment.

Your Environment

  • Sensu version used (sensuctl, sensu-backend, and/or sensu-agent): 6.4.0 (not relevant in this context)
  • Installation method (packages, binaries, docker etc.): yarn and nodejs installed from official upstream debs
  • Operating System and version (e.g. Ubuntu 14.04): Debian 10
  • Browser used: not relevant in this context

Yarn version:

# yarn --version
1.22.5
# apt-cache policy yarn | head
yarn:
  Installed: 1.22.5-1
  Candidate: 1.22.5-1
  Version table:
 *** 1.22.5-1 500
        500 https://dl.yarnpkg.com/debian stable/main amd64 Packages
        500 https://dl.yarnpkg.com/debian stable/main all Packages
        100 /var/lib/dpkg/status
     1.22.4-1 500
        500 https://dl.yarnpkg.com/debian stable/main amd64 Packages
[..CUT..]
@aval13 aval13 added the issue: bug Something isn't working label Sep 2, 2021

aval13 commented Sep 2, 2021

8 packages affected by High (--level high) vulnerabilities:
  • immer
  • lodash
  • prismjs
  • tar
  • trim-newlines
  • ua-parser-js
  • url-parse
  • y18n

PR #379 would fix 1 of them, 7 remaining.

9 packages affected by Moderate (--level moderate produces 17 packages output).
PR #380 would fix one of them.
