npm audit fix downgrades to 2.0.0-dev9 #1784

Open
tsondergaard opened this issue Jan 26, 2023 · 9 comments

Comments

@tsondergaard

Version info:

2.0.0-28

Steps to reproduce:

mkdir example
cd example
npm init --force
npm install --save artillery
npx artillery version
npm audit fix
npx artillery version

Shell session running the commands above with some long irrelevant output replaced with ...:

$ mkdir example
$ cd example
$ npm init --force
...
...
$ npm install --save artillery
...
...
7 vulnerabilities (4 moderate, 2 high, 1 critical)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

$ npx artillery version
...
...
VERSION INFO:

Artillery: 2.0.0-28
Node.js:   v18.1.0
OS:        linux

$ npm audit fix
npm WARN audit fix [email protected] node_modules/tap/node_modules/minimatch
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/tap
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the tap package.
npm WARN audit fix [email protected] node_modules/tap/node_modules/json5
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/tap
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the tap package.
npm WARN audit fix [email protected] node_modules/tap/node_modules/minimist
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/tap
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the tap package.
npm WARN deprecated [email protected]: This module relies on Node.js's internals and will break at some point. Do not use it, and update to [email protected].
npm WARN deprecated [email protected]: flatten is deprecated in favor of utility frameworks such as lodash.
npm WARN deprecated [email protected]: The sprintf package is deprecated in favor of sprintf-js.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: This version of Artillery is outdated, please upgrade to a more recent one.

added 446 packages, removed 754 packages, changed 41 packages, and audited 817 packages in 10s

110 packages are looking for funding
  run `npm fund` for details

# npm audit report

dot-prop  <4.2.1
Severity: high
dot-prop Prototype Pollution vulnerability - https://github.com/advisories/GHSA-ff7x-qrg7-qggm
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/utils-is-little-endian/node_modules/dot-prop
  configstore  2.0.0 - 2.1.0 || 3.1.3
  Depends on vulnerable versions of dot-prop
  node_modules/utils-is-little-endian/node_modules/configstore
    update-notifier  0.2.0 - 5.1.0
    Depends on vulnerable versions of configstore
    Depends on vulnerable versions of latest-version
    node_modules/artillery-pro/node_modules/update-notifier
    node_modules/ava/node_modules/update-notifier
    node_modules/update-notifier
    node_modules/utils-is-little-endian/node_modules/update-notifier
      artillery  >=1.5.7-0
      Depends on vulnerable versions of artillery-pro
      Depends on vulnerable versions of ava
      Depends on vulnerable versions of update-notifier
      node_modules/artillery
      ava  0.1.0 - 4.0.0-rc.1
      Depends on vulnerable versions of update-notifier
      node_modules/ava

ejs  <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/ejs
  artillery-pro  *
  Depends on vulnerable versions of cfn
  Depends on vulnerable versions of ejs
  Depends on vulnerable versions of jsonwebtoken
  Depends on vulnerable versions of update-notifier
  node_modules/artillery-pro

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/artillery-pro/node_modules/package-json/node_modules/got
node_modules/package-json/node_modules/got
node_modules/utils-is-little-endian/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/artillery-pro/node_modules/package-json
  node_modules/package-json
  node_modules/utils-is-little-endian/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/artillery-pro/node_modules/latest-version
    node_modules/latest-version
    node_modules/utils-is-little-endian/node_modules/latest-version

jsonwebtoken  <=8.5.1
Severity: high
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
fix available via `npm audit fix`
node_modules/jsonwebtoken

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow
    cfn  >=1.6.0
    Depends on vulnerable versions of meow
    node_modules/cfn

14 vulnerabilities (4 moderate, 7 high, 3 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
$ npx artillery version

ARTILLERY DEV PREVIEW 🚀
Please report bugs on https://github.com/artilleryio/artillery/issues

artillery/2.0.0-dev9 linux-x64 node-v18.1.0

I expected to see this happen:
I expected npm audit fix to fix the problems.

Instead, this happened:

npm audit fix downgraded from 2.0.0-28 to 2.0.0-dev9 which just has other/more issues. It seems to me that there is something screwed up with the version numbers since npm audit fix considers it valid to move from 2.0.0-28 to 2.0.0-dev9.

@bemanuel-trove

Seeing the same. Also, the critical vulnerability is probably an even bigger issue. @hassy

@hassy
Member

hassy commented Feb 8, 2023

Thank you for the report! Can confirm, I'm able to reproduce it. We'll need to look into it. The behavior is odd as 2.0.0-dev9 was never tagged as a latest release and has been deprecated, but for some reason npm audit fix must see it as the most recent version that satisfies some advisory in v2.0.0-28.

@bemanuel-trove

Thanks, @hassy! Any ideas on the critical vulnerabilities? Would you like me to create a separate issue for that?

@tsondergaard
Author

Still an issue with 2.0.0-33.

@hassy
Member

hassy commented Jul 11, 2023

We've upgraded a bunch of dependencies recently (e.g. see #1971 and #1933). There are still a couple of dependencies that seem to be causing this issue, we're looking into it!

@carlasuarez

Is there any update on this issue?

@tsondergaard
Author

Still an issue with 2.0.0-38.

I want to be able to run npm audit fix on my project. I have opened a support case with npm support to see if they can do something in the registry to prevent downgrades to that old 2.0.0-dev9 version of artillery. If they report back with suggestions for something the artillery project needs to do I will add the information here.

@tsondergaard
Author

@hassy would you consider trying to unpublish or deprecate 2.0.0-dev9, possibly all 2.0.0-devX packages and see if that fixes the "npm audit fix" issue downgrading to old packages?

@tsondergaard
Author

Ah, I see it is already deprecated.
