
Security vulnerability in passport-azure-ad > bunyan > mv > mkdirp > minimist dependency chain #4633

Closed
ydogandjiev opened this issue Mar 27, 2022 · 9 comments
Assignees
Labels
bug A problem that needs to be fixed for the feature to function as intended. dependencies Pull requests that update a dependency file passport-azure-ad Related to the passport-azure-ad library

Comments

@ydogandjiev

Core Library

Passport Azure AD (passport-azure-ad)

Core Library Version

4.3.1

Wrapper Library

Not Applicable

Wrapper Library Version

None

Description

The following dependency chaining originating in passport-azure-ad introduces a security vulnerability which is getting flagged by GitHub's Dependabot:
passport-azure-ad > bunyan > mv > mkdirp > minimist

The issue was reported to bunyan a while back but it looks like the project's maintainers have no interest in fixing it (or the resources to do so):
trentm/node-bunyan#667

Can you please consider removing passport-azure-ad's dependency on bunyan in order to eliminate this high severity vulnerability?


Error Message

No response

Msal Logs

No response

MSAL Configuration

N/A

Relevant Code Snippets

N/A

Reproduction Steps

N/A

Expected Behavior

N/A

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

None (Server)

Regression

No response

Source

Internal (Microsoft)

@ydogandjiev ydogandjiev added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Mar 27, 2022
@ghost ghost assigned jo-arroyo Mar 27, 2022
@ghost ghost added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Mar 27, 2022
@github-actions github-actions bot added the passport-azure-ad Related to the passport-azure-ad library label Mar 27, 2022
@sameerag
Member

@ydogandjiev We are working on a new validation library and hence passport-azure-ad is not being actively updated. However, let me check with @jo-arroyo if this security vulnerability will be fixed. We are close to private preview, and the preference will be on releasing the new library to the public asap. cc @EmLauber

@ghost ghost added answered Question has received "first qualified response" Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Mar 28, 2022
@sameerag
Member

sameerag commented Apr 2, 2022

@pkanher617 Assigning to you as you are working on the passport-azure-ad patching up for a few related issues.

@ghost

ghost commented Apr 7, 2022

@ydogandjiev This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.

@ghost ghost added the no-issue-activity Issue author has not responded in 5 days label Apr 7, 2022
@jasonnutter jasonnutter added bug A problem that needs to be fixed for the feature to function as intended. dependencies Pull requests that update a dependency file labels Apr 8, 2022
@ghost ghost removed bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. answered Question has received "first qualified response" no-issue-activity Issue author has not responded in 5 days Needs: Author Feedback Awaiting response from issue author labels Apr 8, 2022
@erik-neumann

We're running into this as well. Various high severity security issues are reported by our code / dependency analysis. This is also affecting almost all of our products, and authentication isn't one of the topics where I would say security is of minor importance or not critical. Any idea of a timeline, or is there any workaround we can implement until this is fixed?

@jasonnutter
Contributor

jasonnutter commented Apr 12, 2022

I believe this should be addressed if you pick up the latest version of mkdirp, which has been bumped to minimist@1.2.6:

npm ls minimist --prod
passport-azure-ad@4.3.1 microsoft-authentication-library-for-js\maintenance\passport-azure-ad
└─┬ bunyan@1.8.15
  └─┬ mv@2.1.1
    └─┬ mkdirp@0.5.6
      └── minimist@1.2.6

Please regenerate your lock files and confirm, thanks! @ydogandjiev @erik-neumann
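
As an added example (not code from this issue or from the MSAL.js project), the following script does offline what the `npm ls minimist --prod` check above does interactively: it walks a lockfile-v1 style nested `dependencies` tree, lists every resolved copy of a package with its path, and flags copies below the first patched version. The lock fragment is constructed to mirror the chain in this issue, with a stale nested copy under mkdirp and a hoisted, already-patched one.

```javascript
// Added example, not part of the original issue or the MSAL.js project.
// Assumptions: lockfile v1 nesting ("dependencies" objects), numeric
// MAJOR.MINOR.PATCH versions only, and the constructed sample tree below.

function compareSemver(a, b) {
  // Numeric comparison of MAJOR.MINOR.PATCH; returns -1, 0 or 1.
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function findPackageCopies(tree, target, fixedVersion, trail = []) {
  // Recursively collect every copy of `target`, recording the dependency
  // path that pulls it in (same shape as the `npm ls` output above).
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const path = trail.concat(`${name}@${info.version}`);
    if (name === target) {
      hits.push({
        path: path.join(' > '),
        version: info.version,
        vulnerable: compareSemver(info.version, fixedVersion) < 0,
      });
    }
    hits.push(...findPackageCopies(info, target, fixedVersion, path));
  }
  return hits;
}

// Constructed lock fragment: a hoisted patched minimist plus a stale copy
// nested under an older mkdirp, which is what a non-regenerated lock keeps.
const SAMPLE_LOCK = {
  dependencies: {
    minimist: { version: '1.2.6' },
    'passport-azure-ad': { version: '4.3.1', dependencies: {
      bunyan: { version: '1.8.15', dependencies: {
        mv: { version: '2.1.1', dependencies: {
          mkdirp: { version: '0.5.5', dependencies: {
            minimist: { version: '1.2.5' },
          } },
        } },
      } },
    } },
  },
};

const sampleReport = findPackageCopies(SAMPLE_LOCK, 'minimist', '1.2.6');
console.log(sampleReport);
```

Run it against a real lock by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; any entry with `vulnerable: true` is a copy that regenerating the lock should remove.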

@erik-neumann

erik-neumann commented Apr 13, 2022

Thanks @jasonnutter for your response. Actually, we have multiple packages that seem to contain vulnerabilities.

  • qs-6.5.3
  • async-1.5.2
  • minimist-1.2.5
  • moment-2.29.1
  • node-forge-1.2.1

I tried your approach by referencing the affected packages directly. That resolved some of the issues but not all. async and qs are still having issues. qs seems to be referenced by the request package, which is not even maintained anymore.

@jasonnutter
Contributor

@erik-neumann Did removing your node_modules folder and regenerating your lock file address the minimist dependency specifically?

@sameerag sameerag added the tracked-internally Bugs that are tracked by Msft internally label Apr 13, 2022
@sameerag sameerag removed the tracked-internally Bugs that are tracked by Msft internally label Apr 13, 2022
@erik-neumann

@jasonnutter yes, minimist was fine then. Issue remains with async and qs referenced by request.

@jasonnutter
Contributor

@erik-neumann Thanks for confirming. We are aware of the issues with async and request, so I will close this.
