process: replace json-rpc2 with vscode-jsonrpc #113

Closed
ramya-rao-a opened this issue May 28, 2020 · 4 comments
Comments

@ramya-rao-a
Contributor

From microsoft/vscode-go#2861 by @OneOfOne:

┏━ oneofone@voyager ❰~/c/v/vscode-go❱ ❰master|✚2❱
┗━● npm audit

=== npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ json-rpc2                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ json-rpc2 > lodash                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/577                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.11                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ json-rpc2                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ json-rpc2 > lodash                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/782                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ json-rpc2                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ json-rpc2 > lodash                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 vulnerabilities (1 low, 2 high) in 441 scanned packages
3 vulnerabilities require manual review. See the full report for details.
@ramya-rao-a
Contributor Author

We depend on json-rpc2 for the debugging feature that is provided by this extension, which in turn depends on v3 of lodash, resulting in the above warnings.

Unfortunately, json-rpc2 has not had a release in years.

One option would be to fork the package and update the dependency ourselves.

We could try and see if the vscode-jsonrpc can be a good replacement here.

cc @quoctruong

@stamblerre changed the title from "npm audit warnings due to json-rpc2" to "process: npm audit warnings due to json-rpc2" on Jun 3, 2020
@gopherbot
Collaborator

Change https://golang.org/cl/241557 mentions this issue: package.json: update json-rpc2 and lodash for security update

gopherbot pushed a commit that referenced this issue Jul 8, 2020
This was part of https://go-review.googlesource.com/c/vscode-go/+/241041
but we are submitting it as a separate cl.

Fixes security issues reported by npm audit.

 npm install --save json-rpc2
 npm update lodash --depth 3

json-rpc2@2.0.0 was released recently, so instead of switching to
vscode-jsonrpc, we are updating to the newest version.

Also updated the extension version 0.16.0-dev to reflect the current dev cycle.

Updates #113

Change-Id: I6a4aae5293fd505ca1ad9c39e485c3adf41c2dec
Reviewed-on: https://go-review.googlesource.com/c/vscode-go/+/241557
Reviewed-by: Rebecca Stambler <rstambler@golang.org>
@hyangah changed the title from "process: npm audit warnings due to json-rpc2" to "process: replace json-rpc2 with vscode-jsonrpc" on Jul 8, 2020
@hyangah
Contributor

hyangah commented Nov 9, 2020

The vulnerability issue was resolved with the latest json-rpc2 release.

I looked into this issue over the last week and found vscode-jsonrpc is not compatible with Delve's JSON RPC.

Delve's JSON-RPC is not JSON-RPC over HTTP, as clearly stated in https://github.com/go-delve/delve/tree/master/Documentation/api/json-rpc#json-rpc-interface. On the other hand, vscode-jsonrpc assumes an HTTP header is included in each message when operating over a socket or stdin/stdout, as is assumed in all the JSON RPCs VS Code uses (e.g. LSP, DAP). Delve crashes upon receiving the HTTP header info from vscode-jsonrpc.

I couldn't find any other convincing, mature alternative JavaScript library, and a Delve DAP implementation that uses compatible framing (https://github.com/google/go-dap/blob/master/io.go) is around the corner. So I will just close this.

@hyangah hyangah closed this as completed Nov 9, 2020
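The framing mismatch described in the comment above, as an added example that is not part of the issue, of vscode-go, or of either library: vscode-jsonrpc's LSP-style Content-Length header framing beside Delve's bare-JSON framing, each with a small decoder, so that a header-framed message can be seen failing on a bare-JSON reader and vice versa. The request object and its method name are constructed sample values, not taken from Delve's API.

```javascript
// Added example (not vscode-go, vscode-jsonrpc or Delve code): the two
// JSON-RPC framings contrasted in the comment above. vscode-jsonrpc, like LSP
// and DAP, prefixes each message with a Content-Length header block; Delve's
// net/rpc-style JSON-RPC expects bare JSON objects on the stream.

// LSP/DAP-style framing as used by vscode-jsonrpc.
function frameWithHeader(msg) {
  const body = JSON.stringify(msg);
  const len = Buffer.byteLength(body, 'utf8');
  return `Content-Length: ${len}\r\n\r\n${body}`;
}

// Delve-style framing: the JSON object alone, with nothing in front of it.
function frameBare(msg) {
  return JSON.stringify(msg);
}

// Decoder for a Delve-style stream: the message must parse as JSON from the
// first byte. Returns a result object rather than throwing so a caller can see
// how a header-framed message looks to this side (it fails on the 'C').
function decodeBare(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Decoder for a header-framed stream: split the header block from the body,
// check Content-Length against the body, then parse the body as bare JSON.
function decodeHeaderFramed(text) {
  const sep = text.indexOf('\r\n\r\n');
  if (sep === -1) return { ok: false, error: 'missing header block' };
  const header = text.slice(0, sep);
  const m = /^Content-Length:\s*(\d+)\s*$/im.exec(header);
  if (!m) return { ok: false, error: 'missing Content-Length' };
  const body = text.slice(sep + 4);
  if (Buffer.byteLength(body, 'utf8') !== Number(m[1])) {
    return { ok: false, error: 'body length does not match Content-Length' };
  }
  return decodeBare(body);
}

// Constructed sample request; the method name is illustrative, not Delve's API.
const sampleRequest = { method: 'RPCServer.GetVersion', params: [{}], id: 1 };
```

Running `decodeBare(frameWithHeader(sampleRequest))` returns `ok: false`, which is the reader-side view of the crash the comment reports; `decodeHeaderFramed(frameBare(sampleRequest))` fails the other way round with `missing header block`.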
@ramya-rao-a
Contributor Author

Sounds good, did not realize that json-rpc2 had released an update!

@golang golang locked and limited conversation to collaborators Nov 10, 2021