
Critical security vulnerabilities in workspace-tools package #581

Closed
jattasNI opened this issue May 26, 2022 · 1 comment · Fixed by #589

🐛 Bug Report

Pipeline runs have started failing on the npm audit steps with this error message:

workspace-tools  <0.18.4
Severity: critical
Command injection in workspace-tools - https://github.com/advisories/GHSA-5875-m6jq-vf78
fix available via `npm audit fix --force`
Will install beachball@1.48.1, which is a breaking change
node_modules/workspace-tools
  beachball  >=1.48.2
  Depends on vulnerable versions of workspace-tools
  node_modules/beachball

2 critical severity vulnerabilities

💻 Repro or Code Sample

https://github.com/ni/nimble/runs/6613829889?check_suite_focus=true

🤔 Expected Behavior

Pipeline succeeds

😯 Current Behavior

Pipeline fails

💁 Possible Solution

Temporarily disable audit. Once a fix is available, upgrade and re-enable audit.

🔦 Context

The vulnerability has been fixed in workspace-tools:
microsoft/workspace-tools#102

But not yet uptaken by beachball:
microsoft/beachball#663
microsoft/beachball#665

@jattasNI jattasNI added bug Something isn't working triage New issue that needs to be reviewed labels May 26, 2022
jattasNI added a commit that referenced this issue May 26, 2022
# Pull Request

## 🤨 Rationale

Workaround for #581 to get the pipeline unblocked while we wait for beachball to publish a fix (or try out updating the transitive dependency on `workspace-tools` ourselves within this repo).

## 👩‍💻 Implementation

Comment out the steps which run `npm audit` in `main.yml`.

I thought we could get away with only disabling the non-production configuration of `npm audit`. But `beachball` (and by extension `workspace-tools`) is listed in `peerDependencies` of our `beachball-lock-update` package and it seems that `audit` includes those when running `--only=prod`.

## 🧪 Testing

Relying on pipeline.

## ✅ Checklist

- [x] I have updated the project documentation to reflect my changes or determined no changes are needed.
@m-akinc m-akinc added blocked Blocked on a third-party issue and removed triage New issue that needs to be reviewed labels Jun 1, 2022

jattasNI commented Jun 6, 2022

Beachball just published a new version that uptakes the latest workspace-tools so this is no longer blocked.
microsoft/beachball#666

@jattasNI jattasNI removed the blocked Blocked on a third-party issue label Jun 6, 2022
@jattasNI jattasNI self-assigned this Jun 6, 2022
jattasNI added a commit that referenced this issue Jun 6, 2022
#589)

# Pull Request

## 🤨 Rationale

Fixes #581. We had disabled `npm audit` in our pipelines because of the vulnerability, but beachball published a fix this weekend: microsoft/beachball#666. 

## 👩‍💻 Implementation

1. Install latest version of beachball
2. Re-enable `npm audit` commands in `main.yml`. This revealed new vulnerabilities in several `devDependencies`: `ejs`, `event-source`, and `json-schema`.
3. Run `npm update` for each of the above dependencies and also `jsprim`, which was needed to get the fixed `json-schema` (`jsprim` pins its deps to exact versions)

I looked into [npm overrides](https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides), which are intended for this purpose, but they're not ready for prime time ([poorly documented workspace support](npm/cli#4517) and bizarrely [not usable with an existing package-lock.json](npm/cli#4232) with our current npm version).

## 🧪 Testing

Relying on pipeline.

## ✅ Checklist

- [x] I have updated the project documentation to reflect my changes or determined no changes are needed.
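As an added defender-side check (not code from this issue or from the nimble project), the script below scans a `package-lock.json` for installed copies of `workspace-tools` older than the fixed version `0.18.4` named in the audit output, and lists which packages declare it, including through `peerDependencies`, which the first PR found `npm audit` also counts. The lockfile content is a constructed sample.

```python
import json
import re

# From the npm audit output in the issue: workspace-tools <0.18.4 is affected.
ADVISORY_PACKAGE = "workspace-tools"
ADVISORY_FIXED_IN = "0.18.4"

# Constructed lockfile fragment (lockfileVersion 2 layout), not nimble's real one.
SAMPLE_LOCK = json.dumps({
    "name": "example",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example", "devDependencies": {"beachball": "^1.48.1"}},
        "node_modules/beachball": {"version": "1.48.1",
                                   "dependencies": {"workspace-tools": "^0.18.3"}},
        "node_modules/workspace-tools": {"version": "0.18.3"},       # hoisted, vulnerable
        "node_modules/some-tool": {"version": "2.0.0",
                                   "peerDependencies": {"workspace-tools": ">=0.18.0"}},
        "node_modules/other": {"version": "1.0.0",
                               "dependencies": {"workspace-tools": "0.18.4"}},
        "node_modules/other/node_modules/workspace-tools": {"version": "0.18.4"},  # nested, fixed
    },
})

DEP_KEYS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

def parse_semver(version):
    """Return (major, minor, patch); a pre-release suffix like '-beta.1' is ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())

def audit_lockfile(lock_text, name=ADVISORY_PACKAGE, fixed_in=ADVISORY_FIXED_IN):
    """Return one {"path", "version", "dependents"} dict per installed copy of `name`
    (hoisted or nested) older than `fixed_in`. `dependents` is every package in the
    lockfile that declares `name` under any dependency key, peerDependencies included."""
    packages = json.loads(lock_text).get("packages", {})
    fixed = parse_semver(fixed_in)
    dependents = sorted(path or "(root)" for path, meta in packages.items()
                        if any(name in meta.get(k, {}) for k in DEP_KEYS))
    findings = []
    for path, meta in packages.items():
        if path == f"node_modules/{name}" or path.endswith(f"/node_modules/{name}"):
            if parse_semver(meta["version"]) < fixed:
                findings.append({"path": path, "version": meta["version"],
                                 "dependents": dependents})
    return findings

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"{f['path']} {f['version']} < {ADVISORY_FIXED_IN}; declared by: "
              + ", ".join(f["dependents"]))
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with the file's contents; an empty result means every installed copy is at or above the fixed version.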