build: use dot-prop-legacy patch to resolve CVE-2020-8116

[cmdcarini]

Me again! This updates the version of configstore and dot-prop to resolve the vulnerability present in the existing version's dot-prop dependency. This resolves #1584. This utilizes the changes that @ruyadorno created based on this fork and an update to configstore which also includes this patch. This time while retaining Node v6 compatibility.

References

Closes #1584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

[cmdcarini]

Waiting for downstream dependency dot-prop-legacy to be swapped for the official dot-prop

[cmdcarini]

@ruyadorno looks like just yeoman/update-notifier#187 needs to happen and then npm/cli should be able to be updated to leverage the new dot-prop@legacy

[ruyadorno]

Thanks @cmdcarini! ❤️

Usually updating deps is a part of our regular Release process so I'm sorry I didn't picked up your contribution 😅 normally I try to at least give credit for folks who poke us about updating a dep but in this case the fact that the PR was still in Draft mode made it slip out of my radar.

That said, the update went out yesterday and the dot-prop vulnerability should no longer be a problem in v6.14.8.

Thanks again!

[mtrepanier]

@ruyadorno sorry but in 6.14.8 the faulty dot-prop version is still in that version

https://github.com/npm/cli/blob/v6.14.8/package-lock.json#L1175

[ruyadorno]

@mtrepanier good catch, turns out the v6.14.8 tag wasn't properly published to our upstream repo and thus showing wrong info.

Just fixed that! Thanks for the heads up! 😄

[kamal94]

I still don't see an official release with this fix. Has this code been merged anywhere? On master there are still multiple references to the vulnerable dot-prop package version.

[ruyadorno]

@kamal94 in the latest v6.14.8 we updated it to dot-prop@4.2.1 which contains the fix.

The link you posted to the package-lock.json is also showing up that it's using this fixed 4.2.1 version.

[kamal94]

Thank you for clarifying :) For whatever reason, I had assumed that we needed to upgrade the minor/major version and didn't notice they had backported the fix with a patch release.

Update for clarity:
Looks like we had issues with our installation in the docker image. As of right now, installing npm via apt on ubuntu doesn't download the latest release of npm which includes the fix. So we had to upgrade npm after installing it.

The git diff we needed:

 RUN curl -sL https://deb.nodesource.com/setup_10.x | bash - \
  && apt update \
  && apt install -y nodejs \
+ && npm -g upgrade npm \
  && rm -rf /var/lib/apt/lists \
  && node -v && npm -v

Before using npm -g upgrade npm:

npm --version
6.14.6

After using npm -g upgrade npm:

npm --version
6.14.8