Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: package-lock update #879

Merged
merged 1 commit into from
Sep 12, 2021
Merged

Conversation

breautek
Copy link
Contributor

@breautek breautek commented Sep 11, 2021

Platforms affected

Motivation and Context

Resolves several sub-dependency vulnerabilities

Audit JSON Log
{
  "actions": [
    {
      "isMajor": true,
      "action": "install",
      "resolves": [
        {
          "id": 1677,
          "path": "init-package-json>npm-package-arg>hosted-git-info",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1677,
          "path": "init-package-json>read-package-json>normalize-package-data>hosted-git-info",
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "init-package-json",
      "target": "2.0.5"
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1556,
          "path": "codecov>teeny-request>node-fetch",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "node-fetch",
      "target": "2.6.2",
      "depth": 3
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1654,
          "path": "nyc>yargs>y18n",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "y18n",
      "target": "4.0.3",
      "depth": 3
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1673,
          "path": "cordova-common>@netflix/nerror>lodash",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "cordova-fetch>cordova-common>@netflix/nerror>lodash",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "cordova-android>cordova-common>@netflix/nerror>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "@cordova/eslint-config>eslint>inquirer>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "rewire>eslint>inquirer>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "@cordova/eslint-config>eslint>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "rewire>eslint>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "@cordova/eslint-config>eslint>table>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "rewire>eslint>table>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/generator>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/generator>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/generator>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/generator>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-module-imports>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/helper-member-expression-to-functions>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/helper-optimise-call-expression>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-function-name>@babel/helper-get-function-arity>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-function-name>@babel/helper-get-function-arity>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-function-name>@babel/helper-get-function-arity>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-function-name>@babel/template>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-function-name>@babel/template>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-function-name>@babel/template>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-simple-access>@babel/template>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/template>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/template>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/template>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-function-name>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-function-name>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-function-name>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-split-export-declaration>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-split-export-declaration>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-split-export-declaration>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-split-export-declaration>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-simple-access>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/types>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1673,
          "path": "nyc>istanbul-lib-instrument>@babel/core>lodash",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "lodash",
      "target": "4.17.21",
      "depth": 10
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1674,
          "path": "cordova-common>underscore",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1674,
          "path": "cordova-fetch>cordova-common>underscore",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1674,
          "path": "cordova-android>cordova-common>underscore",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "underscore",
      "target": "1.13.1",
      "depth": 3
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1677,
          "path": "cordova-fetch>npm-package-arg>hosted-git-info",
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "hosted-git-info",
      "target": "3.0.8",
      "depth": 3
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1751,
          "path": "cordova-common>fast-glob>glob-parent",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1751,
          "path": "cordova-fetch>cordova-common>fast-glob>glob-parent",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1751,
          "path": "cordova-android>cordova-common>fast-glob>glob-parent",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1751,
          "path": "globby>fast-glob>glob-parent",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1751,
          "path": "@cordova/eslint-config>eslint>glob-parent",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1751,
          "path": "rewire>eslint>glob-parent",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "glob-parent",
      "target": "5.1.2",
      "depth": 4
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1773,
          "path": "cordova-fetch>resolve>path-parse",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1773,
          "path": "init-package-json>read-package-json>normalize-package-data>resolve>path-parse",
          "dev": false,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1773,
          "path": "@cordova/eslint-config>eslint-plugin-import>read-pkg-up>read-pkg>normalize-package-data>resolve>path-parse",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1773,
          "path": "@cordova/eslint-config>eslint-plugin-import>eslint-import-resolver-node>resolve>path-parse",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1773,
          "path": "@cordova/eslint-config>eslint-plugin-import>resolve>path-parse",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1773,
          "path": "@cordova/eslint-config>eslint-plugin-node>resolve>path-parse",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1773,
          "path": "nyc>istanbul-lib-instrument>@babel/core>resolve>path-parse",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "path-parse",
      "target": "1.0.7",
      "depth": 7
    },
    {
      "action": "review",
      "module": "xmldom",
      "resolves": [
        {
          "id": 1650,
          "path": "cordova-common>plist>xmldom",
          "dev": false,
          "bundled": false,
          "optional": false
        },
        {
          "id": 1650,
          "path": "cordova-fetch>cordova-common>plist>xmldom",
          "dev": false,
          "bundled": false,
          "optional": false
        },
        {
          "id": 1650,
          "path": "cordova-android>cordova-common>plist>xmldom",
          "dev": false,
          "bundled": false,
          "optional": false
        },
        {
          "id": 1769,
          "path": "cordova-common>plist>xmldom",
          "dev": false,
          "bundled": false,
          "optional": false
        },
        {
          "id": 1769,
          "path": "cordova-fetch>cordova-common>plist>xmldom",
          "dev": false,
          "bundled": false,
          "optional": false
        },
        {
          "id": 1769,
          "path": "cordova-android>cordova-common>plist>xmldom",
          "dev": false,
          "bundled": false,
          "optional": false
        }
      ]
    },
    {
      "action": "review",
      "module": "hosted-git-info",
      "resolves": [
        {
          "id": 1677,
          "path": "@cordova/eslint-config>eslint-plugin-import>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ]
    }
  ],
  "advisories": {
    "1556": {
      "findings": [
        {
          "version": "2.6.0",
          "paths": [
            "codecov>teeny-request>node-fetch"
          ]
        }
      ],
      "id": 1556,
      "created": "2020-09-10T17:55:53.926Z",
      "updated": "2020-09-10T17:55:53.926Z",
      "deleted": null,
      "title": "Denial of Service",
      "found_by": {
        "link": "",
        "name": "Unknown",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Unknown",
        "email": ""
      },
      "module_name": "node-fetch",
      "cves": [
        "CVE-2020-15168"
      ],
      "vulnerable_versions": "< 2.6.1 || >= 3.0.0-beta.1 < 3.0.0-beta.9",
      "patched_versions": ">=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9",
      "overview": "Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.\n\nFor most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.",
      "recommendation": "Upgrade to version 2.6.1 or 3.0.0-beta.9",
      "references": "- https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r",
      "access": "public",
      "severity": "low",
      "cwe": "CWE-400",
      "metadata": {
        "module_type": "",
        "exploitability": 3,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1556"
    },
    "1650": {
      "findings": [
        {
          "version": "0.1.31",
          "paths": [
            "cordova-common>plist>xmldom",
            "cordova-fetch>cordova-common>plist>xmldom",
            "cordova-android>cordova-common>plist>xmldom"
          ]
        }
      ],
      "id": 1650,
      "created": "2021-03-12T22:42:38.486Z",
      "updated": "2021-03-12T22:42:38.486Z",
      "deleted": null,
      "title": "Misinterpretation of malicious XML input",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "xmldom",
      "cves": [
        "CVE-2021-21366"
      ],
      "vulnerable_versions": "<0.5.0",
      "patched_versions": ">=0.5.0",
      "overview": "### Impact\n\n`xmldom` versions 0.4.0 and older do not correctly preserve [system identifiers](https://www.w3.org/TR/2008/REC-xml-20081126/#d0e4313), [FPIs](https://en.wikipedia.org/wiki/Formal_Public_Identifier) or [namespaces](https://www.w3.org/TR/xml-names11/) when repeatedly parsing and serializing maliciously crafted documents.\n\nThis may lead to unexpected syntactic changes during XML processing in some downstream applications.\n\n### Workarounds\n\nDownstream applications can validate the input and reject the maliciously crafted documents.",
      "recommendation": "Update to 0.5.0 or later",
      "references": "- [GitHub Security Advisory](https://github.com/advisories/GHSA-h6q6-9hqw-rwfv)\n- [CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21366)\n- [Similar advisory for Go standard library](https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/)",
      "access": "public",
      "severity": "low",
      "cwe": "CWE-115",
      "metadata": {
        "module_type": "",
        "exploitability": 3,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1650"
    },
    "1654": {
      "findings": [
        {
          "version": "4.0.0",
          "paths": [
            "nyc>yargs>y18n"
          ]
        }
      ],
      "id": 1654,
      "created": "2021-03-12T23:16:43.813Z",
      "updated": "2021-03-29T16:07:59.314Z",
      "deleted": null,
      "title": "Prototype Pollution",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "y18n",
      "cves": [
        "CVE-2020-7774"
      ],
      "vulnerable_versions": "<3.2.2||=4.0.0||>=5.0.0 <5.0.5",
      "patched_versions": ">=5.0.5||>=4.0.1 <5.0.0||>=3.2.2 <4.0.0",
      "overview": "`y18n` before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to prototype pollution.\n\n## POC\n\n```\nconst y18n = require('y18n')();\n \ny18n.setLocale('__proto__');\ny18n.updateLocale({polluted: true});\n\nconsole.log(polluted); // true\n```",
      "recommendation": "Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-7774)\n- [Snyk Advisory](https://snyk.io/vuln/SNYK-JS-Y18N-1021887)",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-1321",
      "metadata": {
        "module_type": "",
        "exploitability": 7,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1654"
    },
    "1673": {
      "findings": [
        {
          "version": "4.17.19",
          "paths": [
            "cordova-common>@netflix/nerror>lodash",
            "cordova-fetch>cordova-common>@netflix/nerror>lodash",
            "cordova-android>cordova-common>@netflix/nerror>lodash",
            "@cordova/eslint-config>eslint>inquirer>lodash",
            "rewire>eslint>inquirer>lodash",
            "@cordova/eslint-config>eslint>lodash",
            "rewire>eslint>lodash",
            "@cordova/eslint-config>eslint>table>lodash",
            "rewire>eslint>table>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/generator>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/generator>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/generator>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/generator>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-module-imports>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/helper-member-expression-to-functions>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/helper-optimise-call-expression>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-function-name>@babel/helper-get-function-arity>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-function-name>@babel/helper-get-function-arity>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-function-name>@babel/helper-get-function-arity>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-function-name>@babel/template>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-function-name>@babel/template>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-function-name>@babel/template>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-simple-access>@babel/template>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/template>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/template>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/template>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-function-name>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-function-name>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-function-name>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/helper-split-export-declaration>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/helper-split-export-declaration>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/helper-split-export-declaration>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-split-export-declaration>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-simple-access>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/types>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/helper-replace-supers>@babel/traverse>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helpers>@babel/traverse>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/traverse>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>lodash",
            "nyc>istanbul-lib-instrument>@babel/core>lodash"
          ]
        }
      ],
      "id": 1673,
      "created": "2021-05-06T16:14:39.514Z",
      "updated": "2021-05-06T16:24:12.299Z",
      "deleted": null,
      "title": "Command Injection",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "lodash",
      "cves": [
        "CVE-2021-23337"
      ],
      "vulnerable_versions": "<4.17.21",
      "patched_versions": ">=4.17.21",
      "overview": "`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
      "recommendation": "Upgrade to version 4.17.21 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23337)\n- [GitHub Advisory](https://github.com/advisories/GHSA-35jh-r3h4-6jhm)\n- [Snyk Advisory](https://snyk.io/vuln/SNYK-JS-LODASH-1040724)",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-77",
      "metadata": {
        "module_type": "",
        "exploitability": 7,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1673"
    },
    "1674": {
      "findings": [
        {
          "version": "1.10.2",
          "paths": [
            "cordova-common>underscore",
            "cordova-fetch>cordova-common>underscore",
            "cordova-android>cordova-common>underscore"
          ]
        }
      ],
      "id": 1674,
      "created": "2021-05-06T16:14:45.792Z",
      "updated": "2021-05-06T16:26:42.768Z",
      "deleted": null,
      "title": "Arbitrary Code Execution",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "underscore",
      "cves": [
        "CVE-2021-23358"
      ],
      "vulnerable_versions": ">=1.3.2 <1.12.1",
      "patched_versions": ">=1.12.1",
      "overview": "The package `underscore` from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.",
      "recommendation": "Upgrade to versions 1.12.1 or 1.13.0-2 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23358)\n- [GitHub Advisory](https://github.com/advisories/GHSA-cf4h-3jhx-xvhq)\n",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-94",
      "metadata": {
        "module_type": "",
        "exploitability": 7,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1674"
    },
    "1677": {
      "findings": [
        {
          "version": "3.0.5",
          "paths": [
            "cordova-fetch>npm-package-arg>hosted-git-info"
          ]
        },
        {
          "version": "2.8.8",
          "paths": [
            "init-package-json>npm-package-arg>hosted-git-info"
          ]
        },
        {
          "version": "2.8.8",
          "paths": [
            "init-package-json>read-package-json>normalize-package-data>hosted-git-info",
            "@cordova/eslint-config>eslint-plugin-import>read-pkg-up>read-pkg>normalize-package-data>hosted-git-info"
          ]
        }
      ],
      "id": 1677,
      "created": "2021-05-06T16:15:08.412Z",
      "updated": "2021-05-07T17:41:14.327Z",
      "deleted": null,
      "title": "Regular Expression Denial of Service",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "hosted-git-info",
      "cves": [
        "CVE-2021-23362"
      ],
      "vulnerable_versions": "<2.8.9 || >=3.0.0 <3.0.8",
      "patched_versions": ">=2.8.9 <3.0.0 || >=3.0.8",
      "overview": "`hosted-git-info` before versions 2.8.9 and 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity",
      "recommendation": "Upgrade to version 3.0.8 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23362)\n- [GitHub Advisory](https://github.com/advisories/GHSA-43f8-2h32-f4cj)\n",
      "access": "public",
      "severity": "moderate",
      "cwe": "CWE-400",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1677"
    },
    "1751": {
      "findings": [
        {
          "version": "5.1.1",
          "paths": [
            "cordova-common>fast-glob>glob-parent",
            "cordova-fetch>cordova-common>fast-glob>glob-parent",
            "cordova-android>cordova-common>fast-glob>glob-parent",
            "globby>fast-glob>glob-parent",
            "@cordova/eslint-config>eslint>glob-parent",
            "rewire>eslint>glob-parent"
          ]
        }
      ],
      "id": 1751,
      "created": "2021-06-07T21:57:10.135Z",
      "updated": "2021-06-07T21:58:07.745Z",
      "deleted": null,
      "title": "Regular expression denial of service",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "glob-parent",
      "cves": [
        "CVE-2020-28469"
      ],
      "vulnerable_versions": "<5.1.2",
      "patched_versions": ">=5.1.2",
      "overview": "`glob-parent` before 5.1.2 has a regular expression denial of service vulnerability. The enclosure regex used to check for strings ending in enclosure containing path separator.",
      "recommendation": "Upgrade to version 5.1.2 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-28469)\n- [GitHub Advisory](https://github.com/advisories/GHSA-ww39-953v-wcq6)\n",
      "access": "public",
      "severity": "moderate",
      "cwe": "CWE-400",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1751"
    },
    "1769": {
      "findings": [
        {
          "version": "0.1.31",
          "paths": [
            "cordova-common>plist>xmldom",
            "cordova-fetch>cordova-common>plist>xmldom",
            "cordova-android>cordova-common>plist>xmldom"
          ]
        }
      ],
      "id": 1769,
      "created": "2021-08-03T16:57:27.020Z",
      "updated": "2021-08-03T16:57:57.748Z",
      "deleted": null,
      "title": "Misinterpretation of malicious XML input",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "xmldom",
      "cves": [
        "CVE-2021-32796"
      ],
      "vulnerable_versions": "<0.7.0",
      "patched_versions": ">=0.7.0",
      "overview": "### Impact\nxmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications.\n\n### Patches\nUpdate to 0.7.0\n(see issue #271 for the status of publishing the version to npm or join for Q&A/discussion #270 until it's resolved)\n\n### Workarounds\n\nDownstream applications can validate the input and reject the maliciously crafted documents.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [`xmldom/xmldom`](https://github.com/xmldom/xmldom)\n* Email us: send an email to **all** addresses that are shown by `npm owner ls xmldom`\n",
      "recommendation": "Upgrade to version 0.7.0 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-32796)\n- [GitHub Advisory](https://github.com/advisories/GHSA-5fg8-2547-mr8q)\n",
      "access": "public",
      "severity": "moderate",
      "cwe": "CWE-116",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1769"
    },
    "1773": {
      "findings": [
        {
          "version": "1.0.6",
          "paths": [
            "cordova-fetch>resolve>path-parse",
            "init-package-json>read-package-json>normalize-package-data>resolve>path-parse",
            "@cordova/eslint-config>eslint-plugin-import>read-pkg-up>read-pkg>normalize-package-data>resolve>path-parse",
            "@cordova/eslint-config>eslint-plugin-import>eslint-import-resolver-node>resolve>path-parse",
            "@cordova/eslint-config>eslint-plugin-import>resolve>path-parse",
            "@cordova/eslint-config>eslint-plugin-node>resolve>path-parse",
            "nyc>istanbul-lib-instrument>@babel/core>resolve>path-parse"
          ]
        }
      ],
      "id": 1773,
      "created": "2021-08-10T15:59:47.884Z",
      "updated": "2021-08-10T16:00:43.559Z",
      "deleted": null,
      "title": "Regular Expression Denial of Service in path-parse",
      "found_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Anonymous",
        "email": ""
      },
      "module_name": "path-parse",
      "cves": [
        "CVE-2021-23343"
      ],
      "vulnerable_versions": "<1.0.7",
      "patched_versions": ">=1.0.7",
      "overview": "Affected versions of `path-parse` are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.",
      "recommendation": "Upgrade to version 1.0.7 or later",
      "references": "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-23343)\n- [GitHub Advisory](https://github.com/advisories/GHSA-hj48-42vr-x3v9)\n",
      "access": "public",
      "severity": "moderate",
      "cwe": "CWE-400",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1773"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 4,
      "moderate": 20,
      "high": 50,
      "critical": 0
    },
    "dependencies": 196,
    "devDependencies": 310,
    "optionalDependencies": 0,
    "totalDependencies": 506
  },
  "runId": "24f0391a-5957-4d0e-b2b1-e4fde692a0df"
}

Description

Testing

Checklist

  • I've run the tests to see all new and existing tests pass
  • I added automated test coverage as appropriate for this change
  • Commit is prefixed with (platform) if this change only applies to one platform (e.g. (android))
  • If this Pull Request resolves an issue, I linked to the issue in the text above (and used the correct keyword to close issues using keywords)
  • I've updated the documentation if necessary

@codecov-commenter
Copy link

codecov-commenter commented Sep 11, 2021

Codecov Report

Merging #879 (96309ed) into master (dd872f0) will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #879   +/-   ##
=======================================
  Coverage   91.13%   91.13%           
=======================================
  Files          45       45           
  Lines        2053     2053           
=======================================
  Hits         1871     1871           
  Misses        182      182           

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update dd872f0...96309ed. Read the comment docs.

Copy link
Member

@NiklasMerz NiklasMerz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Audit issues are really annoying. Tests pass and 0 audit issues in lib now.

Thanks 👍

Edit: This test was flawed as I thought my NPM credentials changed

Copy link
Member

@NiklasMerz NiklasMerz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just checked package.json again and found out all URLs point to a totalpave registry: https://registry.totalpave.com

@breautek Please rebuild package-lock.json again with the NPM registry setup.

Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.

@dpogue
Copy link
Member

dpogue commented Sep 11, 2021

Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.

Will the older npm versions on older node versions on GHA properly handle the updated lockfile format?

@breautek
Copy link
Contributor Author

I just checked package.json again and found out all URLs point to a totalpave registry: https://registry.totalpave.com

@breautek Please rebuild package-lock.json again with the NPM registry setup.

Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.

Argh! Oops!

That's work stuff bleeding in... ill fix it when i get home

@breautek
Copy link
Contributor Author

Do we want to upgrade to the new lockfile version as well? My NPM started to print these warnings but I don't know the changes and consequences yet.

Will the older npm versions on older node versions on GHA properly handle the updated lockfile format?

Npm will still work with a message that "it will try its best".

But not really sure what that means exactly.

@breautek
Copy link
Contributor Author

@NiklasMerz do you think there would be pushback if we start adding .npmrc configs to our cordova repos to re-assert npm registry is npms official registry?

Would avoid mistakes like this in the future by having a project level npm config.

@breautek
Copy link
Contributor Author

Set my registry back to registry.npmjs.org and regenerated the package-lock. This PR is rebased for the correction.

@breautek breautek merged commit fd98199 into apache:master Sep 12, 2021
@breautek breautek deleted the pkg-lock-update branch September 12, 2021 09:59
@purplecabbage
Copy link
Contributor

Mostly we should not be committing package-lock, except for the cli itself ... am I missing something?

@breautek
Copy link
Contributor Author

breautek commented Sep 12, 2021

Package-lock is intended to be committed, as it ensures that two developers on two different machines will install the exact same dependencies when they run npm install.

Not to be confused when users are using this package as a library, in which case their root package-lock is used.

From NPM: https://docs.npmjs.com/cli/v7/configuring-npm/package-lock-json

This file is intended to be committed into source repositories, and serves various purposes:

Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.

Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.

Facilitate greater visibility of tree changes through readable source control diffs.

Optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.

As of npm v7, lockfiles include enough information to gain a complete picture of the package tree, reducing the need to read package.json files, and allowing for significant performance improvements.

@purplecabbage
Copy link
Contributor

This sums up what I think ...
Apps yes, libs no

sindresorhus/ama#479 (comment)

@breautek
Copy link
Contributor Author

There was a consensus back in 2018 via apache/cordova#4 (comment) to add package-locks, which is why variety of our packages have package-locks.

If you ask my personal opinion on package-locks, I hate them, mostly for the reasons described by sindresorhus.

However, not committing them still presents the same issues described by sindresorhus, unless we (the maintainers) are constantly wiping the package-lock & node_modules and reinstalling from scratch. We could configure NPM via .npmrc to disable package locks so they won't be generated in the first place but this also have a few consequences:

  1. node_modules are not automatically pruned if package-locks are disabled. They can be manually pruned via npm prune.
  2. NPM installs will be slower (however not sure how significant since most cordova repos are fairly small anyway)
  3. npm ci command requires package-lock or shrinkwrap, so CI workflows may have to be updated accordingly to use npm install instead.
  4. npm audit I believe also requires package-lock or shrinkwrap

Despite it's flaws I think the benefits of package-lock still outweighs the consequences of not committing/disabling package-lock.

@purplecabbage
Copy link
Contributor

Okay, yeah that makes sense.
Let's commit 'em

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants