[Bug 41587] New: node audit identified several vulnerable node dependencies
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Bug ID: 41587 Summary: node audit identified several vulnerable node dependencies Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: paul.derscheid@lmscloud.de QA Contact: testopia@bugs.koha-community.org Created attachment 191211 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=191211&action=edit Dependency report from Jenkins Koha_Main_node_audit run #121 identified several vulnerable node dependencies. Not sure yet whether it makes more sense to attach the generated artifact or copy paste it into the summary, attached it this time. Let me know what you think. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Paul Derscheid <paul.derscheid@lmscloud.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 --- Comment #1 from Paul Derscheid <paul.derscheid@lmscloud.de> --- Created attachment 191212 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=191212&action=edit Bug 41587: Fix critical and high severity node dependency vulnerabilities - Upgrade gulp-exec to ^5.0.0 (fixes lodash.template HIGH) - Add resolution for form-data ^2.5.4 (CRITICAL) - Add resolution for braces ^3.0.3 (HIGH) - Add resolution for qs ^6.14.1 (HIGH) Test plan: - yarn audit --level high should show 0 vulnerabilities - yarn build && yarn build:prod should complete without errors - yarn cypress run should return without (or currently expected) errors @RM: You will need to push yarn.lock as well -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 --- Comment #2 from Paul Derscheid <paul.derscheid@lmscloud.de> --- Created attachment 191213 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=191213&action=edit Bug 41587: Fix moderate severity node dependency vulnerabilities - Add resolution for micromatch ^4.0.8 - Add resolution for @cypress/request ^3.0.0 - Add resolution for js-yaml ^4.1.1 Test plan: - yarn audit --level moderate should show reduced vulnerability count - yarn build && yarn build:prod should complete without errors - yarn cypress run should complete without (or currently expected) errors @RM: You will need to push yarn.lock as well -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Paul Derscheid <paul.derscheid@lmscloud.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #191213|0 |1 is obsolete| | --- Comment #4 from Paul Derscheid <paul.derscheid@lmscloud.de> --- Created attachment 191215 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=191215&action=edit Bug 41587: Fix moderate severity node dependency vulnerabilities - Add resolution for micromatch ^4.0.8 - Add resolution for @cypress/request ^3.0.0 - Add resolution for js-yaml ^4.1.1 Test plan: - yarn audit --level moderate should show reduced vulnerability count - yarn build && yarn build:prod should complete without errors - yarn cypress run should complete without (or currently expected) errors @RM: You will need to push yarn.lock as well -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #191212|0 |1 is obsolete| | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #191215|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 --- Comment #5 from David Nind <david@davidnind.com> --- Created attachment 191227 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=191227&action=edit Bug 41587: Fix critical and high severity node dependency vulnerabilities - Upgrade gulp-exec to ^5.0.0 (fixes lodash.template HIGH) - Add resolution for form-data ^2.5.4 (CRITICAL) - Add resolution for braces ^3.0.3 (HIGH) - Add resolution for qs ^6.14.1 (HIGH) Test plan: - yarn audit --level high should show 0 vulnerabilities - yarn build && yarn build:prod should complete without errors - yarn cypress run should return without (or currently expected) errors @RM: You will need to push yarn.lock as well Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 --- Comment #6 from David Nind <david@davidnind.com> --- Created attachment 191228 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=191228&action=edit Bug 41587: Fix moderate severity node dependency vulnerabilities - Add resolution for micromatch ^4.0.8 - Add resolution for @cypress/request ^3.0.0 - Add resolution for js-yaml ^4.1.1 Test plan: - yarn audit --level moderate should show reduced vulnerability count - yarn build && yarn build:prod should complete without errors - yarn cypress run should complete without (or currently expected) errors @RM: You will need to push yarn.lock as well Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david@davidnind.com --- Comment #7 from David Nind <david@davidnind.com> --- Testing notes (using KTD): Before ====== yarn audit --level high ~~~~~~~~~~~~~~~~~~~~~~~ ... 31 vulnerabilities found - Packages audited: 1770 Severity: 15 Moderate | 15 High | 1 Critical Done in 1.84s. yarn cypress run ~~~~~~~~~~~~~~~~ Failed tests: ✖ KohaTable/PendingHolds_spec.ts ✖ Tools/ManageMarcImport_spec.ts ✖ t/api-client.ts ✖ t/insertData.ts After ===== yarn audit --level high ~~~~~~~~~~~~~~~~~~~~~~~ yarn audit v1.22.22 10 vulnerabilities found - Packages audited: 1654 Severity: 2 Low | 8 Moderate Done in 3.62s yarn cypress run ~~~~~~~~~~~~~~~~ Failed tests: ✖ KohaTable/PendingHolds_spec.ts ✖ t/api-client.ts ✖ t/insertData.ts ✖ 3 of 42 failed (7%) -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Paul Derscheid <paul.derscheid@lmscloud.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 --- Comment #9 from Paul Derscheid <paul.derscheid@lmscloud.de> --- Created attachment 194284 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=194284&action=edit Bug 41587: (follow-up) Fix newly reported dependency vulnerabilities - Bump minimatch dependency and resolution from ^3.0.2 to ^3.1.4 (HIGH) - Bump lodash dependency and resolution from ^4.17.12 to ^4.17.23 (MODERATE) - Add resolution for fast-xml-parser ^4.5.4 (CRITICAL) - Add resolution for undici ^6.23.0 (MODERATE) - Add resolution for serialize-javascript ^7.0.3 (HIGH) Test plan: - yarn audit --level high should show 0 vulnerabilities - yarn build && yarn build:prod should complete without errors - yarn cypress run should complete without (or currently expected) errors @RM: You will need to push yarn.lock as well -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 --- Comment #10 from Paul Derscheid <paul.derscheid@lmscloud.de> --- Hi Kyle, if I interpret that correctly the issues you posted were new ones that occurred after I attached the first patches. Just attached a follow-up that should take care of the critical and high entries and some of the moderate ones. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Kyle M Hall (khall) <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Kyle M Hall (khall) <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #191227|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Kyle M Hall (khall) <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #191228|0 |1 is obsolete| | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Kyle M Hall (khall) <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #194284|0 |1 is obsolete| | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 --- Comment #11 from Kyle M Hall (khall) <kyle@bywatersolutions.com> --- Created attachment 194335 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=194335&action=edit Bug 41587: Fix critical and high severity node dependency vulnerabilities - Upgrade gulp-exec to ^5.0.0 (fixes lodash.template HIGH) - Add resolution for form-data ^2.5.4 (CRITICAL) - Add resolution for braces ^3.0.3 (HIGH) - Add resolution for qs ^6.14.1 (HIGH) Test plan: - yarn audit --level high should show 0 vulnerabilities - yarn build && yarn build:prod should complete without errors - yarn cypress run should return without (or currently expected) errors @RM: You will need to push yarn.lock as well Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 --- Comment #12 from Kyle M Hall (khall) <kyle@bywatersolutions.com> --- Created attachment 194336 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=194336&action=edit Bug 41587: Fix moderate severity node dependency vulnerabilities - Add resolution for micromatch ^4.0.8 - Add resolution for @cypress/request ^3.0.0 - Add resolution for js-yaml ^4.1.1 Test plan: - yarn audit --level moderate should show reduced vulnerability count - yarn build && yarn build:prod should complete without errors - yarn cypress run should complete without (or currently expected) errors @RM: You will need to push yarn.lock as well Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 --- Comment #13 from Kyle M Hall (khall) <kyle@bywatersolutions.com> --- Created attachment 194337 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=194337&action=edit Bug 41587: (follow-up) Fix newly reported dependency vulnerabilities - Bump minimatch dependency and resolution from ^3.0.2 to ^3.1.4 (HIGH) - Bump lodash dependency and resolution from ^4.17.12 to ^4.17.23 (MODERATE) - Add resolution for fast-xml-parser ^4.5.4 (CRITICAL) - Add resolution for undici ^6.23.0 (MODERATE) - Add resolution for serialize-javascript ^7.0.3 (HIGH) Test plan: - yarn audit --level high should show 0 vulnerabilities - yarn build && yarn build:prod should complete without errors - yarn cypress run should complete without (or currently expected) errors @RM: You will need to push yarn.lock as well Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Kyle M Hall (khall) <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Paul Derscheid <paul.derscheid@lmscloud.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |paul.derscheid@lmscloud.de |ity.org | -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Paul Derscheid <paul.derscheid@lmscloud.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the| |Fix node dependency release notes| |security vulnerabilities by | |upgrading packages and | |adding yarn resolutions. | |The following packages were | |updated: | | | |Direct dependency upgrades: | |- gulp-exec from ^4.0.0 to | |^5.0.0 (fixes | |lodash.template HIGH | |vulnerability) | |- lodash from ^4.17.12 to | |^4.17.23 (MODERATE) | |- minimatch from ^3.0.2 to | |^3.1.4 (HIGH) | | | |Yarn resolutions added to | |pin secure versions of | |transitive dependencies: | |- form-data ^2.5.4 | |(CRITICAL) | |- fast-xml-parser ^4.5.4 | |(CRITICAL) | |- braces ^3.0.3 (HIGH) | |- qs ^6.14.1 (HIGH) | |- serialize-javascript | |^7.0.3 (HIGH) | |- micromatch ^4.0.8 | |(MODERATE) | |- @cypress/request ^3.0.0 | |(MODERATE) | |- js-yaml ^4.1.1 (MODERATE) | |- undici ^6.23.0 (MODERATE) | | | |This brings in upstream | |security fixes for | |critical, high, and | |moderate severity | |vulnerabilities reported by | |yarn audit. No functional | |changes are expected in | |Koha beyond those provided | |by the updated | |dependencies. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@openfifth.c | |o.uk QA Contact|testopia@bugs.koha-communit |kyle@bywatersolutions.com |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@gmail.com --- Comment #14 from Jonathan Druart <jonathan.druart@gmail.com> --- 1 sudo rm -rf /kohadevbox/koha/node_modules /kohadevbox/node_modules/ 2 sudo yarn install --modules-folder /kohadevbox/node_modules 3 prove xt/verify-yarnlock.t xt/verify-yarnlock.t .. warning lru.min@1.1.3: The engine "bun" appears to be invalid. warning lru.min@1.1.3: The engine "deno" appears to be invalid. error Lockfile does not contain pattern: "js-yaml@^3.13.1" error Found 1 errors. xt/verify-yarnlock.t .. 1/2 # Failed test 'verify yarn.lock file is updated correctly' # at xt/verify-yarnlock.t line 46. # got: '256' # expected: '0' # Looks like you failed 1 test of 2. Is this because of the 2 occurrences? % grep js-yaml package.json "js-yaml": "^3.13.1", "js-yaml": "^4.1.1", -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 --- Comment #15 from Jonathan Druart <jonathan.druart@gmail.com> --- diff --git a/package.json b/package.json index de76c3e98db..1f7ead66e32 100644 --- a/package.json +++ b/package.json @@ -32,7 +32,7 @@ "gulp-sass": "^5.1.0", "gulp-sourcemaps": "^2.6.1", "jquery": "^3.6.0", - "js-yaml": "^3.13.1", + "js-yaml": "^4.1.1", "lodash": "^4.17.23", "merge-stream": "^2.0.0", "minimatch": "^3.1.4", @@ -75,7 +75,6 @@ "qs": "^6.14.1", "micromatch": "^4.0.8", "@cypress/request": "^3.0.0", - "js-yaml": "^4.1.1", "fast-xml-parser": "^4.5.4", "undici": "^6.23.0", "serialize-javascript": "^7.0.3" I have done this change, then: sudo rm -rf /kohadevbox/koha/node_modules /kohadevbox/node_modules/ rm yarn.lock sudo yarn install --modules-folder /kohadevbox/node_modules prove xt/verify-yarnlock.t xt/verify-yarnlock.t .. warning lru.min@1.1.4: The engine "bun" appears to be invalid. warning lru.min@1.1.4: The engine "deno" appears to be invalid. warning sql-escaper@1.3.3: The engine "bun" appears to be invalid. warning sql-escaper@1.3.3: The engine "deno" appears to be invalid. xt/verify-yarnlock.t .. ok All tests successful. Files=1, Tests=2, 3 wallclock secs ( 0.01 usr 0.01 sys + 3.47 cusr 1.05 csys = 4.54 CPU) Result: PASS Are we supposed to rm yarn.lock? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Failed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 --- Comment #16 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Once I updated packages.json I didn't need to nuke yarn.lock for the process to work. Minor query is whether there's any side effects of the js-yaml update.. from my quick testing I think we're safe. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Passed QA --- Comment #17 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- I'm going to go bold and push I think.. I'll deal with any Jenkins fun that may arise. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to main Version(s)| |26.05.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 --- Comment #18 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Thanks for all the hard work! Pushed to main for the next 26.05.00 release as RM Assistant -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 --- Comment #19 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 195693 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=195693&action=edit Bug 41587: (follow-up) Remove unused imports causing webpack node: URI errors The insertData.ts spec imported query and getBasicAuthHeader directly, pulling mysql2/promise into the browser bundle. This caused webpack to fail with UnhandledSchemeError on node:buffer and node:diagnostics_channel URIs introduced by updated dependencies. Both imports were unused — all calls go through cy.task(). -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 Chloé Zermatten <chloe.zermatten@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|26.05.00 |26.05.00,25.11.04 released in| | Status|Pushed to main |Pushed to stable -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41587 --- Comment #20 from Chloé Zermatten <chloe.zermatten@openfifth.co.uk> --- All pushed to 25.11.x Thanks all! -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org