Npm audit seems to get semver wrong?

cli
triaged

(Paolo Priotto) #1

What I Wanted to Do

npm audit -> all good

What Happened Instead

npm audit reporting a vulnerability

Reproduction Steps

$ grep webpack-dev-server package-lock.json
    "webpack-dev-server": {
      "resolved": "https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-3.1.14.tgz",

$ grep webpack-dev-server package.json
    "start": "webpack-dev-server --mode=development --no-info",
    "webpack-dev-server": "3.1.14"

$ npm audit

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  High            Missing Origin Validation

  Package         webpack-dev-server

  Patched in      >=3.1.11

  Dependency of   webpack-dev-server [dev]

  Path            webpack-dev-server

  More info       https://nodesecurity.io/advisories/725

found 1 high severity vulnerability in 8521 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Details

Isn’t 3.1.14 >=3.1.11 ???

Even more confusing, citing https://www.npmjs.com/advisories/725:

Versions of webpack-dev-server before 3.1.6 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer’s source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Remediation

Update to version 3.1.6 or later.

Platform Info

$ npm --versions
{ 'paolos-password-safe': '1.0.0',
  npm: '6.5.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.12.0',
  openssl: '1.0.2p',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.2',
  v8: '6.2.414.66',
  zlib: '1.2.11' }
$ node -p process.platform
win32

Advisory #725 inconsistently marks affected versions
(Peter O'shaughnessy) #2

We have exactly the same issue and have not yet found a workaround. This makes our build fail and is preventing us from making a release until we find a solution. (Furthermore, webpack-dev-server is only a dev dependency so shouldn’t be a high priority issue anyway). Suggestions most welcome!


(Paolo Priotto) #3

Interestingly enough, yarn audit fails with the same error.


(Tom Milligan) #4

This appears to be a typo in the npm vulnerability database. Someone has typed "vulnerable_versions":"<=3.110" (rather than <=3.1.10) which is marking all versions as vulnerable. Needs to be fixed upstream by the npm audit team.

Output of yarn audit --json:

{"type":"auditAdvisory","data":{"resolution":{"id":725,"path":"webpack-dev-server","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"3.1.14","paths":["webpack-dev-server"],"dev":false,"optional":false,"bundled":false}],"id":725,"created":"2018-11-07T17:10:22.191Z","updated":"2018-12-31T18:58:12.106Z","deleted":null,"title":"Missing Origin Validation","found_by":{"link":"https://blog.cal1.cn/link","name":"Jiantao Li"},"reported_by":{"link":"https://blog.cal1.cn/link","name":"Jiantao Li"},"module_name":"webpack-dev-server","cves":["CVE-2018-14732"],"vulnerable_versions":"<=3.110","patched_versions":">=3.1.11","overview":"Versions of `webpack-dev-server` before 3.1.6 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.","recommendation":"Update to version 3.1.6 or later.","references":"- [Sniffing Codes in Hot Module Reloading Messages\n](https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages)\n- [GitHub commit](https://github.com/webpack/webpack-dev-server/commit/f18e5adf123221a1015be63e1ca2491ca45b8d10)","access":"public","severity":"high","cwe":"CWE-346","metadata":{"module_type":"","exploitability":5,"affected_components":""},"url":"https://npmjs.com/advisories/725"}}}
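To make the typo concrete, here is an added example (written for this page, not code from the thread, npm or the `semver` package) that implements just enough semver comparison to show why "<=3.110" swallows 3.1.14, and a consistency check that flags an advisory whose vulnerable and patched ranges overlap. The two range strings are the ones quoted from the `yarn audit --json` output above; the list of release versions is a constructed sample, and the "corrected" range is what the advisory presumably intended.

```javascript
// Added example: minimal semver comparator plus an advisory consistency
// check. Only simple comparator ranges are supported ("<=3.1.10",
// ">=3.1.11", "<1.0.0 || >=2.0.0"); the real `semver` package used by
// npm audit handles far more syntax (carets, tildes, prerelease rules).

// Parse "3.1.14", or a short form like "3.110", into [major, minor, patch].
// Missing components are padded with 0, so "3.110" becomes [3, 110, 0],
// which is the whole reason the typo matched every 3.1.x release.
// A prerelease suffix ("3.2.0-beta.1") is stripped here for simplicity.
function parseVersion(v) {
  const parts = v.trim().split('-')[0].split('.').map(Number);
  if (parts.length === 0 || parts.length > 3 ||
      parts.some(n => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Compare two parsed versions component by component: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  '<=': c => c <= 0, '<': c => c < 0,
  '>=': c => c >= 0, '>': c => c > 0, '=': c => c === 0,
};

// Does `version` satisfy `range`? A range is a list of "||"-separated
// alternatives; each alternative is a whitespace-separated AND of comparators.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some(alt => {
    const comps = alt.trim().split(/\s+/).filter(Boolean);
    if (comps.length === 0) throw new Error(`empty range alternative in: ${range}`);
    return comps.every(comp => {
      const m = /^(<=|>=|<|>|=?)(.+)$/.exec(comp);
      if (!m) throw new Error(`bad comparator: ${comp}`);
      const op = m[1] || '=';
      return OPS[op](compareVersions(v, parseVersion(m[2])));
    });
  });
}

// Lint an advisory against known release versions: any version that is
// both "vulnerable" and "patched" means the two ranges contradict each
// other, which is exactly what "<=3.110" did for 3.1.11 through 3.1.14.
function findContradictions(advisory, knownVersions) {
  return knownVersions.filter(v =>
    satisfies(v, advisory.vulnerable_versions) &&
    satisfies(v, advisory.patched_versions));
}

// Ranges as published in the yarn audit output quoted in this thread.
const advisoryAsPublished = { vulnerable_versions: '<=3.110', patched_versions: '>=3.1.11' };
// What the advisory presumably meant.
const advisoryCorrected = { vulnerable_versions: '<=3.1.10', patched_versions: '>=3.1.11' };
// Constructed sample of webpack-dev-server release versions to lint against.
const releases = ['3.1.9', '3.1.10', '3.1.11', '3.1.12', '3.1.13', '3.1.14'];

console.log('3.1.14 satisfies "<=3.110":', satisfies('3.1.14', '<=3.110'));   // true
console.log('3.1.14 satisfies "<=3.1.10":', satisfies('3.1.14', '<=3.1.10')); // false
console.log('contradictions (as published):', findContradictions(advisoryAsPublished, releases));
console.log('contradictions (corrected):', findContradictions(advisoryCorrected, releases));
```

The check is cheap to run over an advisory feed before it is published or consumed: a non-empty contradiction list means the range strings cannot both be right, and a tool that trusts `vulnerable_versions` alone (as npm audit and yarn audit both did here) will report false positives on every version in that list.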

(Lars Willighagen) #5

The original commit supposedly fixing this issue isn’t included in any releases, so I suppose the original confusion might come from that. v3.1.11 does have a fix for this issue; however, versions v3.1.12 to v3.1.14 all seem to be bugfixes for the first fix in v3.1.11.

Either way, that does look like a typo.

Also, I find it a bit weird that prereleases are automatically considered unaffected.


(Diana Broeders) #6

Is mentioning this typo here the correct place to get this issue resolved?
Or should it be reported as a separate bug?

Because it is causing problems for quite some people:
https://github.com/angular/angular-cli/issues/13342
https://github.com/webpack/webpack-dev-server/issues/1615


(Diana Broeders) #7

It appears they’ve updated the advisory and fixed the typo


(Andre Eleuterio) #8

Thank you for raising this issue to the attention of the npm security team. The issue has been fixed and you should no longer face the incorrect advisory. We understand what caused the issue and will take measures in our tooling to prevent it in the future.

If you find any issues in the future please let us know and we will do our best to help.

Thank you for helping us make the npm ecosystem more secure.
Best regards,
Andre Eleuterio
npm security team


(Vamsi2341992) #9

Hi,

How should the people already facing this issue fix it?

Thanks for the answer!!


(Andre Eleuterio) #10

No fix should be necessary. We updated the advisory so by running npm audit on a project with webpack-dev-server >= 3.1.11 you should no longer see the incorrect advisory. Please let us know if you still face the issue.

Best regards,
Andre Eleuterio
npm security team


(Vamsi2341992) #11

Could you please let me know how to update the webpack-dev-server to a greater version?


(Erick Wilder) #12
npm install --save-dev webpack-dev-server@latest

This should do the job.


(Vamsi2341992) #13

I still get the same error, please advise:

npm WARN rollback Rolling back node-pre-gyp@0.10.0 failed (this is probably harmless): EPERM: operation not permitted, lstat 'C:\Users\vamsi.kondaparthi\Desktop\myjava\Anjular\cmp-databinding\node_modules\fsevents\node_modules'
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

  • webpack-dev-server@3.1.14
    added 39 packages from 17 contributors, updated 4 packages and audited 43619 packages in 55.587s
    found 1 high severity vulnerability
    run npm audit fix to fix them, or npm audit for details

C:\Users\vamsi.kondaparthi\Desktop\myjava\Anjular\cmp-databinding>npm audit

                   === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

High Missing Origin Validation

Package webpack-dev-server

Patched in >=3.1.11

Dependency of @angular-devkit/build-angular [dev]

Path @angular-devkit/build-angular > webpack-dev-server

More info https://nodesecurity.io/advisories/725

found 1 high severity vulnerability in 43619 scanned packages
1 vulnerability requires manual review. See the full report for details.


(Manishaggarwalm) #14

It is resolved by npm now


(Shwetha) #15

How?? I’m not able to fix mine…


(Patryk Wiśniewski ) #16

I had this issue in two projects this morning.

npm resolved this only in one, for an angular 6 project with dev dependencies
"@angular-devkit/build-angular": "~0.7.0",
"@angular/cli": "~6.1.2"

Issue still occurs for the second angular 7 project with dev dependencies:
"@angular-devkit/build-angular": "^0.11.4",
"@angular/cli": "~7.0.2",


(Pedro Pinto) #20

I’m still having the same issue and I’m using the Angular CLI version 7.1.14.

I ran the npm install --save-dev webpack-dev-server@latest command but the error still appears.


(Lars Willighagen) #21
  • react-scripts is pinning the version and there is no release with the new version yet (merged PR)
  • @angular/cli also pins versions and has not backported the fix yet (backport PR)
  • @angular-devkit/build-angular also pins versions and there is no release with the new version yet (merged PR)

(Kat Marchán) #23

Note: I’m going to be deleting “me too” posts. They mostly add noise. If you’re still having issues, see Npm audit seems to get semver wrong? because some packages have not updated webpack-dev-server and thus, there’s no way to fix this without removing those packages right now. This is outside our control and more of a #support issue or a bug for those individual projects.


(Shravan Kumar) #24

I’m still getting the error.

Please help me to fix this. Thanks.