Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update vulnerable dependencies #2273

Merged
merged 1 commit into from
Nov 9, 2023
Merged

chore(deps): update vulnerable dependencies #2273

merged 1 commit into from
Nov 9, 2023

Conversation

kittaakos
Copy link
Contributor

@kittaakos kittaakos commented Nov 2, 2023

Motivation

To fix security issues.

Change description

Other information

TODOs:
@kittaakos will verify:

@rhpco, please help with the security review. Thank you! If all works correctly, IDE2 will be down to zero security alerts.

Current behavior:

% yarn audit
yarn audit v1.22.19
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Babel vulnerable to arbitrary code execution when compiling  │
│               │ specifically crafted malicious code                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ @babel/traverse                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in>=7.23.2                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @theia/cli                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @theia/cli > @theia/application-manager > @babel/core >      │
│               │ @babel/traverse                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1094446                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Babel vulnerable to arbitrary code execution when compiling  │
│               │ specifically crafted malicious code                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ @babel/traverse                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in>=7.23.2                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @theia/cli                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @theia/cli > @theia/application-manager > @babel/core >      │
│               │ @babel/helpers > @babel/traverse                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1094446                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ crypto-js PBKDF2 1,000 times weaker than specified in 1993   │
│               │ and 1.3M times weaker than current standard                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ crypto-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in>=4.2.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ arduino-ide-extension                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ arduino-ide-extension > auth0-js > idtoken-verifier >        │
│               │ crypto-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1094468                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ crypto-js PBKDF2 1,000 times weaker than specified in 1993   │
│               │ and 1.3M times weaker than current standard                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ crypto-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in>=4.2.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ electron-app                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ electron-app > arduino-ide-extension > auth0-js >            │
│               │ idtoken-verifier > crypto-js                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1094468                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
4 vulnerabilities found - Packages audited: 2046
Severity: 4 Critical
✨  Done in 1.95s.

Expected behavior:

% yarn audit
yarn audit v1.22.19
0 vulnerabilities found - Packages audited: 2046
✨  Done in 2.26s.

GitHub Advisory Database refs:

Upstream: eclipse-theia/theia#13024

Reviewer checklist

  • PR addresses a single concern.
  • The PR has no duplicates (please search among the Pull Requests before creating one)
  • PR title and description are properly filled.
  • Docs have been added / updated (for bug fixes / features)

@kittaakos kittaakos added the topic: security Related to the protection of user data label Nov 2, 2023
@kittaakos kittaakos requested a review from rhpco November 2, 2023 08:36
@kittaakos kittaakos self-assigned this Nov 2, 2023
- Forced the resolution of `@babel/[email protected]` brought in by
`@theia/cli`. (eclipse-theia/theia#13024)
- Updated to `[email protected]` to transitively pull `[email protected]` in
with the security fixes.

GitHub Advisory Database refs:
 - GHSA-67hx-6x53-jw92
 - GHSA-xwcq-pm8m-c4vf

Signed-off-by: Akos Kitta <[email protected]>
Copy link

@rhpco rhpco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@per1234 per1234 added topic: infrastructure Related to project infrastructure type: imperfection Perceived defect in any part of project labels Nov 3, 2023
@kittaakos
Copy link
Contributor Author

@kittaakos will verify:

It's working with 2.2.2-snapshot-f7c6da3.

Copy link
Contributor

@francescospissu francescospissu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@kittaakos kittaakos merged commit 22a69f7 into main Nov 9, 2023
23 checks passed
@kittaakos kittaakos deleted the dependabot branch November 9, 2023 10:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
topic: infrastructure Related to project infrastructure topic: security Related to the protection of user data type: imperfection Perceived defect in any part of project
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants