diff --git a/workspaces/arborist/lib/audit-report.js b/workspaces/arborist/lib/audit-report.js index 4dc6dd177c1e4..9bef84686f4b4 100644 --- a/workspaces/arborist/lib/audit-report.js +++ b/workspaces/arborist/lib/audit-report.js @@ -134,16 +134,7 @@ class AuditReport extends Map { const seen = new Set() for (const advisory of advisories) { const { name, range } = advisory - - // don't flag the exact same name/range more than once - // adding multiple advisories with the same range is fine, but no - // need to search for nodes we already would have added. const k = `${name}@${range}` - if (seen.has(k)) { - continue - } - - seen.add(k) const vuln = this.get(name) || new Vuln({ name, advisory }) if (this.has(name)) { @@ -151,44 +142,50 @@ class AuditReport extends Map { } super.set(name, vuln) - const p = [] - for (const node of this.tree.inventory.query('packageName', name)) { - if (!shouldAudit(node, this[_omit], this.filterSet)) { - continue - } + // don't flag the exact same name/range more than once + // adding multiple advisories with the same range is fine, but no + // need to search for nodes we already would have added. + if (!seen.has(k)) { + const p = [] + for (const node of this.tree.inventory.query('packageName', name)) { + if (!shouldAudit(node, this[_omit], this.filterSet)) { + continue + } - // if not vulnerable by this advisory, keep searching - if (!advisory.testVersion(node.version)) { - continue - } + // if not vulnerable by this advisory, keep searching + if (!advisory.testVersion(node.version)) { + continue + } - // we will have loaded the source already if this is a metavuln - if (advisory.type === 'metavuln') { - vuln.addVia(this.get(advisory.dependency)) - } + // we will have loaded the source already if this is a metavuln + if (advisory.type === 'metavuln') { + vuln.addVia(this.get(advisory.dependency)) + } - // already marked this one, no need to do it again - if (vuln.nodes.has(node)) { - continue - } + // already marked this one, no need to do it again + if (vuln.nodes.has(node)) { + continue + } - // haven't marked this one yet. get its dependents. - vuln.nodes.add(node) - for (const { from: dep, spec } of node.edgesIn) { - if (dep.isTop && !vuln.topNodes.has(dep)) { - this[_checkTopNode](dep, vuln, spec) - } else { + // haven't marked this one yet. get its dependents. + vuln.nodes.add(node) + for (const { from: dep, spec } of node.edgesIn) { + if (dep.isTop && !vuln.topNodes.has(dep)) { + this[_checkTopNode](dep, vuln, spec) + } else { // calculate a metavuln, if necessary - const calc = this.calculator.calculate(dep.packageName, advisory) - p.push(calc.then(meta => { - if (meta.testVersion(dep.version, spec)) { - advisories.add(meta) - } - })) + const calc = this.calculator.calculate(dep.packageName, advisory) + p.push(calc.then(meta => { + if (meta.testVersion(dep.version, spec)) { + advisories.add(meta) + } + })) + } } } + await Promise.all(p) + seen.add(k) } - await Promise.all(p) // make sure we actually got something. if not, remove it // this can happen if you are loading from a lockfile created by diff --git a/workspaces/arborist/tap-snapshots/test/audit-report.js.test.cjs b/workspaces/arborist/tap-snapshots/test/audit-report.js.test.cjs index 91d7ecffceaeb..cc1354e64c818 100644 --- a/workspaces/arborist/tap-snapshots/test/audit-report.js.test.cjs +++ b/workspaces/arborist/tap-snapshots/test/audit-report.js.test.cjs @@ -123,6 +123,15 @@ exports[`test/audit-report.js TAP all severity levels > json version 1`] = ` "severity": "high", "range": "<3.0.8 || >=4.0.0 <4.5.3" }, + { + "source": 1325, + "name": "handlebars", + "dependency": "handlebars", + "title": "Prototype Pollution", + "url": "https://npmjs.com/advisories/1325", + "severity": "high", + "range": "<3.0.8 || >=4.0.0 <4.5.3" + }, { "source": 755, "name": "handlebars", @@ -448,6 +457,15 @@ exports[`test/audit-report.js TAP all severity levels > json version 1`] = ` "url": "https://npmjs.com/advisories/1478", "severity": "high", "range": ">=4.1.0" + }, + { + "source": 1479, + "name": "subtext", + "dependency": "subtext", + "title": "Prototype Pollution", + "url": "https://npmjs.com/advisories/1479", + "severity": "high", + "range": ">=0.0.0" } ], "effects": [], @@ -558,6 +576,15 @@ exports[`test/audit-report.js TAP audit outdated nyc and mkdirp > json version 1 "severity": "high", "range": "<3.0.8 || >=4.0.0 <4.5.3" }, + { + "source": 1325, + "name": "handlebars", + "dependency": "handlebars", + "title": "Prototype Pollution", + "url": "https://npmjs.com/advisories/1325", + "severity": "high", + "range": "<3.0.8 || >=4.0.0 <4.5.3" + }, { "source": 755, "name": "handlebars", @@ -918,6 +945,15 @@ exports[`test/audit-report.js TAP audit outdated nyc and mkdirp with before: opt "severity": "high", "range": "<3.0.8 || >=4.0.0 <4.5.3" }, + { + "source": 1325, + "name": "handlebars", + "dependency": "handlebars", + "title": "Prototype Pollution", + "url": "https://npmjs.com/advisories/1325", + "severity": "high", + "range": "<3.0.8 || >=4.0.0 <4.5.3" + }, { "source": 755, "name": "handlebars", @@ -1278,6 +1314,15 @@ exports[`test/audit-report.js TAP audit outdated nyc and mkdirp with newer endpo "severity": "high", "range": "<3.0.8 || >=4.0.0 <4.5.3" }, + { + "source": 1325, + "name": "handlebars", + "dependency": "handlebars", + "title": "Prototype Pollution", + "url": "https://npmjs.com/advisories/1325", + "severity": "high", + "range": "<3.0.8 || >=4.0.0 <4.5.3" + }, { "source": 755, "name": "handlebars", @@ -2144,6 +2189,20 @@ Object { "versions": undefined, "vulnerableVersions": undefined, }, + Object { + "cvss": undefined, + "cwe": undefined, + "dependency": "handlebars", + "id": undefined, + "name": "handlebars", + "range": "<3.0.8 || >=4.0.0 <4.5.3", + "severity": "high", + "source": 1325, + "title": "Prototype Pollution", + "url": "https://npmjs.com/advisories/1325", + "versions": undefined, + "vulnerableVersions": undefined, + }, Object { "cvss": undefined, "cwe": undefined, @@ -2623,6 +2682,20 @@ Object { "versions": undefined, "vulnerableVersions": undefined, }, + Object { + "cvss": undefined, + "cwe": undefined, + "dependency": "handlebars", + "id": undefined, + "name": "handlebars", + "range": "<3.0.8 || >=4.0.0 <4.5.3", + "severity": "high", + "source": 1325, + "title": "Prototype Pollution", + "url": "https://npmjs.com/advisories/1325", + "versions": undefined, + "vulnerableVersions": undefined, + }, Object { "cvss": undefined, "cwe": undefined, @@ -2791,6 +2864,20 @@ Object { "versions": undefined, "vulnerableVersions": undefined, }, + Object { + "cvss": undefined, + "cwe": undefined, + "dependency": "handlebars", + "id": undefined, + "name": "handlebars", + "range": "<3.0.8 || >=4.0.0 <4.5.3", + "severity": "high", + "source": 1325, + "title": "Prototype Pollution", + "url": "https://npmjs.com/advisories/1325", + "versions": undefined, + "vulnerableVersions": undefined, + }, Object { "cvss": undefined, "cwe": undefined, @@ -3270,6 +3357,20 @@ Object { "versions": undefined, "vulnerableVersions": undefined, }, + Object { + "cvss": undefined, + "cwe": undefined, + "dependency": "handlebars", + "id": undefined, + "name": "handlebars", + "range": "<3.0.8 || >=4.0.0 <4.5.3", + "severity": "high", + "source": 1325, + "title": "Prototype Pollution", + "url": "https://npmjs.com/advisories/1325", + "versions": undefined, + "vulnerableVersions": undefined, + }, Object { "cvss": undefined, "cwe": undefined, @@ -3458,6 +3559,20 @@ Object { "versions": undefined, "vulnerableVersions": undefined, }, + Object { + "cvss": undefined, + "cwe": undefined, + "dependency": "handlebars", + "id": undefined, + "name": "handlebars", + "range": "<3.0.8 || >=4.0.0 <4.5.3", + "severity": "high", + "source": 1325, + "title": "Prototype Pollution", + "url": "https://npmjs.com/advisories/1325", + "versions": undefined, + "vulnerableVersions": undefined, + }, Object { "cvss": undefined, "cwe": undefined, @@ -3927,6 +4042,20 @@ Object { "versions": undefined, "vulnerableVersions": undefined, }, + Object { + "cvss": undefined, + "cwe": undefined, + "dependency": "handlebars", + "id": undefined, + "name": "handlebars", + "range": "<3.0.8 || >=4.0.0 <4.5.3", + "severity": "high", + "source": 1325, + "title": "Prototype Pollution", + "url": "https://npmjs.com/advisories/1325", + "versions": undefined, + "vulnerableVersions": undefined, + }, Object { "cvss": undefined, "cwe": undefined,