
Update NPM packages to fix Prototype Pollution vulnerability #82

Open
Cheezer1656 opened this issue Apr 22, 2024 · 1 comment · May be fixed by #83

```text
# npm audit report

minimist  <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist
  quote-stream  <=1.0.0
  Depends on vulnerable versions of minimist
  node_modules/quote-stream

static-eval  <=2.0.1
Severity: high
Sandbox Breakout / Arbitrary Code Execution in static-eval - https://github.com/advisories/GHSA-x9hc-rw35-f44h
Sandbox Breakout / Arbitrary Code Execution in static-eval - https://github.com/advisories/GHSA-5mjw-6jrh-hvfq
fix available via `npm audit fix --force`
Will install @magenta/[email protected], which is a breaking change
node_modules/static-eval
  static-module  <=1.5.0
  Depends on vulnerable versions of quote-stream
  Depends on vulnerable versions of static-eval
  node_modules/static-module
    cwise  >=1.0.0
    Depends on vulnerable versions of static-module
    node_modules/cwise
      ndarray-fft  >=1.0.0
      Depends on vulnerable versions of cwise
      node_modules/ndarray-fft
      ndarray-resample  *
      Depends on vulnerable versions of cwise
      Depends on vulnerable versions of ndarray-fft
      node_modules/ndarray-resample
        @magenta/music  >=1.1.14
        Depends on vulnerable versions of ndarray-resample
        node_modules/@magenta/music

8 vulnerabilities (6 moderate, 1 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```
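As an added illustration of the bug class named in the minimist advisories above (this is not code from this repository, from minimist, or from the issue author), here is a minimal dotted-key argument setter in its vulnerable form beside a hardened one, with a check for a polluted `Object.prototype`. `parseArgs`, `setKeyUnsafe`, `setKeySafe` and `isPolluted` are hypothetical names, and `SAMPLE_ARGV` is constructed input.

```javascript
// Key segments that must never be walked when building nested objects from
// untrusted input: each one reaches the shared prototype chain.
const RESERVED_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable pattern: a dotted path such as "a.b" is expanded by creating
// intermediate objects. Because `{}["__proto__"]` resolves to
// Object.prototype, a "__proto__.x" path writes x onto every object.
function setKeyUnsafe(obj, path, value) {
  let cur = obj;
  for (const part of path.slice(0, -1)) {
    if (cur[part] === undefined) cur[part] = {};
    cur = cur[part];
  }
  cur[path[path.length - 1]] = value;
}

// Hardened form: refuse reserved segments outright, and only descend into
// own, object-typed properties, creating prototype-less containers otherwise.
function setKeySafe(obj, path, value) {
  if (path.some((p) => RESERVED_SEGMENTS.has(p))) {
    throw new Error(`refusing reserved key path: ${path.join(".")}`);
  }
  let cur = obj;
  for (const part of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, part);
    if (!own || typeof cur[part] !== "object" || cur[part] === null) {
      cur[part] = Object.create(null);
    }
    cur = cur[part];
  }
  cur[path[path.length - 1]] = value;
}

// Tiny parser for "--key.sub=value" flags; `setter` selects which behaviour
// is exercised so the two forms can be compared on identical input.
function parseArgs(argv, setter = setKeySafe) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    setter(out, m[1].split("."), m[2]);
  }
  return out;
}

// Detection check: a fresh object should not inherit the given property.
function isPolluted(key) {
  return ({})[key] !== undefined;
}

// Constructed sample: one benign flag, one that targets the prototype chain.
const SAMPLE_ARGV = ["--name=demo", "--a.b=c", "--__proto__.polluted=yes"];
```

Run `parseArgs(SAMPLE_ARGV, setKeySafe)` to see the reserved path rejected, while the unsafe setter silently leaves `isPolluted("polluted")` true for the rest of the process.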
cifkao (Owner) commented May 23, 2024

Thanks for reporting this! However, I don't think this can be solved just by updating packages. The latest version of cwise still depends on the vulnerable version of static-eval through static-module. Updating static-eval would create a dependency conflict. (Indeed, npm audit fix doesn't fix anything, and npm audit fix --force gives me an error.)

So I think this would have to be fixed in cwise by making it depend on a more recent version of static-module that doesn't have the vulnerability.
