Security vulnerabilities (debug <4.3.0) (phin <3.7.1) (got <11.8.5) #1

Open
jeunjetta opened this issue May 5, 2024 · 1 comment

@jeunjetta

Local npm install of electron on Linux Mint came up with these warnings that are pretty serious, and "npm audit fix" doesn't help:

10 vulnerabilities (6 moderate, 4 high)

# npm audit report

debug  <=2.6.8
Severity: high
debug Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-9vvw-cc9w-f27h
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
No fix available
node_modules/aframe/node_modules/debug
  aframe  >=0.6.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of three-bmfont-text
  node_modules/aframe
    3d-force-graph-vr  >=1.4.3
    Depends on vulnerable versions of aframe
    node_modules/3d-force-graph-vr
      react-force-graph  *
      Depends on vulnerable versions of 3d-force-graph-vr
      node_modules/react-force-graph

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/nice-color-palettes/node_modules/got
  nice-color-palettes  >=3.0.0
  Depends on vulnerable versions of got
  node_modules/nice-color-palettes
    three-bmfont-text  >=3.0.0
    Depends on vulnerable versions of nice-color-palettes
    node_modules/three-bmfont-text

phin  <3.7.1
Severity: moderate
phin may include sensitive headers in subsequent requests after redirect - https://github.com/advisories/GHSA-x565-32qp-m3vf
fix available via `npm audit fix`
node_modules/phin
  load-bmfont  >=1.4.0
  Depends on vulnerable versions of phin
  node_modules/load-bmfont

I've edited the lock file and changed all the references to the debug package to version 4.3.4:
thinkmachine/electron/package-lock.json

It seemed to install ok after that but I haven't had time to address the other two issues yet. I only ran it briefly in dev mode and saw a few debug errors being reported. Still unsure if the version dependencies were immaterial or legit.

FYI, the worst one was really old, and pointing to a repository that has not been updated in 7 years.
Line 2295 when viewed in github (strangely line 2275 when viewed in my vscode copy):

"node_modules/aframe/node_modules/debug": {
  "version": "2.2.0",
  "resolved": "git+ssh://[email protected]/ngokevin/debug.git#ef5f8e66d49ce8bc64c6f282c15f8b7164409e3a"
},

Anything lower than 4.3.1 still gets reported.
debug 4.0.0 - 4.3.0
Regular Expression Denial of Service in debug - GHSA-gxpj-cx7g-858c

I've attached the edited file. It only contains a fix for debug.
package-lock.json

Summary:

  1. The debug dependencies look fixable (just forcing all instances to use at least 4.3.4 in the lock file)
  2. The phin package has been deprecated. Not sure if you can choose an equivalent alternative package maybe?
  3. The got package I haven't looked into yet

PS. Thank you for creating this tool. The world needs it! :)
It makes the usual 2d hierarchical mind maps and knowledge graphs look like children's toys ;)
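An added check for the situation described in this issue (example code, not from the issue or the thinkmachine project): it walks the `packages` map of a package-lock.json and reports any copy of debug, phin or got still below the fixed versions in the audit output (4.3.1 for debug, since the report says anything lower is still flagged), including nested copies such as node_modules/aframe/node_modules/debug. The lock-file content is a constructed sample with a placeholder git URL.

```javascript
// Added example: find lock-file entries still below the audit's fixed versions.
// Thresholds taken from the npm audit output quoted in the issue.
const MIN_FIXED = { debug: '4.3.1', phin: '3.7.1', got: '11.8.5' };

// Numeric compare of dotted versions; a leading "v" and prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.replace(/^v/, '').split('-')[0].split('.').map(Number);
  const pb = b.replace(/^v/, '').split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every lock-file path whose package name is in minFixed and whose
// recorded version is below the fix. The name is whatever follows the last
// "node_modules/", so nested copies under other packages are found too.
function findVulnerable(lock, minFixed = MIN_FIXED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const fixed = minFixed[name];
    if (!fixed || !entry.version) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version, fixed, resolved: entry.resolved });
    }
  }
  return hits;
}

// Constructed sample lock file (lockfileVersion 3 layout) mirroring the
// nested-dependency shape reported in the issue; the git URL is a placeholder.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/debug': { version: '4.3.4' },
    'node_modules/aframe/node_modules/debug': {
      version: '2.2.0',
      resolved: 'git+ssh://<host>/ngokevin/debug.git#<commit-placeholder>',
    },
    'node_modules/phin': { version: '3.5.0' },
    'node_modules/nice-color-palettes/node_modules/got': { version: '9.6.0' },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.version} < ${h.fixed}`);
}
```

Reading a real lock file is `findVulnerable(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; an entry with a `resolved` git URL is worth a second look even when its version looks new, since the tag may not match the published package.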

@themaximalist
Owner

Thanks @jeunjetta I'll get this fixed!
