Problem/Motivation

In #3467599: Update NPM packages flagged by yarn audit we discovered some of our NPM packages are being flagged by yarn audit for having CVEs.
We fixed the 11.x and 11.0.x branches in that issue.

branches below have a different yarn version/lock file format so let's to that in a different issue if necessary and leave this one here.

Thus spoketh @nod in 3467599-30

Although the security of Drupal itself isn't compromised:

Note also that this only affects development dependencies and can't be exploited at runtime, the Drupal Security Team will not be issuing a security release or advisory about this change.

Thus spoketh @longwave in 3467599-5

I think we still want to fix this in the active D10-branches as well, since a security scan might alert about these packages.

Steps to reproduce

yarn audit

Proposed resolution

Bump the versions of flagged NPM dependencies, where preferable by removing the entry for each of them in yarn.lock and doing a yarn install.
If that doesn't work, use resolutions

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Issue fork drupal-3469840

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

Spokje created an issue. See original summary.

Spokje opened merge request !9311

spokje’s picture

spokje
Primary language Dutch
commented

For 10.4.x:

$ yarn audit
yarn audit v1.22.22
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ ejs lacks certain pollution protection                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ejs                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.10                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nightwatch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nightwatch > ejs                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098366                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Uncontrolled resource consumption in braces                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ chokidar                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ chokidar > braces                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098094                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Uncontrolled resource consumption in braces                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint > micromatch > braces                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098094                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Uncontrolled resource consumption in braces                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cspell                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cspell > cspell-glob > micromatch > braces                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098094                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Uncontrolled resource consumption in braces                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cspell                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cspell > cspell-gitignore > cspell-glob > micromatch >       │
│               │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098094                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ ws affected by a DoS when handling a request with many HTTP  │
│               │ headers                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ws                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.17.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jsdom                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jsdom > ws                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098392                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ ws affected by a DoS when handling a request with many HTTP  │
│               │ headers                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ws                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.17.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nightwatch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nightwatch > selenium-webdriver > ws                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098392                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service (ReDoS) in micromatch   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ micromatch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint > micromatch                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098615                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service (ReDoS) in micromatch   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ micromatch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cspell                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cspell > cspell-glob > micromatch                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098615                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service (ReDoS) in micromatch   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ micromatch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cspell                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cspell > cspell-gitignore > cspell-glob > micromatch         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098615                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
spokje’s picture

spokje
Primary language Dutch
commented

After the MR, we left with: 

$ yarn audit
yarn audit v1.22.22
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service (ReDoS) in micromatch   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ micromatch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint > micromatch                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098615                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service (ReDoS) in micromatch   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ micromatch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cspell                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cspell > cspell-glob > micromatch                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098615                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service (ReDoS) in micromatch   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ micromatch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cspell                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cspell > cspell-gitignore > cspell-glob > micromatch         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098615                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
3 vulnerabilities found - Packages audited: 894
Severity: 3 Moderate
Done in 1.09s.

As said in #3467599-25: Update NPM packages flagged by yarn audit by me:

That worked for micromatch, however that has a CVE stating we need to go 3.0.8 or higher (See https://github.com/advisories/GHSA-952p-6rrq-rcjv). However the latest release is 3.0.7 (See https://www.npmjs.com/package/micromatch).
So this one still gets flagged by yarn audit -R, but as far as I can tell there's a mistake made in the CVE.

If not, micromatch hasn't had a new release since May 2024, so there's no indication this will be fixed there soon.
That would have been a reason to stall this issue until that would happen, but as said, I don't think it will in the foreseeable future.

So let's roll with what we got in here.

Spokje opened merge request !9313

spokje’s picture

spokje
Primary language Dutch
commented

For 10.3.x:

Basically the same as #3469840-3: Update NPM packages flagged by yarn audit for 10.4.x and 10.3.x and #3469840-4: Update NPM packages flagged by yarn audit for 10.4.x and 10.3.x, diff from the 10.4.x-MR didn't apply cleanly, but otherwise we should be good with the code>10.3.x-MR.

spokje’s picture

spokje
Primary language Dutch
commented
Status: Active » Needs review
spokje’s picture

spokje
Primary language Dutch
commented
Assigned: spokje » Unassigned
smustgrave’s picture

smustgrave commented
Status: Needs review » Reviewed & tested by the community

Since same changes were accepted for 11.x and 11.0.x sure these are fine.

  • nod_ committed 48b3765a on 10.4.x 
    Issue #3469840 by Spokje: Update NPM packages flagged by yarn audit for...

nod_ closed merge request !9311

nod_ closed merge request !9313

  • nod_ committed d69ed7d4 on 10.3.x 
    Issue #3469840 by Spokje: Update NPM packages flagged by yarn audit for...
nod_’s picture

nod_
Primary language French
Location Lille
commented
Version: 10.4.x-dev » 10.3.x-dev
Status: Reviewed & tested by the community » Fixed

Committed 48b3765 and pushed to 10.4.x. Thanks!
Committed d69ed7d and pushed to 10.3.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.