Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security vulnerability with VuePress 1.8.2 #2946

Open
1 task done
frudolph77 opened this issue Nov 14, 2021 · 3 comments
Open
1 task done

Security vulnerability with VuePress 1.8.2 #2946

frudolph77 opened this issue Nov 14, 2021 · 3 comments

Comments

@frudolph77
Copy link

  • I confirm that this is an issue rather than a question.

Bug report

Steps to reproduce

$ npx create-vuepress-site
$ cd docs
$ npm install
...

found 12 vulnerabilities (7 moderate, 5 high)
  run `npm audit fix` to fix them, or `npm audit` for details
$ npm audit
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > webpackbar > wrap-ansi >         │
│               │ string-width > strip-ansi > ansi-regex                       │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > webpack-dev-server > yargs >     │
│               │ cliui > string-width > strip-ansi > ansi-regex               │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > webpack-dev-server > yargs >     │
│               │ cliui > wrap-ansi > string-width > strip-ansi > ansi-regex   │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > webpack-dev-server > yargs >     │
│               │ cliui > strip-ansi > ansi-regex                              │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > webpackbar > wrap-ansi >         │
│               │ strip-ansi > ansi-regex                                      │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > webpack-dev-server > yargs >     │
│               │ cliui > wrap-ansi > strip-ansi > ansi-regex                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Inefficient Regular Expression Complexity in nth-check       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ nth-check                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core >                                  │
│               │ optimize-css-assets-webpack-plugin > cssnano >               │
│               │ cssnano-preset-default > postcss-svgo > svgo > css-select >  │
│               │ nth-check                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-rp65-9cf3-cjxr            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > chokidar > glob-parent           │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > webpack-dev-server > chokidar >  │
│               │ glob-parent                                                  │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > @vuepress/shared-utils > globby  │
│               │ > fast-glob > glob-parent                                    │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > @vuepress/markdown >             │
│               │ @vuepress/shared-utils > globby > fast-glob > glob-parent    │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > @vuepress/core > @vuepress/markdown-loader >      │
│               │ @vuepress/markdown > @vuepress/shared-utils > globby >       │
│               │ fast-glob > glob-parent                                      │

├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-ww39-953v-wcq6            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 12 vulnerabilities (7 moderate, 5 high) in 1232 scanned packages
  12 vulnerabilities require manual review. See the full report for details.

What is expected?

Zero security vulnerability

What is actually happening?

Twelve security vulnerability

Other relevant information

  • Output of npx vuepress info in my VuePress project:
Environment Info:

  System:
    OS: Linux 5.4 Ubuntu 18.04.6 LTS (Bionic Beaver)
    CPU: (8) x64 Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz
  Binaries:
    Node: 14.16.0 - ~/.nvm/versions/node/v14.16.0/bin/node
    Yarn: 1.22.5 - /usr/bin/yarn
    npm: 6.14.11 - ~/.nvm/versions/node/v14.16.0/bin/npm
  Browsers:
    Chrome: 95.0.4638.69
    Firefox: 94.0
  npmPackages:
    @vuepress/core:  1.8.2 
    @vuepress/theme-default:  1.8.2 
    vuepress: ^1.5.3 => 1.8.2 
  npmGlobalPackages:
    vuepress: Not Found

If have deep dived into the modules

  • Regarding chalk
[email protected] /home/.../VuePress/docs
└─┬ [email protected]
  ├─┬ @vuepress/[email protected]
  │ ├─┬ [email protected]
  │ │ └─┬ [email protected]
  │ │   └─┬ [email protected]
  │ │     └── [email protected]  deduped
  │ ├─┬ [email protected]
  │ │ ├─┬ [email protected]
  │ │ │ └── [email protected] 
  │ │ └─┬ [email protected]
  │ │   ├─┬ [email protected]
  │ │   │ └─┬ [email protected]
  │ │   │   └── [email protected] 
  │ │   └─┬ [email protected]
  │ │     └─┬ [email protected]
  │ │       └── [email protected] 
  │ └─┬ [email protected]
  │   └─┬ [email protected]
  │     └─┬ [email protected]
  │       └── [email protected] 
  └─┬ [email protected]
    └─┬ [email protected]
      ├─┬ [email protected]
      │ └─┬ [email protected]
      │   └─┬ [email protected]
      │     └── [email protected] 
      ├─┬ [email protected]
      │ └─┬ [email protected]
      │   └── [email protected] 
      └─┬ [email protected]
        └─┬ [email protected]
          └─┬ [email protected]
            └── [email protected] 

Newest Version of chalk is 4.1.2, and has no dependency to has-ansi since at least 2.0.0
All other vulnerabilities should be fix with newer versions of webpack-dev-server and webpackbar.
All the libs denpending on ansi-regex are using a newer versions.

  • Regarding glob-parent
[email protected] /home/.../VuePress/docs
└─┬ [email protected]
  └─┬ @vuepress/[email protected]
    ├─┬ @vuepress/[email protected]
    │ └─┬ [email protected]
    │   └─┬ [email protected]
    │     └── [email protected]  deduped
    ├─┬ [email protected]
    │ └── [email protected] 
    ├─┬ [email protected]
    │ └── [email protected]  deduped
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └── [email protected] 

Updating globby,chokidar,copy-webpack-plugin should fix it, libs denpending on glob-parent are using a newer versions.

@frudolph77
Copy link
Author

With node v16.13.0 it's even worse:

$ npm install
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x.

added 1248 packages, and audited 1249 packages in 27s

80 packages are looking for funding
  run `npm fund` for details

30 vulnerabilities (14 moderate, 16 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.


$ npm audit
# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/cliui/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/yargs/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/cliui/node_modules/strip-ansi
  node_modules/wrap-ansi/node_modules/strip-ansi
  node_modules/yargs/node_modules/strip-ansi
    cliui  4.0.0 - 5.0.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of wrap-ansi
    node_modules/cliui
      yargs  10.1.0 - 15.0.0
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of string-width
      node_modules/yargs
        webpack-dev-server  2.0.0-beta - 3.11.3
        Depends on vulnerable versions of chokidar
        Depends on vulnerable versions of yargs
        node_modules/webpack-dev-server
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/cliui/node_modules/string-width
    node_modules/wrap-ansi/node_modules/string-width
    node_modules/yargs/node_modules/string-width
      wrap-ansi  3.0.0 - 6.1.0
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of strip-ansi
      node_modules/wrap-ansi
        webpackbar  3.0.0-0 - 3.2.0
        Depends on vulnerable versions of wrap-ansi
        node_modules/webpackbar

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    @vuepress/core  <=1.8.2
    Depends on vulnerable versions of chokidar
    node_modules/@vuepress/core
      vuepress  1.0.0-alpha.0 - 1.8.2
      Depends on vulnerable versions of @vuepress/core
      node_modules/vuepress
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 3.11.3
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of yargs
    node_modules/webpack-dev-server
  copy-webpack-plugin  5.0.1 - 5.1.2
  Depends on vulnerable versions of glob-parent
  node_modules/copy-webpack-plugin
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby
      @vuepress/shared-utils  *
      Depends on vulnerable versions of globby
      node_modules/@vuepress/shared-utils
        @vuepress/markdown  <=1.8.2
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/@vuepress/markdown
          @vuepress/markdown-loader  *
          Depends on vulnerable versions of @vuepress/markdown
          node_modules/@vuepress/markdown-loader
        @vuepress/plugin-register-components  <=1.8.2
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/@vuepress/plugin-register-components
        vuepress-plugin-container  >=2.1.5
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/vuepress-plugin-container

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin

30 vulnerabilities (14 moderate, 16 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Unfortunately npm audit fix wont fix anything because of an open issue @npm/cli

@ulivz ulivz pinned this issue Dec 18, 2021
@MrWook
Copy link

MrWook commented Feb 9, 2022

I needed to dig deep to get the information that i wanted so here is what i found:
There is already a open Pull request #2690 since 2020
But they are all updated in the next major release https://github.com/vuepress/vuepress-next

@bn-l
Copy link

bn-l commented Mar 28, 2024

Just FYI this repo is deprecated and will continue to accrue security and dependency deprecation issues.

From the readme:

VuePress is now in maintenance mode. For a next-gen Vue-based SSG built on top of Vue 3 + Vite, check out VitePress.

It is frustrating that a google for vuepress goes to vuepress 1.x and there is no clear mention you are on a deprecated project. Almost like putting the gun in your hand, pointing it at your foot and saying "you should be more careful!"

This is "vuepress-next": https://v2.vuepress.vuejs.org/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants