Update NPM packages flagged by yarn audit

Created on 12 August 2024, 3 months ago
Updated 5 September 2024, 3 months ago

Problem/Motivation

The braces NPM package, a dependency used in Drupal's core JavaScript tooling, has a known vulnerability in versions earlier than 3.0.3. This vulnerability allows for uncontrolled resource consumption, potentially leading to memory exhaustion and a crash. Specifically, when parsing input with "imbalanced braces," the package may enter an infinite loop, allocating heap memory without releasing it.

This issue was identified by a Dependabot alert, which could not automatically update the package due to the absence of a package.json in the web/core/ directory. The vulnerability needs to be addressed to ensure the security and stability of Drupal's core dependencies.

Steps to reproduce

  1. Use a version of Drupal that depends on braces version 3.0.2 or earlier.
  2. Parse input with "imbalanced braces" using the braces package.
  3. Observe that the process consumes increasing amounts of memory and eventually crashes due to memory exhaustion.

Proposed resolution

  • Update the braces package in Drupal's dependencies to version 3.0.3 by modifying the package.json and yarn.lock files.
  • Ensure that all transitive dependencies are also using braces version 3.0.3.
  • Verify that the issue is resolved by testing the behavior with inputs that previously caused memory exhaustion.
  • Submit a patch to apply these changes to the Drupal core repository.

Remaining tasks

  • Apply the braces update to the relevant branches (10.3.x).
  • Verify that the update does not introduce any regressions or new issues.
  • Submit the patch for review.
  • Communicate with the maintainers to ensure the patch is merged into the appropriate Drupal core versions.
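A lockfile gate for the vulnerable ranges this issue's audit output lists, as an added example that is not Drupal's tooling or code from the issue; it assumes the Yarn Berry (v2+) yarn.lock layout, where each entry carries a `resolution: "name@npm:x.y.z"` line, and runs over a constructed lockfile excerpt so that transitive pins like braces under chokidar are caught before a release:

```javascript
// Added example, not Drupal's tooling: gate a Yarn Berry (v2+) yarn.lock on the
// vulnerable ranges this issue's audit lists, covering transitive dependencies.
// Assumes the Berry layout, where each entry has a `resolution: "name@npm:x.y.z"` line.
// Constructed lockfile excerpt with the versions the audit output reports.
const SAMPLE_LOCK = `
"braces@npm:^3.0.2, braces@npm:~3.0.2":
  version: 3.0.2
  resolution: "braces@npm:3.0.2"
"micromatch@npm:^4.0.4":
  version: 4.0.5
  resolution: "micromatch@npm:4.0.5"
"tar@npm:^6.2.1":
  version: 6.2.1
  resolution: "tar@npm:6.2.1"
"ws@npm:^8.15.1":
  version: 8.15.1
  resolution: "ws@npm:8.15.1"
`;

// Vulnerable ranges exactly as yarn npm audit prints them on this issue.
const ADVISORIES = { braces: "<3.0.3", micromatch: "<=4.0.7", tar: "<6.2.1", ws: ">=8.0.0 <8.17.1" };

// Collect every resolved version per package name (scoped names included).
function resolvedVersions(lockText) {
  const found = {};
  const re = /^\s*resolution: "(@?[^@"]+)@npm:([^"]+)"/gm;
  for (let m; (m = re.exec(lockText)) !== null; ) (found[m[1]] ??= new Set()).add(m[2]);
  return found;
}

// Compare major.minor.patch numerically (prerelease tags are not handled).
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// A range is a space-separated conjunction of comparators, e.g. ">=8.0.0 <8.17.1".
function inRange(version, range) {
  return range.split(/\s+/).every((c) => {
    const [, op = "=", v] = c.match(/^(<=|>=|<|>)?(.+)$/);
    const d = cmp(version, v);
    return { "<": d < 0, "<=": d <= 0, ">": d > 0, ">=": d >= 0, "=": d === 0 }[op];
  });
}

// Return [{ name, version }] for every resolved version inside a vulnerable range;
// an empty array means the lockfile is clean with respect to these advisories.
function findVulnerable(lockText, advisories = ADVISORIES) {
  const hits = [];
  for (const [name, versions] of Object.entries(resolvedVersions(lockText))) {
    for (const v of versions) if (name in advisories && inRange(v, advisories[name])) hits.push({ name, version: v });
  }
  return hits;
}
```

Run it against the real web/core/yarn.lock and fail the pipeline when the returned array is non-empty; the ranges are the advisory data from this issue, so refresh them from the advisory source rather than hard-coding them long term.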
📌 Task
Status

Fixed

Version

11.0 🔥

Component
Javascript


Merge Requests

Comments & Activities

  • Issue created by @hossein.daliran
  • Status changed to Needs work 3 months ago
  • 🇬🇧United Kingdom longwave UK

    yarn audit also reports problems with ws, let's fix that at the same time.

  • 🇬🇧United Kingdom longwave UK

    Note also that this only affects development dependencies and can't be exploited at runtime, the Drupal Security Team will not be issuing a security release or advisory about this change.

  • 🇳🇱Netherlands spokje

    Spokje changed the visibility of the branch 3467599-update-braces-npm to hidden.

  • Merge request !9187 Resolve #3467599 "Update braces and ws" (Closed) created by spokje
  • Assigned to spokje
  • 🇳🇱Netherlands spokje
  • 🇳🇱Netherlands spokje

    Oh, the joy of supporting multiple versions of core...
    It looks like this is going to be a different MR for at least 11.x/10.x and perhaps even one for every minor version.

    Let's start with 11.x.

    Firstly, in yarn v4-land, yarn audit has apparently now become yarn npm audit -R.

    On 11.x that gives us:

    $ yarn npm audit -R
    ├─ @humanwhocodes/config-array
    │  ├─ ID: @humanwhocodes/config-array (deprecation)
    │  ├─ Issue: Use @eslint/config-array instead
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: 0.11.14
    │  │
    │  ├─ Tree Versions
    │  │  └─ 0.11.14
    │  │
    │  └─ Dependents
    │     └─ eslint@npm:8.57.0
    │
    ├─ @humanwhocodes/object-schema
    │  ├─ ID: @humanwhocodes/object-schema (deprecation)
    │  ├─ Issue: Use @eslint/object-schema instead
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: 2.0.3
    │  │
    │  ├─ Tree Versions
    │  │  └─ 2.0.3
    │  │
    │  └─ Dependents
    │     └─ @humanwhocodes/config-array@npm:0.11.14
    │
    ├─ braces
    │  ├─ ID: 1098094
    │  ├─ Issue: Uncontrolled resource consumption in braces
    │  ├─ URL: https://github.com/advisories/GHSA-grv7-fg5c-xmjg
    │  ├─ Severity: high
    │  ├─ Vulnerable Versions: <3.0.3
    │  │
    │  ├─ Tree Versions
    │  │  └─ 3.0.2
    │  │
    │  └─ Dependents
    │     └─ chokidar@npm:3.6.0
    │
    ├─ glob
    │  ├─ ID: glob (deprecation)
    │  ├─ Issue: Glob versions prior to v9 are no longer supported
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: 8.1.0
    │  │
    │  ├─ Tree Versions
    │  │  └─ 8.1.0
    │  │
    │  └─ Dependents
    │     └─ mocha@npm:10.3.0
    │
    ├─ inflight
    │  ├─ ID: inflight (deprecation)
    │  ├─ Issue: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: 1.0.6
    │  │
    │  ├─ Tree Versions
    │  │  └─ 1.0.6
    │  │
    │  └─ Dependents
    │     └─ glob@npm:7.2.3
    │
    ├─ rimraf
    │  ├─ ID: rimraf (deprecation)
    │  ├─ Issue: Rimraf versions prior to v4 are no longer supported
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: 3.0.2
    │  │
    │  ├─ Tree Versions
    │  │  └─ 3.0.2
    │  │
    │  └─ Dependents
    │     └─ flat-cache@npm:3.2.0
    │
    └─ tar
       ├─ ID: 1097493
       ├─ Issue: Denial of service while parsing a tar file due to lack of folders count validation
       ├─ URL: https://github.com/advisories/GHSA-f5x3-32g6-xq36
       ├─ Severity: moderate
       ├─ Vulnerable Versions: <6.2.1
       │
       ├─ Tree Versions
       │  └─ 6.2.0
       │
       └─ Dependents
          └─ node-gyp@npm:10.0.1


    If we snip the deprecations that leaves us with:

    $ yarn npm audit -R
    ├─ braces
    │  ├─ ID: 1098094
    │  ├─ Issue: Uncontrolled resource consumption in braces
    │  ├─ URL: https://github.com/advisories/GHSA-grv7-fg5c-xmjg
    │  ├─ Severity: high
    │  ├─ Vulnerable Versions: <3.0.3
    │  │
    │  ├─ Tree Versions
    │  │  └─ 3.0.2
    │  │
    │  └─ Dependents
    │     └─ chokidar@npm:3.6.0
    │
    │
    ├─ rimraf
    │  ├─ ID: rimraf (deprecation)
    │  ├─ Issue: Rimraf versions prior to v4 are no longer supported
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: 3.0.2
    │  │
    │  ├─ Tree Versions
    │  │  └─ 3.0.2
    │  │
    │  └─ Dependents
    │     └─ flat-cache@npm:3.2.0
    │
    └─ tar
       ├─ ID: 1097493
       ├─ Issue: Denial of service while parsing a tar file due to lack of folders count validation
       ├─ URL: https://github.com/advisories/GHSA-f5x3-32g6-xq36
       ├─ Severity: moderate
       ├─ Vulnerable Versions: <6.2.1
       │
       ├─ Tree Versions
       │  └─ 6.2.0
       │
       └─ Dependents
          └─ node-gyp@npm:10.0.1

  • 🇳🇱Netherlands spokje
  • Pipeline finished with Success
    3 months ago
    Total: 1034s
    #252343
  • Issue was unassigned.
  • Status changed to Needs review 3 months ago
  • 🇳🇱Netherlands spokje

    So the 11.x branch didn't break tests.

    Let the backport-games begin!

  • 🇳🇱Netherlands spokje
  • Status changed to Needs work 3 months ago
  • 🇺🇸United States smustgrave

    If I understand the thread, a piece of the change should be reverted.

  • Status changed to Needs review 3 months ago
  • 🇳🇱Netherlands spokje

    Thanks @smustgrave, wasn't pinged on the comment on the MR.

    Replied inline, back to NR to await the answer of @longwave.

  • Merge request !9243 Flagged js dependencies 11.x (Closed) created by spokje
  • Pipeline finished with Success
    3 months ago
    Total: 849s
    #257441
  • 🇳🇱Netherlands spokje

    Opened a new branch using the yarn up -R <name> method, not using resolutions.

  • Status changed to RTBC 3 months ago
  • 🇺🇸United States smustgrave

    Reviewed the MR with just the lock file and it seems straightforward. Didn't cause any issues locally when updating.

    • nod_ committed 46ee7302 on 11.x
      Issue #3467599 by Spokje, hossein.daliran, longwave, smustgrave: Update...
  • Status changed to Downport 3 months ago
  • 🇫🇷France nod_ Lille

    11.x in, next branch is 11.0.x :)

    Committed 46ee730 and pushed to 11.x. Thanks!

  • 🇳🇱Netherlands spokje

    11.0.x:

    $ yarn npm audit -R
    ├─ @humanwhocodes/config-array
    │  ├─ ID: @humanwhocodes/config-array (deprecation)
    │  ├─ Issue: Use @eslint/config-array instead
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: 0.11.14
    │  │
    │  ├─ Tree Versions
    │  │  └─ 0.11.14
    │  │
    │  └─ Dependents
    │     └─ eslint@npm:8.57.0
    │
    ├─ @humanwhocodes/object-schema
    │  ├─ ID: @humanwhocodes/object-schema (deprecation)
    │  ├─ Issue: Use @eslint/object-schema instead
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: 2.0.3
    │  │
    │  ├─ Tree Versions
    │  │  └─ 2.0.3
    │  │
    │  └─ Dependents
    │     └─ @humanwhocodes/config-array@npm:0.11.14
    │
    ├─ braces
    │  ├─ ID: 1098094
    │  ├─ Issue: Uncontrolled resource consumption in braces
    │  ├─ URL: https://github.com/advisories/GHSA-grv7-fg5c-xmjg
    │  ├─ Severity: high
    │  ├─ Vulnerable Versions: <3.0.3
    │  │
    │  ├─ Tree Versions
    │  │  └─ 3.0.2
    │  │
    │  └─ Dependents
    │     └─ chokidar@npm:3.6.0
    │
    ├─ ejs
    │  ├─ ID: 1098366
    │  ├─ Issue: ejs lacks certain pollution protection
    │  ├─ URL: https://github.com/advisories/GHSA-ghr5-ch3p-vcr6
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: <3.1.10
    │  │
    │  ├─ Tree Versions
    │  │  └─ 3.1.8
    │  │
    │  └─ Dependents
    │     └─ nightwatch@npm:2.4.2 [87c89]
    │
    ├─ glob
    │  ├─ ID: glob (deprecation)
    │  ├─ Issue: Glob versions prior to v9 are no longer supported
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: 7.2.0
    │  │
    │  ├─ Tree Versions
    │  │  └─ 7.2.0
    │  │
    │  └─ Dependents
    │     └─ mocha@npm:9.2.2
    │
    ├─ inflight
    │  ├─ ID: inflight (deprecation)
    │  ├─ Issue: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: 1.0.6
    │  │
    │  ├─ Tree Versions
    │  │  └─ 1.0.6
    │  │
    │  └─ Dependents
    │     └─ glob@npm:7.2.3
    │
    ├─ loupe
    │  ├─ ID: loupe (deprecation)
    │  ├─ Issue: Please upgrade to 2.3.7 which fixes GHSA-4q6p-r6v2-jvc5
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: 2.3.4
    │  │
    │  ├─ Tree Versions
    │  │  └─ 2.3.4
    │  │
    │  └─ Dependents
    │     └─ @nightwatch/chai@npm:5.0.2
    │
    ├─ micromatch
    │  ├─ ID: 1098615
    │  ├─ Issue: Regular Expression Denial of Service (ReDoS) in micromatch
    │  ├─ URL: https://github.com/advisories/GHSA-952p-6rrq-rcjv
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: <=4.0.7
    │  │
    │  ├─ Tree Versions
    │  │  ├─ 4.0.5
    │  │  └─ 4.0.7
    │  │
    │  └─ Dependents
    │     ├─ cspell-glob@npm:8.13.0
    │     └─ stylelint@npm:15.11.0
    │
    ├─ rimraf
    │  ├─ ID: rimraf (deprecation)
    │  ├─ Issue: Rimraf versions prior to v4 are no longer supported
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: 3.0.2
    │  │
    │  ├─ Tree Versions
    │  │  └─ 3.0.2
    │  │
    │  └─ Dependents
    │     └─ flat-cache@npm:3.2.0
    │
    ├─ tar
    │  ├─ ID: 1097493
    │  ├─ Issue: Denial of service while parsing a tar file due to lack of folders count validation
    │  ├─ URL: https://github.com/advisories/GHSA-f5x3-32g6-xq36
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: <6.2.1
    │  │
    │  ├─ Tree Versions
    │  │  └─ 6.2.0
    │  │
    │  └─ Dependents
    │     └─ node-gyp@npm:10.0.1
    │
    └─ ws
       ├─ ID: 1098392
       ├─ Issue: ws affected by a DoS when handling a request with many HTTP headers
       ├─ URL: https://github.com/advisories/GHSA-3h5v-q93c-6h6q
       ├─ Severity: high
       ├─ Vulnerable Versions: >=8.0.0 <8.17.1
       │
       ├─ Tree Versions
       │  └─ 8.15.1
       │
       └─ Dependents
          └─ selenium-webdriver@npm:4.3.1


    That means we want to update:

    $ yarn npm audit -R
    ├─ braces
    │  ├─ ID: 1098094
    │  ├─ Issue: Uncontrolled resource consumption in braces
    │  ├─ URL: https://github.com/advisories/GHSA-grv7-fg5c-xmjg
    │  ├─ Severity: high
    │  ├─ Vulnerable Versions: <3.0.3
    │  │
    │  ├─ Tree Versions
    │  │  └─ 3.0.2
    │  │
    │  └─ Dependents
    │     └─ chokidar@npm:3.6.0
    │
    ├─ ejs
    │  ├─ ID: 1098366
    │  ├─ Issue: ejs lacks certain pollution protection
    │  ├─ URL: https://github.com/advisories/GHSA-ghr5-ch3p-vcr6
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: <3.1.10
    │  │
    │  ├─ Tree Versions
    │  │  └─ 3.1.8
    │  │
    │  └─ Dependents
    │     └─ nightwatch@npm:2.4.2 [87c89]
    │
    ├─ micromatch
    │  ├─ ID: 1098615
    │  ├─ Issue: Regular Expression Denial of Service (ReDoS) in micromatch
    │  ├─ URL: https://github.com/advisories/GHSA-952p-6rrq-rcjv
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: <=4.0.7
    │  │
    │  ├─ Tree Versions
    │  │  ├─ 4.0.5
    │  │  └─ 4.0.7
    │  │
    │  └─ Dependents
    │     ├─ cspell-glob@npm:8.13.0
    │     └─ stylelint@npm:15.11.0
    │
    ├─ tar
    │  ├─ ID: 1097493
    │  ├─ Issue: Denial of service while parsing a tar file due to lack of folders count validation
    │  ├─ URL: https://github.com/advisories/GHSA-f5x3-32g6-xq36
    │  ├─ Severity: moderate
    │  ├─ Vulnerable Versions: <6.2.1
    │  │
    │  ├─ Tree Versions
    │  │  └─ 6.2.0
    │  │
    │  └─ Dependents
    │     └─ node-gyp@npm:10.0.1
    │
    └─ ws
       ├─ ID: 1098392
       ├─ Issue: ws affected by a DoS when handling a request with many HTTP headers
       ├─ URL: https://github.com/advisories/GHSA-3h5v-q93c-6h6q
       ├─ Severity: high
       ├─ Vulnerable Versions: >=8.0.0 <8.17.1
       │
       ├─ Tree Versions
       │  └─ 8.15.1
       │
       └─ Dependents
          └─ selenium-webdriver@npm:4.3.1

  • Merge request !9305 Resolve #3467599 "11.0.x" (Closed) created by spokje
  • Assigned to spokje
  • 🇳🇱Netherlands spokje
  • Pipeline finished with Success
    3 months ago
    Total: 2145s
    #261771
  • Pipeline finished with Success
    3 months ago
    Total: 496s
    #261801
  • Status changed to Needs review 3 months ago
  • 🇳🇱Netherlands spokje

    Things got more involved with this one: after a $ yarn up -R braces ejs micromatch tar ws, it turned out braces, ejs and micromatch were not updated.

    Next up, I tried removing the entry for each of them in yarn.lock and doing a yarn install.
    That worked for micromatch, however that has a CVE stating we need to go 3.0.8 or higher (See https://github.com/advisories/GHSA-952p-6rrq-rcjv). However the latest release is 3.0.7 (See https://www.npmjs.com/package/micromatch).
    So this one still gets flagged by yarn audit -R, but as far as I can tell there's a mistake made in the CVE.

    Finally, braces and ejs could only be bumped by using resolutions. I know this is not optimal, but at least this will only happen in version branches and not in main/11.x.

    Also they all have resolutions already, due to having an ancient nightwatch version.

  • Issue was unassigned.
  • 🇳🇱Netherlands spokje
  • Status changed to RTBC 3 months ago
  • 🇺🇸United States smustgrave

    The reasoning in #25 I believe makes sense (js is not my strong area). But 11.0.x tests didn't break and updates for 11.x seem accepted.

    • nod_ committed cf5738bc on 11.0.x
      Issue #3467599 by Spokje, hossein.daliran, smustgrave, longwave, nod_:...
  • Status changed to Fixed 3 months ago
  • 🇫🇷France nod_ Lille

    Branches below have a different yarn version/lock file format, so let's do that in a different issue if necessary and leave this one here.

    Committed cf5738b and pushed to 11.0.x. Thanks!

  • Automatically closed - issue fixed for 2 weeks with no activity.
