Skip to content

updating the version of yargs#115

Open
shenoyguru wants to merge 1 commit intoxzyfer:masterfrom
shenoyguru:upgrading-yargs-version
Open

updating the version of yargs#115
shenoyguru wants to merge 1 commit intoxzyfer:masterfrom
shenoyguru:upgrading-yargs-version

Conversation

@shenoyguru
Copy link
Copy Markdown

@shenoyguru shenoyguru commented May 20, 2021

the current version of yargs used a version of y18n that has Prototype Pollution
issues
https://www.npmjs.com/advisories/1654
As mentioned in the abive document this has been resolved in 5.0.5 or later versions of y18n.

yargs version 17.0.1 uses the v5.0.5 of y18n which should resolve this issue

@shenoyguru
updating the version of yargs
bd121c6 
the current version of yargs used a version of y18n that has Prototype Pollution
 issues
https://www.npmjs.com/advisories/1654
As mentioned in the abive doco this has been resolved in 5.0.5 or later versions of y18n.
yargs version 17.0.1 uses the v5.0.5 of y18n which should resolve this issue
@shenoyguru
Copy link
Copy Markdown
Author

shenoyguru commented Aug 2, 2021
edited
Loading

@xzyfer could you please review this ? our project has a dependency on this and we have to whitelist this package as a result of security audit failure

@kiskoza
Copy link
Copy Markdown
Contributor

kiskoza commented Oct 7, 2021
edited
Loading

Hi. Recently I got some audit warnings coming from this package's dependencies.

How to reproduce

Create an empty folder and run the following:

yarn init --yes
yarn add sass-graph
yarn audit
Yarn output 
yarn init v1.22.4
warning The yes flag has been set. This will automatically answer yes to all questions, which may have security implications.
success Saved package.json
Done in 0.03s.
yarn add v1.22.4
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...

success Saved lockfile.
success Saved 39 new dependencies.
info Direct dependencies
└─ sass-graph@3.0.5
info All dependencies
├─ ansi-regex@4.1.0
├─ ansi-styles@3.2.1
├─ balanced-match@1.0.2
├─ brace-expansion@1.1.11
├─ camelcase@5.3.1
├─ cliui@5.0.0
├─ color-convert@1.9.3
├─ color-name@1.1.3
├─ concat-map@0.0.1
├─ decamelize@1.2.0
├─ emoji-regex@7.0.3
├─ find-up@3.0.0
├─ fs.realpath@1.0.0
├─ get-caller-file@2.0.5
├─ glob@7.2.0
├─ inflight@1.0.6
├─ inherits@2.0.4
├─ is-fullwidth-code-point@2.0.0
├─ js-base64@2.6.4
├─ locate-path@3.0.0
├─ lodash@4.17.21
├─ minimatch@3.0.4
├─ p-limit@2.3.0
├─ p-locate@3.0.0
├─ p-try@2.2.0
├─ path-exists@3.0.0
├─ path-is-absolute@1.0.1
├─ require-directory@2.1.1
├─ require-main-filename@2.0.0
├─ sass-graph@3.0.5
├─ scss-tokenizer@0.3.0
├─ set-blocking@2.0.0
├─ source-map@0.7.3
├─ strip-ansi@5.2.0
├─ which-module@2.0.0
├─ wrap-ansi@5.1.0
├─ y18n@4.0.3
├─ yargs-parser@13.1.2
└─ yargs@13.3.2
Done in 3.06s.
yarn audit v1.22.4
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-graph                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-graph > yargs > cliui > string-width > strip-ansi >     │
│               │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1002401                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-graph                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-graph > yargs > cliui > wrap-ansi > string-width >      │
│               │ strip-ansi > ansi-regex                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1002401                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-graph                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-graph > yargs > string-width > strip-ansi > ansi-regex  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1002401                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-graph                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-graph > yargs > cliui > strip-ansi > ansi-regex         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1002401                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-graph                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-graph > yargs > cliui > wrap-ansi > strip-ansi >        │
│               │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1002401                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
5 vulnerabilities found - Packages audited: 42
Severity: 5 Moderate
Done in 0.63s.

or

npm init --yes
npm install sass-graph --save
npm audit
NPM output 
Wrote to package.json:

{
  "name": "sass-graph-vulnerability",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}


npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN sass-graph-vulnerability@1.0.0 No description
npm WARNsass-graph-vulnerability@1.0.0 No repository field.

+ sass-graph@3.0.5
added 42 packages from 51 contributors and audited 42 packages in 5.325s

2 packages are looking for funding
  run `npm fund` for details

found 5 moderate severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-graph                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-graph > yargs > cliui > string-width > strip-ansi >     │
│               │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-graph                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-graph > yargs > cliui > wrap-ansi > string-width >      │
│               │ strip-ansi > ansi-regex                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-graph                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-graph > yargs > string-width > strip-ansi > ansi-regex  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-graph                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-graph > yargs > cliui > strip-ansi > ansi-regex         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sass-graph                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sass-graph > yargs > cliui > wrap-ansi > strip-ansi >        │
│               │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 5 moderate severity vulnerabilities in 42 scanned packages
  5 vulnerabilities require manual review. See the full report for details.

The fix that needs to be applied

  • Update yargs dependency to ^17.0.0 (preferably ^17.2.1)
  • Go through the changelog of yargs looking for breaking changes
  • Update minimum node version to 12 (yargs requires >=12 so this package should too)
  • Remove old versions from .travis.yml file and add newer node versions (15 & 16)

(See diff on my branch)

Testing the changes

I ran the tests on these node versions and both npm test and ./bin/sassgraph descendents test/fixtures test/fixtures/simple/index.scss looked good

  • 12.22.6
  • 13.14.0
  • 14.18.0
  • 15.14.0
  • 16.10.0

@shenoyguru Could you update the minimum node version and travis config too? I could open a new PR if you don't want to deal with it.

@xzyfer Do you need any help to merge in and release a new verion?

Edit: Btw, there's more issues / pull requests trying to solve similar issues: #114 & #112, all using or suggesting older yargs version

@kiskoza kiskoza mentioned this pull request Oct 7, 2021
Closed
@xzyfer
Copy link
Copy Markdown
Owner

xzyfer commented Oct 8, 2021

Thanks for this.

Do you need any help to merge in and release a new verion?
@kiskoza the more complete the PR is i.e. the things you've mentioned above, the easier it'll be for me to find the time to get this released since this package is essentially in maintenance mode.

@kiskoza kiskoza mentioned this pull request Oct 11, 2021
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@shenoyguru @kiskoza @xzyfer