CodeceptJS v3.3.7 uses a vulnerable version of flat and minimatch #3569

Closed
@iwt-ttaskov

Description

What are you trying to achieve?

Run 'npm audit --recursive'.

What do you get instead?

Vulnerable version of flat and minimatch.

Provide console output if related. Use --verbose mode for more details.

# npm audit report

flat  <5.0.1
Severity: critical
flat vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-2j2x-2gpw-g8fm
fix available via `npm audit fix --force`
Will install codeceptjs@2.2.1, which is a breaking change
node_modules/flat
  yargs-unparser  <=1.6.3
  Depends on vulnerable versions of flat
  node_modules/yargs-unparser
    mocha  5.1.0 - 9.2.1
    Depends on vulnerable versions of minimatch
    Depends on vulnerable versions of yargs-unparser
    node_modules/mocha
      codeceptjs  >=2.3.0
      Depends on vulnerable versions of mocha
      node_modules/codeceptjs

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install codeceptjs@2.2.1, which is a breaking change
node_modules/mocha/node_modules/minimatch

5 vulnerabilities (2 high, 3 critical)


┬ codeceptjs@3.3.7
  └─┬ mocha@8.1.3
    └─┬ yargs-unparser@1.6.1
      └── flat@4.1.1


┬ codeceptjs@3.3.7
  ├─┬ glob@6.0.4
  │ └── minimatch@3.1.2
  ├─┬ js-beautify@1.14.7
  │ └─┬ glob@8.0.3
  │   └── minimatch@5.1.2
  └─┬ mocha@8.1.3
    ├─┬ glob@7.1.6
    │ └── minimatch@3.0.4 deduped
    └── minimatch@3.0.4

Provide test source code if related

package.json dependencies:

  "dependencies": {
    "codeceptjs": "^3.3.7",
    "playwright": "^1.29.2"
  },
  "devDependencies": {
    "@types/node": "^18.11.18",
    "ts-node": "^10.9.1",
    "typescript": "^4.9.4"
  }

Details

  • CodeceptJS version: 3.3.7
  • NodeJS Version: 18.13.0
  • Operating System: MacOS Ventura
  • puppeteer || webdriverio || testcafe version (if related)
  • Configuration file:
import { setHeadlessWhen, setCommonPlugins } from '@codeceptjs/configure';
// turn on headless mode when running with HEADLESS=true environment variable
// export HEADLESS=true && npx codeceptjs run
setHeadlessWhen(process.env.HEADLESS);

// enable all common plugins https://github.com/codeceptjs/configure#setcommonplugins
setCommonPlugins();

export const config: CodeceptJS.MainConfig = {
  tests: './tests/*_test.ts',
  output: './output',
  helpers: {
    Playwright: {
      url: 'http://todomvc.com/examples/react/',
      show: false,
      browser: 'chromium',
      waitForNavigation: "networkidle0"
    }
  },
  include: {
    I: './steps_file'
  },
  name: 'playwright-codeceptjs',
  fullPromiseBased: true
}
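The audit output above only becomes actionable once you can see the exact path from the root package to each vulnerable transitive dependency, because the proposed `npm audit fix --force` would downgrade codeceptjs to 2.2.1 rather than fix anything. The script below is an added example, not code from the issue or from the CodeceptJS project: it walks a dependency tree shaped like the `npm ls` output in the report and flags every node whose version falls inside a vulnerable range, returning the full path. The tree and the advisory ranges are constructed from the output quoted in the issue; the semver comparison is a small hand-written one (an assumption made so the script runs offline) rather than the `semver` package, and it understands only the comparator and hyphen-range forms that `npm audit` prints.

```javascript
// Added example: report vulnerable transitive dependencies with their path.
// Not part of the issue or the CodeceptJS project.

// Vulnerable ranges copied from the advisories quoted in the issue.
const ADVISORIES = {
  flat: { range: '<5.0.1', severity: 'critical', id: 'GHSA-2j2x-2gpw-g8fm' },
  minimatch: { range: '<3.0.5', severity: 'high', id: 'GHSA-f8q6-p94x-37v3' },
};

// Constructed tree mirroring the `npm ls` output in the issue (same versions).
const TREE = {
  name: 'codeceptjs', version: '3.3.7', dependencies: [
    { name: 'glob', version: '6.0.4',
      dependencies: [{ name: 'minimatch', version: '3.1.2' }] },
    { name: 'js-beautify', version: '1.14.7', dependencies: [
      { name: 'glob', version: '8.0.3',
        dependencies: [{ name: 'minimatch', version: '5.1.2' }] }] },
    { name: 'mocha', version: '8.1.3', dependencies: [
      { name: 'glob', version: '7.1.6',
        dependencies: [{ name: 'minimatch', version: '3.0.4' }] },
      { name: 'minimatch', version: '3.0.4' },
      { name: 'yargs-unparser', version: '1.6.1',
        dependencies: [{ name: 'flat', version: '4.1.1' }] }] },
  ],
};

// Minimal "major.minor.patch" parser (assumption: no pre-release tags).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Supports "<x", "<=x", ">x", ">=x", "=x"/"x", space-separated conjunctions
// and the inclusive hyphen range "a - b", which covers what `npm audit` prints.
function satisfies(version, range) {
  const hyphen = /^(\S+)\s+-\s+(\S+)$/.exec(range.trim());
  if (hyphen) {
    return compareVersions(version, hyphen[1]) >= 0 &&
      compareVersions(version, hyphen[2]) <= 0;
  }
  return range.trim().split(/\s+/).every((comp) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(comp);
    const c = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '<': return c < 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '>=': return c >= 0;
      default: return c === 0;
    }
  });
}

// Depth-first walk; every match carries the root-to-leaf path so the
// intermediate package that pins the vulnerable version is visible.
function findVulnerable(tree, advisories = ADVISORIES) {
  const findings = [];
  const walk = (node, path) => {
    const here = [...path, `${node.name}@${node.version}`];
    const adv = advisories[node.name];
    if (adv && satisfies(node.version, adv.range)) {
      findings.push({ name: node.name, version: node.version,
        severity: adv.severity, id: adv.id, path: here.join(' > ') });
    }
    for (const dep of node.dependencies || []) walk(dep, here);
  };
  walk(tree, []);
  return findings;
}

function formatReport(findings) {
  return findings.map((f) => `${f.severity.toUpperCase()} ${f.id} ${f.path}`);
}

console.log(formatReport(findVulnerable(TREE)).join('\n'));
```

Run against the constructed tree it reports three findings: both copies of minimatch@3.0.4 under mocha and flat@4.1.1 under mocha > yargs-unparser, while the minimatch 3.1.2 and 5.1.2 copies pulled in through other paths are correctly left alone. Every path goes through mocha@8.1.3, which is the package that actually has to move; a gate like this in CI makes that explicit instead of relying on `npm audit fix --force` and its breaking downgrade.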
