6 high severity vulnerabilities when running npm install netlify-cms-app #6513

Open · amyhenke opened this issue Jul 12, 2022 · 10 comments
@amyhenke

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
No fix available
node_modules/trim
  mdast-util-to-hast  <=6.0.2
  Depends on vulnerable versions of trim
  node_modules/netlify-cms-widget-markdown/node_modules/mdast-util-to-hast
    remark-rehype  <=5.0.0
    Depends on vulnerable versions of mdast-util-to-hast
    node_modules/netlify-cms-widget-markdown/node_modules/remark-rehype
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/netlify-cms-widget-markdown/node_modules/remark-parse
    netlify-cms-widget-markdown  *
    Depends on vulnerable versions of remark-parse
    node_modules/netlify-cms-widget-markdown
      netlify-cms-app  *
      Depends on vulnerable versions of netlify-cms-widget-markdown
      node_modules/netlify-cms-app

Are there any plans to upgrade these packages? Also reported here: https://snyk.io/test/npm/netlify-cms

@changethe

this also makes installing the netlify-cms-media-library-uploadcare package fail.

@tomhermans

Yup, came here to report the same. Netlify CMS is unusable atm.

@amanifarooque

Following this issue as well. This vulnerability was reported via Dependabot 10 months ago - are there plans to resolve?

@tomasz13nocon

I know there's work being done to refactor and revive the project, but since this is a security vuln, I hope for this to be a top priority.

@jcweaver

Following this issue as well. Still experiencing this reported issue as of 6/12/2023

@kl-ma

kl-ma commented Dec 5, 2023

There is also a vulnerability reported for validate-package when installing the latest version of decap-cms:

✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-VALIDATECOLOR-2935878] in validate-color@2.2.4
    introduced by decap-cms-app@3.0.12 > decap-cms-widget-colorstring@3.0.2 > validate-color@2.2.4
  No upgrade or patch available

@afredericksansait

Same issue as well in 2024

@andreasnilssondev
andreasnilssondev commented Apr 11, 2024

Since this has been open for a while I might have a look to see if it's easy to add a PR for this

UPDATE: Unfortunately it's not so easy. I think it's a bit too much for a first-time contributor (like me). But I'll gather everything including release info links below to hopefully make it easier for the next person who wants to tackle this.

The concerned package is decap-cms-widget-markdown

Step 1: remark-rehype

remark-rehype is currently v4 and needs a major bump to v6.

  1. remark-rehype v5 release info (it only updates mdast-util-to-hast from v4 to v6)
    1. mdast-util-to-hast v5 release info and mdast-util-to-hast v6 release info. Some minor changes that are difficult to identify if they will affect decap-cms or not.
  2. remark-rehype v6 release info (the only potentially breaking change is upgrading mdast-util-to-hast from v6 to v8)
    1. mdast-util-to-hast v7 release info (trim dependency is removed here)
      1. updates unist-util-visit and unist-builder from v1 to v2: unist-util-visit v2 release info and unist-builder v2 release info both update their typings only.
    2. mdast-util-to-hast v8 release info (updates mdast-util-definitions from v1 to v2, potentially breaking with typescript)
      1. mdast-util-definitions v2 release info (updates unist-util-visit from v1 to v2)
        1. unist-util-visit v2 release info (updates types only, potentially breaking types)
  • Command run: npm install remark-rehype@6 -w decap-cms-widget-markdown
  • Test results: Pass ✅

Step 2: remark-parse

remark-parse is currently v6 and needs a bump to v9

  1. remark-parse v7 release info ("the fixes are technically breaking but you’re likely fine.")
  2. remark-parse v8 release info (some breaking changes for links and footnotes; hard to tell if it affects decap-cms or not)
  3. remark-parse v9 release info (Very large update of remark (v13) to use micromark)
    1. remark v13 release info: there's a lot to go through here, but I'm stuck already at the first point:
      1. It says to "Update all the remark* packages you are using in package.json" (unsure exactly which ones and to what version)
  • Command run: npm install remark-parse@9 -w decap-cms-widget-markdown
  • Test results: Fail ❌ (46 failing tests)

@dasShounak

This issue still persists in decap-cms-app as of today. All versions of the package trim prior to 0.0.3 are affected by CVE-2020-7753 (ReDoS). I know trim can't be updated because of conflicting dependencies:

decap-cms-app@3.4.0 requires trim@0.0.1 via a transitive dependency on mdast-util-to-hast@4.0.0
decap-cms-app@3.4.0 requires trim@0.0.1 via a transitive dependency on remark-parse@6.0.3
No patched version available for trim

I will try to fix this or find a workaround for the time being.
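Added example, not code from the netlify-cms/decap-cms repository or from the trim package: it shows the regex shape behind the advisory linked in this thread (a `\s*$` alternative that is retried at every position of a long whitespace run, so matching is quadratic in the run length) next to a trim that walks the string once, and times both on a constructed input. The vulnerable pattern is my reconstruction of trim before 0.0.3 and is an assumption; the linear version, the timing helper and the inputs are mine.

```javascript
// Added example (not code from netlify-cms/decap-cms or from the trim package).
// Illustrates the class of bug behind GHSA-w5p7-h5w8-2hfq / CVE-2020-7753:
// a trailing-whitespace regex that backtracks quadratically, next to a
// linear-time trim that returns the same result. The vulnerable pattern is
// my reconstruction of trim <0.0.3 (assumption), not copied from the package.

// Quadratic form. With the /g flag the engine retries the pattern at every
// index. At each index inside a run of spaces that is NOT followed by
// end-of-string, `\s*` greedily eats the rest of the run, `$` fails, and the
// engine backtracks one space at a time before giving up: O(run length) per
// index, O(run length^2) in total.
function trimQuadratic(str) {
  return str.replace(/^\s*|\s*$/g, '');
}

// Linear form: no regex over the whole string, just two single-character
// scans from the ends. `\s` on one character matches the same set as
// String.prototype.trim() strips (WhiteSpace + LineTerminator, incl. \uFEFF
// and \xA0), so the result equals str.trim() for every input.
const WS = /\s/;
function trimLinear(str) {
  let start = 0;
  let end = str.length;
  while (start < end && WS.test(str[start])) start++;
  while (end > start && WS.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// Constructed adversarial input: a non-space, a long run of spaces, then a
// non-space. The leading 'a' stops `^\s*` from consuming the run in one go,
// so every index in the run hits the `\s*$` backtracking path.
function adversarialInput(n) {
  return 'a' + ' '.repeat(n) + 'b';
}

// Time one trim function on adversarialInput(n); returns milliseconds.
function timeTrim(fn, n) {
  const input = adversarialInput(n);
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Doubling n should roughly quadruple the quadratic column and leave the
// linear column flat. Sizes kept small so the demo finishes quickly.
for (const n of [2000, 4000, 8000]) {
  console.log(
    `n=${n}`,
    `regex: ${timeTrim(trimQuadratic, n).toFixed(2)} ms`,
    `linear: ${timeTrim(trimLinear, n).toFixed(2)} ms`
  );
}
```

Run it with `node`; raise n to tens of thousands to see the regex version take seconds while the linear one stays in the sub-millisecond range. The practical question for this tree is reachability: trim sits under remark-parse in the markdown widget, so the ReDoS only matters where attacker-controlled markdown reaches the parser, which is worth establishing before deciding whether to wait for the upgrade path sketched above or to pin the transitive dependency with npm's `overrides` field (npm 8.3+) and rerun the widget's tests to confirm nothing breaks.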

Projects: Status: Selected for Development
Development: No branches or pull requests