
HAP-NodeJS 0.10.3 npm package vulnerabilities #930

Closed
n0rt0nthec4t opened this issue Feb 1, 2022 · 9 comments

Comments

@n0rt0nthec4t

Analysis

After installing released 0.10.0, npm audit reports the following issues with package dependencies:

```
npm audit fix

up to date, audited 95 packages in 2s

36 packages are looking for funding
  run npm fund for details

npm audit report

minimist <0.2.1
Severity: moderate
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
fix available via npm audit fix
node_modules/optimist/node_modules/minimist
  optimist >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist

put *
Sensitive Data Exposure in put - GHSA-v6gv-fg46-h89j
fix available via npm audit fix --force
Will install hap-nodejs@0.9.8, which is a breaking change
node_modules/put
  @homebridge/dbus-native *
  Depends on vulnerable versions of put
  node_modules/@homebridge/dbus-native
    hap-nodejs 0.10.0-beta.0 - 0.10.1-beta.0
    Depends on vulnerable versions of @homebridge/dbus-native
    node_modules/hap-nodejs

5 vulnerabilities (3 low, 2 moderate)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```

Expected Behavior

Dependent packages need to be updated to use non-vulnerable versions.

Steps To Reproduce

.

Logs

.

Configuration

.

Environment

  • OS:
  • Software:
  • Node:
  • npm:

Process Supervisor

not applicable

Additional Context

.

@mikanmi

This comment was marked as abuse.

@github-actions

github-actions bot commented Mar 9, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Mar 9, 2022
@n0rt0nthec4t
Author

It's not stale.

@github-actions github-actions bot removed the stale label Mar 10, 2022
@n0rt0nthec4t
Author

@Supereg is anything being done to address this?!?!

@github-actions

github-actions bot commented May 1, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@n0rt0nthec4t
Author

Any movement on this issue?? Seems stalled project atm?

@n0rt0nthec4t
Author

n0rt0nthec4t commented Sep 17, 2022

Still issues with 0.10.3.

```
npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Prototype Pollution in minimist                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.2.6                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ hap-nodejs                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ hap-nodejs > @homebridge/dbus-native > optimist > minimist   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-xvch-5gv4-984h            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution in minimist                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ hap-nodejs                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ hap-nodejs > @homebridge/dbus-native > optimist > minimist   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-vh95-rmgr-6w4m            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Sensitive Data Exposure in put                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ put                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ hap-nodejs                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ hap-nodejs > @homebridge/dbus-native > put                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-v6gv-fg46-h89j            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 vulnerabilities (1 low, 2 moderate, 1 critical) in 98 scanned packages
  run `npm audit fix` to fix 1 of them.
  3 vulnerabilities require manual review. See the full report for details.
```

@n0rt0nthec4t n0rt0nthec4t changed the title HAP-NodeJS 0.10.0 npm package vulnerabilities HAP-NodeJS 0.10.3 npm package vulnerabilities Sep 17, 2022
@Supereg
Member

Supereg commented Sep 19, 2022

The reported vulnerabilities didn't actually affect any users.

  • Vulnerabilities in optimist and minimist were in code files never actually executed by hap-nodejs (used for the command-line interface of dbus-native)
  • put is only affected when running nodejs versions older than v6, which is not supported by HAP-NodeJS.

Since both packages are abandoned by their maintainers, I still addressed those issues by updating the dbus-native package (that introduced those dependencies). This way we get rid of the vulnerability warnings.

These fixes will be part of the upcoming v0.10.4 release.

@n0rt0nthec4t
Author

Thanks for addressing the issue in an upcoming release.
