```
# npm audit report
braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/braces
express <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix`
node_modules/express
@verdaccio/middleware <=7.0.0-next-7.15
Depends on vulnerable versions of @verdaccio/config
Depends on vulnerable versions of @verdaccio/core
Depends on vulnerable versions of @verdaccio/url
Depends on vulnerable versions of @verdaccio/utils
Depends on vulnerable versions of express
node_modules/@verdaccio/middleware
verdaccio <=5.31.0 || 6.0.0-6-next.21 - 7.0.0-next-7.15
Depends on vulnerable versions of @verdaccio/config
Depends on vulnerable versions of @verdaccio/core
Depends on vulnerable versions of @verdaccio/logger-7
Depends on vulnerable versions of @verdaccio/middleware
Depends on vulnerable versions of @verdaccio/tarball
Depends on vulnerable versions of @verdaccio/url
Depends on vulnerable versions of @verdaccio/utils
Depends on vulnerable versions of express
Depends on vulnerable versions of request
Depends on vulnerable versions of semver
Depends on vulnerable versions of verdaccio-audit
node_modules/verdaccio
verdaccio-audit 0.0.2 - 12.0.0-next-7.15
Depends on vulnerable versions of @verdaccio/config
Depends on vulnerable versions of @verdaccio/core
Depends on vulnerable versions of express
node_modules/verdaccio-audit
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install @jupyterlab/buildutils@4.2.3, which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
@jupyterlab/buildutils 0.9.0 - 4.0.0-rc.1
Depends on vulnerable versions of package-json
node_modules/@jupyterlab/buildutils
postcss <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix`
node_modules/postcss
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix`
node_modules/request
semver <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/duplicate-package-checker-webpack-plugin/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/package-json/node_modules/semver
node_modules/semver
@verdaccio/core <=6.0.0-6-next.72
Depends on vulnerable versions of semver
node_modules/@verdaccio/core
node_modules/verdaccio-audit/node_modules/@verdaccio/core
@verdaccio/config <=6.0.0-6-next.72
Depends on vulnerable versions of @verdaccio/core
Depends on vulnerable versions of @verdaccio/utils
Depends on vulnerable versions of yaml
node_modules/@verdaccio/config
node_modules/verdaccio-audit/node_modules/@verdaccio/config
@verdaccio/logger-commons <=6.0.0-6-next.40
Depends on vulnerable versions of @verdaccio/core
node_modules/@verdaccio/logger-commons
@verdaccio/logger-7 <=6.0.0-6-next.17
Depends on vulnerable versions of @verdaccio/logger-commons
node_modules/@verdaccio/logger-7
@verdaccio/tarball <=11.0.0-6-next.41
Depends on vulnerable versions of @verdaccio/core
Depends on vulnerable versions of @verdaccio/url
Depends on vulnerable versions of @verdaccio/utils
node_modules/@verdaccio/tarball
@verdaccio/url <=11.0.0-6-next.38
Depends on vulnerable versions of @verdaccio/core
node_modules/@verdaccio/url
@verdaccio/utils <=6.0.0-6-next.40
Depends on vulnerable versions of @verdaccio/core
Depends on vulnerable versions of semver
node_modules/@verdaccio/utils
node_modules/verdaccio-audit/node_modules/@verdaccio/utils
tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar
three <0.125.0
Severity: high
Denial of service in three - https://github.com/advisories/GHSA-fq6p-x6j3-cmmq
fix available via `npm audit fix --force`
Will install three@0.166.1, which is a breaking change
node_modules/three
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix`
node_modules/tough-cookie
webpack 5.0.0 - 5.75.0
Severity: critical
Cross-realm object access in Webpack 5 - https://github.com/advisories/GHSA-hc6q-2mpp-qw7j
fix available via `npm audit fix`
node_modules/webpack
word-wrap <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
ws 7.0.0 - 7.5.9
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/ws
yaml 2.0.0-5 - 2.2.1
Severity: high
Uncaught Exception in yaml - https://github.com/advisories/GHSA-f9xv-q969-pqx4
fix available via `npm audit fix`
node_modules/yaml
25 vulnerabilities (18 moderate, 6 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
```
Running `npm audit fix` and thus updating three and jupyterlab to a recent version does not let me build the wheel:
```
[ 14s] Building wheels for collected packages: pythreejs
[ 14s] Building wheel for pythreejs (pyproject.toml): started
[ 14s] Running command Building wheel for pythreejs (pyproject.toml)
[ 14s] running bdist_wheel
[ 14s] running js
[ 14s] node_modules are up to date, skipping npm install!
...
[ 15s] > jupyter-threejs@2.4.1 build:bundles-prod
[ 15s] > webpack --mode production && node ./scripts/post-build.js
...
[ 23s] node:internal/process/promises:391
[ 23s] triggerUncaughtException(err, true /* fromPromise */);
[ 23s] ^
[ 23s]
[ 23s] [Error: ENOENT: no such file or directory, lstat '/home/abuild/rpmbuild/BUILD/pythreejs-2.4.2/js/node_modules/three/build/three.min.js'] {
[ 23s] errno: -2,
[ 23s] code: 'ENOENT',
[ 23s] syscall: 'lstat',
[ 23s] path: '/home/abuild/rpmbuild/BUILD/pythreejs-2.4.2/js/node_modules/three/build/three.min.js'
[ 23s] }
[ 23s]
[ 23s] Node.js v22.3.0
[ 23s] npm error code 1
[ 23s] npm error path /home/abuild/rpmbuild/BUILD/pythreejs-2.4.2/js
[ 23s] npm error command failed
[ 23s] npm error command sh -c npm run build:bundles-prod
```