
[alias-server] Run npm audit fix to update dependencies
ClosedPublic

Authored by bytesofman on Jun 12 2023, 16:49.

Details

Reviewers
Fabien
Group Reviewers
Restricted Project
Commits
rABC198545d6cddb: [alias-server] Run npm audit fix to update dependencies
Summary

T3060

Run npm audit fix to update dependencies

Test Plan

npm test

Diff Detail

Repository
rABC Bitcoin ABC
Branch
alias-server-audit-fix
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 24020
Build 47650: Build Diff (alias-server-tests)
Build 47649: arc lint + arc unit

Event Timeline

Fabien added a subscriber: Fabien.
Fabien added inline comments.
apps/alias-server/package-lock.json
line 64 (On Diff #40736)

Are you able to tell me why these dependencies are needed?

This revision is now accepted and ready to land. Jun 13 2023, 06:28
apps/alias-server/package-lock.json
line 64 (On Diff #40736)

Summary

mongodb requires
credential-providers requires
client-cognito-identity requires
middleware-signing requires
signature-v4 (upgraded) requires
eventstream-codec requires
crc32

  • tslib is a dependency of crc32

...took some digging

Root cause is that a well-nested dependency of mongodb, which isn't even used directly in this app, threw a vuln.

From running npm audit

# npm audit report

fast-xml-parser  <4.2.4
Severity: high
fast-xml-parser vulnerable to Regex Injection via Doctype Entities - https://github.com/advisories/GHSA-6w63-h3fj-q4vw
fix available via `npm audit fix`
node_modules/fast-xml-parser
  @aws-sdk/client-sts  <=3.54.1 || 3.55.0 - 3.186.1 || 3.188.0 - 3.335.0 || 3.337.0 - 3.347.0
  Depends on vulnerable versions of fast-xml-parser
  node_modules/@aws-sdk/client-sts
    @aws-sdk/client-cognito-identity  3.12.0 - 3.54.1 || 3.55.0 - 3.347.0
    Depends on vulnerable versions of @aws-sdk/client-sts
    node_modules/@aws-sdk/client-cognito-identity
      @aws-sdk/credential-provider-cognito-identity  3.12.0 - 3.347.0
      Depends on vulnerable versions of @aws-sdk/client-cognito-identity
      node_modules/@aws-sdk/credential-provider-cognito-identity
    @aws-sdk/credential-providers  <=3.347.0
    Depends on vulnerable versions of @aws-sdk/client-sts
    node_modules/@aws-sdk/credential-providers
This revision was landed with ongoing or failed builds. Jun 13 2023, 16:49
This revision was automatically updated to reflect the committed changes.
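The inline thread above traces fast-xml-parser back to mongodb by hand through package-lock.json. As an added example (not code from the Bitcoin ABC repository or from either commenter), the script below does the same walk programmatically over a lockfile v2/v3 "packages" map: it follows npm's on-disk resolution (a package's own node_modules first, then each parent directory up to the root), prints every chain from the root project to a named package together with the installed version, and flags instances below a fixed version. `npm explain fast-xml-parser` gives the same chains from the CLI; the script is for reviewing a lock file without installing it. The embedded lockfile is constructed for illustration: its version numbers and the package "xml-tool" are hypothetical and not taken from this revision, and the 4.2.4 cutoff is the one the audit report above states. Version comparison is a numeric x.y.z compare that ignores prerelease tags, not full semver.

```javascript
// Added example, not part of the Bitcoin ABC repository: explain why a package is
// present in a lockfile v2/v3 by walking its "packages" map from the root entry.
// SAMPLE_LOCK below is constructed; "xml-tool" and every version number in it are
// hypothetical and not taken from the revision under review.

// First fixed release of fast-xml-parser per the npm audit report (<4.2.4 is vulnerable).
const FIXED_FAST_XML_PARSER = '4.2.4';

// Package name installed at a lockfile path, e.g. "node_modules/@aws-sdk/client-sts"
// or "node_modules/a/node_modules/b"; '' is the root project itself.
function nameAt(lock, path) {
  if (path === '') return lock.packages[''].name || '(root)';
  return path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// npm's on-disk resolution: a dependency of the package at `fromPath` is looked up
// in that package's own node_modules, then in each parent's, ending at the root.
function resolveDep(lock, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + depName;
    if (lock.packages[candidate]) return candidate;
    if (base === '') return null; // not installed (e.g. an omitted optional dependency)
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Depth-first walk over dependencies and optionalDependencies (npm installs the
// latter by default, which is how mongodb pulls in @aws-sdk), collecting every
// chain from the root to a package named `target`. The stack check breaks cycles.
function explain(lock, target) {
  if (!lock.packages) throw new Error('lockfileVersion 1 has no "packages" map; regenerate with npm >= 7');
  const chains = [];
  const stack = [];
  const walk = (path) => {
    stack.push(path);
    if (path !== '' && nameAt(lock, path) === target) {
      chains.push({ chain: stack.map((p) => nameAt(lock, p)), path, version: lock.packages[path].version });
    } else {
      const entry = lock.packages[path];
      const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
      for (const dep of Object.keys(deps)) {
        const resolved = resolveDep(lock, path, dep);
        if (resolved && !stack.includes(resolved)) walk(resolved);
      }
    }
    stack.pop();
  };
  walk('');
  return chains;
}

// Numeric x.y.z comparison; prerelease tags are ignored (a simplification of
// semver that is enough for the versions an audit report lists).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Only the chains whose installed instance is still below the fixed version.
function vulnerableChains(lock, target, fixedVersion) {
  return explain(lock, target).filter((c) => compareVersions(c.version, fixedVersion) < 0);
}

// One line per installed instance, in the style of `npm explain`.
function report(lock, target, fixedVersion) {
  return explain(lock, target).map((c) => {
    const state = compareVersions(c.version, fixedVersion) < 0 ? 'VULNERABLE' : 'ok';
    return `${c.chain.join(' > ')}@${c.version}  [${c.path}]  ${state}`;
  });
}

// Constructed lockfile: one hoisted fast-xml-parser below the fix, reached through
// mongodb's optional AWS SDK dependency, and one fixed copy nested under the
// hypothetical direct dependency "xml-tool" to show nearest-node_modules resolution.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'alias-server', dependencies: { mongodb: '^5.0.0', 'xml-tool': '^1.0.0' } },
    'node_modules/mongodb': { version: '5.6.0', optionalDependencies: { '@aws-sdk/credential-providers': '^3.0.0' } },
    'node_modules/@aws-sdk/credential-providers': { version: '3.340.0', dependencies: { '@aws-sdk/client-sts': '3.340.0' } },
    'node_modules/@aws-sdk/client-sts': { version: '3.340.0', dependencies: { 'fast-xml-parser': '4.1.2' } },
    'node_modules/fast-xml-parser': { version: '4.1.2' },
    'node_modules/xml-tool': { version: '1.0.0', dependencies: { 'fast-xml-parser': '^4.2.4' } },
    'node_modules/xml-tool/node_modules/fast-xml-parser': { version: '4.2.5' },
  },
};

for (const line of report(SAMPLE_LOCK, 'fast-xml-parser', FIXED_FAST_XML_PARSER)) console.log(line);
```

To run it against a real lock file, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('apps/alias-server/package-lock.json', 'utf8'))`; lockfileVersion 1 files are rejected because they have no "packages" map. The walk includes optionalDependencies on purpose: npm installs them by default, so the mongodb > @aws-sdk/credential-providers > @aws-sdk/client-sts > fast-xml-parser chain is present in the audit even though, as the comment says, the app does not use it directly, which is why the fix here is an upgrade rather than a removal.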