Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): bump Octokit dependencies to address ReDos vulnerabilities, bump devDependencies #487

Merged
merged 6 commits into from
Feb 26, 2025
Merged

fix(deps): bump Octokit dependencies to address ReDos vulnerabilities, bump devDependencies #487

merged 6 commits into from
Feb 26, 2025
+2,901 −2,762

Conversation

benpbolton
Copy link

This aims to resolve #486 `npm vulnerabilities with the 20.x branch

Should resolve:

GHSA-2p57-rm9w-gvfp
GHSA-3xgq-45jj-v275
GHSA-67mh-4wv8-2f99
GHSA-78xj-cgh5-2h22
GHSA-952p-6rrq-rcjv
GHSA-9qxr-qj54-h672
GHSA-9wv6-86v2-598j
GHSA-c2qf-rxjj-qqgw
GHSA-c76h-2ccp-4975
GHSA-c7qv-q95q-8v27
GHSA-f5x3-32g6-xq36
GHSA-grv7-fg5c-xmjg
GHSA-h5c3-5r3r-rr8q
GHSA-m4v8-wqvr-p9f7
GHSA-m6fv-jmcg-4jfg
GHSA-pxg6-pf52-xh8x
GHSA-qwcr-r2fm-qrc7
GHSA-rhx6-c78j-4q9w
GHSA-rmvr-2pp2-xj38
GHSA-xx4v-prfh-6cgc

Before the change?

31 vulnerabilities (3 low, 18 moderate, 10 high)

CleanShot 2025-02-21 at 12 06 39

After the change?

9 moderate severity vulnerabilities

CleanShot 2025-02-21 at 12 12 49

Important note: the remaining reported 'moderate' vulnerabilities for @octokit/request and @octokit/plugin-paginate-rest for GHSA-h5c3-5r3r-rr8q and GHSA-rmvr-2pp2-xj38 are actually mitigated already; npm audit isn't taking the minor versions properly into account as:

  • @octokit/plugin-paginate-rest is patched in 9.2.2 (applied)
  • @octokit/request is patched in 8.4.1 (applied)

This is a reporting issue: npm/cli#8125

Pull request checklist

Important note: this PR reduces updates (reduces :() test coverage due to the same challenges discovered in #413 (comment)

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • Yes
  • No

@github-actions GitHub Actions
Copy link
Contributor

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

@G-Rath
Copy link
Member

G-Rath commented Feb 21, 2025

It doesn't look like most of these are needed, as you're updating minor versions - so doing an npm update <package> in your codebase should address these

@benpbolton
Copy link
Author

Many of these are indeed version-compatible npm update applicable changes, but not all. fetch-mock is probably the standout there, with a notable update to "esbuild": "~0.25.0", semver as recommended by the project. e.g. see https://github.com/evanw/esbuild/releases/tag/v0.25.0

@wolfy1339
Copy link
Member

with a notable update to "esbuild": "~0.25.0", semver as recommended by the project. e.g. see https://github.com/evanw/esbuild/releases/tag/v0.25.0

They recommend either ~ or ^

@G-Rath
Copy link
Member

G-Rath commented Feb 21, 2025

Yes but the PR you've opened has a bunch of changes, and your issue describes a bunch of security vulnerabilities - @wolfy1339 and I are happy to discuss specific dependencies if there are issues, but in return it would be good if you could capture those specifically

E.g. are you actually having an issue with esbuild after updating it?

@G-Rath
Copy link
Member

G-Rath commented Feb 21, 2025

Actually really they shouldn't matter anyway as they're dev dependencies

@wolfy1339
Copy link
Member

Unless you are using a CDN like esm.sh this shouldn't be needed

@benpbolton
Copy link
Author

Indeed; primarily devdeps and 'what happens when you' npm audit fix/ npm update on the 20.x branch, including mirrored test adjustments from #413 (comment).

@wolfy1339
Copy link
Member

wolfy1339 commented Feb 21, 2025
edited
Loading

On a fresh install of @octokit/rest@20:

$ npm audit
# npm audit report

@octokit/plugin-paginate-rest  <=11.4.0
Severity: moderate
Depends on vulnerable versions of @octokit/core
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-h5c3-5r3r-rr8q
fix available via `npm audit fix --force`
Will install @octokit/[email protected], which is a breaking change
node_modules/@octokit/rest/node_modules/@octokit/plugin-paginate-rest
  @octokit/rest  16.39.0 - 21.0.0-beta.4
  Depends on vulnerable versions of @octokit/core
  Depends on vulnerable versions of @octokit/plugin-paginate-rest
  Depends on vulnerable versions of @octokit/plugin-rest-endpoint-methods
  node_modules/@octokit/rest

@octokit/request  <=9.2.0
Severity: moderate
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-rmvr-2pp2-xj38
fix available via `npm audit fix --force`
Will install @octokit/[email protected], which is a breaking change
node_modules/@octokit/rest/node_modules/@octokit/request
  @octokit/core  <=5.2.0
  Depends on vulnerable versions of @octokit/graphql
  Depends on vulnerable versions of @octokit/request
  node_modules/@octokit/rest/node_modules/@octokit/core
    @octokit/plugin-request-log  4.0.1
    Depends on vulnerable versions of @octokit/core
    node_modules/@octokit/rest/node_modules/@octokit/plugin-request-log
    @octokit/plugin-rest-endpoint-methods  10.4.1 || 13.2.2
    Depends on vulnerable versions of @octokit/core
    node_modules/@octokit/rest/node_modules/@octokit/plugin-rest-endpoint-methods
  @octokit/graphql  <=2.1.3 || 3.0.0 - 7.1.1
  Depends on vulnerable versions of @octokit/request
  node_modules/@octokit/rest/node_modules/@octokit/graphql

7 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

@benpbolton
Copy link
Author

However on fresh checkout of origin/20.x and (e.g.)

(ignoring base npm install with 31 vulnerabilities (3 low, 18 moderate, 10 high)

npm update # 14 vulnerabilities (12 moderate, 2 high) -- devdeps are the culprit here

(ensure you've got the octokit-fixtures-server running)

npm run test # will fail

CleanShot 2025-02-21 at 13 16 39@2x

I realize it may not be high on the impact/priority list to ensure 20.x has a viable development / test environment, hence why I submitted the PR.

@wolfy1339
Copy link
Member

Why are you using the git repository?

@benpbolton
Copy link
Author

Thank you @G-Rath and @wolfy1339 for the feedback. I appreciate your time reviewing this PR.
To clarify the intentions of this PR:

  • I understand most of these are dev dependencies (in production contexts, they likely pose minimal risk), but having a clean audit helps developers who use this repository for contributions and may have security scanning requirements in their CI/CD pipelines.
  • As demonstrated in my screenshot from a fresh checkout of the 20.x branch, the current state fails tests after a standard npm update. This makes it challenging for new contributors who want to work with the 20.x branch.
  • While I acknowledge that some of the reported vulnerabilities are false positives (as noted with @octokit/plugin-paginate-rest and @octokit/request – I've submitted a bug report for npm), having a clean development environment is beneficial for ongoing maintenance.
  • Any test modifications mirror what was done in feat: v21 #413. These are known limitations rather than an issue with these specific updates.

Again: the primary goal is to ensure the 20.x branch remains viable for development and testing for users who cannot yet migrate to ESM. If you prefer a more targeted approach, please let me know how you'd prefer to proceed. I'm happy to adjust my approach based on the team's preferences for maintaining the 20.x branch.

@benpbolton benpbolton mentioned this pull request Feb 26, 2025
Closed
1 task
@wolfy1339 wolfy1339 linked an issue Feb 26, 2025 that may be closed by this pull request
[MAINT]: 20.x npm audit vulnerabilities #486
Closed
1 task
@wolfy1339 wolfy1339 changed the title fix(deps): esbuild, fetch-mock, octokit/request fix(deps): bump Octokit dependencies to address ReDos vulnerabilities, bump devDependencies Feb 26, 2025
@wolfy1339 wolfy1339 merged commit eb3e62c into octokit:20.x Feb 26, 2025
6 checks passed
@benpbolton benpbolton deleted the chore/update_npm_deps branch February 26, 2025 22:10
wolfy1339 added a commit that referenced this pull request Feb 26, 2025
@benpbolton @wolfy1339
fix(deps): bump Octokit dependencies to address ReDos vulnerabilities…
711f2ee 
…, bump `devDependencies` (#487)

This aims to resolve #486 `npm vulnerabilities with the 20.x branch

Should resolve:

GHSA-2p57-rm9w-gvfp
GHSA-3xgq-45jj-v275
GHSA-67mh-4wv8-2f99
GHSA-78xj-cgh5-2h22
GHSA-952p-6rrq-rcjv
GHSA-9qxr-qj54-h672
GHSA-9wv6-86v2-598j
GHSA-c2qf-rxjj-qqgw
GHSA-c76h-2ccp-4975
GHSA-c7qv-q95q-8v27
GHSA-f5x3-32g6-xq36
GHSA-grv7-fg5c-xmjg
GHSA-h5c3-5r3r-rr8q
GHSA-m4v8-wqvr-p9f7
GHSA-m6fv-jmcg-4jfg
GHSA-pxg6-pf52-xh8x
GHSA-qwcr-r2fm-qrc7
GHSA-rhx6-c78j-4q9w
GHSA-rmvr-2pp2-xj38
GHSA-xx4v-prfh-6cgc

----

<!-- Please describe the current behavior that you are modifying. -->

> 31 vulnerabilities (3 low, 18 moderate, 10 high)

![CleanShot 2025-02-21 at 12 06
39](https://github.com/user-attachments/assets/02abda17-8aee-46e3-b808-764672a18475)

<!-- Please describe the behavior or changes that are being added by
this PR. -->

> 9 moderate severity vulnerabilities

![CleanShot 2025-02-21 at 12 12
49](https://github.com/user-attachments/assets/10d593d8-9de5-478e-8cde-b5fb81762706)

**Important note**: the remaining reported 'moderate' vulnerabilities
for `@octokit/request` and `@octokit/plugin-paginate-rest` for
GHSA-h5c3-5r3r-rr8q and
GHSA-rmvr-2pp2-xj38 are actually mitigated
already; npm audit isn't taking the minor versions properly into account
as:

- @octokit/plugin-paginate-rest is patched in `9.2.2` (applied)
- @octokit/request is patched in `8.4.1` (applied)

This is a reporting issue: npm/cli#8125

**Important note**: this PR reduces updates (reduces :() test coverage
due to the same challenges discovered in
#413 (comment)

- [x] Tests for the changes have been added (for bug fixes / features)
- [ ] Docs have been reviewed and added / updated if needed (for bug
fixes / features)

<!-- If this introduces a breaking change make sure to note it here any
what the impact might be -->

Please see our docs on [breaking
changes](https://github.com/octokit/.github/blob/master/community/breaking_changes.md)
to help!

- [ ] Yes
- [x] No

----

---------

Co-authored-by: wolfy1339 <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[MAINT]: 20.x npm audit vulnerabilities
3 participants
@benpbolton @G-Rath @wolfy1339