Update npm packges versions to eliminate vulnerabilities #610
Comments
@turvas
It is necessary to adapt from Vue 2 to 3, and it is not possible to adapt everything at once.
Library changes and program modifications should also occur. Recognition is not an easy task.
In some cases, it may be difficult to resolve because other modules specify a vulnerable version due to dependencies. So it's not easy.
investigating "vue-native-websocket": "2.0.15"
current 77 vulnerabilities (4 low, 22 moderate, 40 high, 11 critical)
fix 11 vulnerabilities (6 moderate, 4 high, 1 critical)
Since it's an OSS, it's natural that you won't receive any money by responding to this issue, but if they are not cooperative, we will lower the priority of responding to that issue. Because time is not infinite
We have released Docker image 1.8.17, which changes vue-native-websocket from 2.0.15 to github:nsano-rururu/vue-native-websocket#master. In 1.8.18, we plan to do the following: Vue3 support continues in a separate repository
I have done 2) and 3) from the above list. If you are interested, I can share my Dockerfile, where High and Critical OS-level vulns are removed.
@turvas
Dockerfile:
    RUN apt update &&
    RUN mkdir -p /tmp/nginx/praeco
    RUN apt install -y openssh-client curl postgresql-15 libde265-0
    FROM base AS dependencies
    FROM base AS release
    RUN npm run build
What is this used for? I feel like it's not necessary
node:lts-hydrogen contains 5 critical vulns, and those 2 lines update 4 vulnerable packages and uninstall the last one, which does not have a fix
Thank you for your answer. We will use this as a reference when making the next release compatible with node18.
docker run aquasec/trivy image praecoapp/praeco:1.8.16
praecoapp/praeco:1.8.16 (debian 10.13)
======================================
Total: 3020 (UNKNOWN: 32, LOW: 1420, MEDIUM: 989, HIGH: 542, CRITICAL: 37)
~~~~~~~~~~~~~~~~~~~~~~~
Node.js (node-pkg)
==================
Total: 127 (UNKNOWN: 0, LOW: 6, MEDIUM: 46, HIGH: 57, CRITICAL: 18)

docker run aquasec/trivy image praecoapp/praeco:1.8.17
praecoapp/praeco:1.8.17 (debian 10.13)
======================================
Total: 3018 (UNKNOWN: 32, LOW: 1420, MEDIUM: 987, HIGH: 542, CRITICAL: 37)
~~~~~~~~~~~~~~~~~~~~~~~
Node.js (node-pkg)
==================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 2, CRITICAL: 0)

docker run aquasec/trivy image praecoapp/praeco:1.8.18
node 16 to 18
praecoapp/praeco:1.8.18 (debian 12.4)
=====================================
Total: 767 (UNKNOWN: 0, LOW: 491, MEDIUM: 223, HIGH: 51, CRITICAL: 2)
~~~~~~~~~~~~~~~~~~~~~~~
Node.js (node-pkg)
==================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)
docker run aquasec/trivy image praecoapp/elastalert-server:20231126
praecoapp/elastalert-server:20231126 (alpine 3.18.3)
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
2024-01-03T17:36:05.145Z INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
Node.js (node-pkg)
==================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬─────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼─────────────────────────────────────────────────────┤
│ semver (package.json) │ CVE-2022-25883 │ MEDIUM │ fixed │ 7.3.7 │ 7.5.2, 6.3.1, 5.7.2 │ nodejs-semver: Regular expression denial of service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-25883 │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴─────────────────────────────────────────────────────┘
Python (python-pkg)
===================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ cryptography (METADATA) │ CVE-2023-49083 │ MEDIUM │ fixed │ 41.0.5 │ 41.0.6 │ python-cryptography: NULL-dereference when loading PKCS7 │
│ │ │ │ │ │ │ certificates │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-49083 │
└─────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
Praeco
elastalert-server

thank you, great progress
docker run aquasec/trivy image praecoapp/elastalert-server:20240104
node 16 to 18
praecoapp/elastalert-server:20240104 (alpine 3.19.0)
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
/home/node/.local/lib/python3.11/site-packages/PyJWT-2.8.0.dist-info/METADATA (secrets)
=======================================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

All versions of vue2 have XSS vulnerabilities. We plan to prioritize support for vue3.
🎉 Minimize vulnerabilities
So that no Critical and High severity vulnerabilities exist at released images.
💪 Currently praeco npm dependencies have more than 100 vulnerabilities, including 16 critical and 41 high severity ones, reported by Docker Scout.
It's important to eliminate High and Critical vulnerabilities ASAP.
📖 Reference (optional)
Below is Docker Scout vulnerabilities (first page of 7) view at build step COPY:
📆 Schedule (optional)
TBD
📎 Tasks (optional)
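The acceptance criterion stated in this issue ("no Critical and High severity vulnerabilities in released images") is easy to turn into a release gate over the Trivy scans quoted in the thread. The script below is an added example and is not part of the praeco or elastalert-server projects: it consumes the JSON that `trivy image --format json <image>` emits (the field names Results, Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity follow Trivy's JSON schema), prints the same one-line summary the table output shows, exits non-zero while any HIGH or CRITICAL finding remains, and separately lists findings with no fixed version, since those are the ones a version bump cannot clear and the package has to be removed or mitigated instead. The embedded sample report is constructed from the two findings in the elastalert-server:20231126 scan above; the `praeco-gate` name is hypothetical.

```python
"""praeco-gate: fail a container release while HIGH/CRITICAL Trivy findings remain.

Added example, not project code.  Usage:
    trivy image --format json praecoapp/praeco:1.8.18 > report.json
    python praeco_gate.py report.json        # exit 1 if HIGH/CRITICAL present
    python praeco_gate.py                    # runs on the constructed sample
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample mirroring the elastalert-server:20231126 scan in the thread
# (semver 7.3.7 and cryptography 41.0.5, both MEDIUM with fixes available).
SAMPLE_REPORT = {
    "ArtifactName": "praecoapp/elastalert-server:20231126",
    "Results": [
        {"Target": "praecoapp/elastalert-server:20231126 (alpine 3.18.3)",
         "Class": "os-pkgs", "Type": "alpine", "Vulnerabilities": None},
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-25883", "PkgName": "semver",
              "InstalledVersion": "7.3.7", "FixedVersion": "7.5.2, 6.3.1, 5.7.2",
              "Severity": "MEDIUM", "Status": "fixed"}]},
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-49083", "PkgName": "cryptography",
              "InstalledVersion": "41.0.5", "FixedVersion": "41.0.6",
              "Severity": "MEDIUM", "Status": "fixed"}]},
    ],
}


def summarize(report):
    """Count findings per severity across every scan target in the report.
    Returns (Counter keyed by severity, list of flattened findings)."""
    counts = Counter({s: 0 for s in SEVERITY_ORDER})
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null rather than [] for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            if sev not in SEVERITY_ORDER:
                sev = "UNKNOWN"
            counts[sev] += 1
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": sev,
            })
    return counts, findings


def format_total(counts):
    """Render the one-line summary in the same shape as Trivy's table output."""
    per_sev = ", ".join("%s: %d" % (s, counts[s]) for s in SEVERITY_ORDER)
    return "Total: %d (%s)" % (sum(counts.values()), per_sev)


def blocking_findings(report, threshold="HIGH"):
    """Findings at or above `threshold`; a non-empty list fails the release."""
    floor = SEVERITY_ORDER.index(threshold)
    return [f for f in summarize(report)[1]
            if SEVERITY_ORDER.index(f["severity"]) >= floor]


def unfixable(report):
    """Findings with no FixedVersion.  A dependency bump cannot clear these;
    the package has to be removed (as the thread does for one base-image
    package) or the risk documented."""
    return [f for f in summarize(report)[1] if not f["fixed"]]


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT  # demo run on the constructed sample
    counts, _ = summarize(report)
    print(format_total(counts))
    blockers = blocking_findings(report)
    for f in blockers:
        fix = f["fixed"] or "NO FIX AVAILABLE"
        print("BLOCK %-8s %s %s %s -> %s (%s)" % (
            f["severity"], f["id"], f["pkg"], f["installed"], fix, f["target"]))
    for f in unfixable(report):
        print("NOFIX %-8s %s %s %s (%s)" % (
            f["severity"], f["id"], f["pkg"], f["installed"], f["target"]))
    return 1 if blockers else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it on the sample prints `Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)` and exits 0, because both findings are MEDIUM; lowering the threshold to MEDIUM in `blocking_findings` would turn those into blockers. The gate reads the whole report rather than only the Node.js section, so OS-level packages in the base image (the bulk of the counts in the 1.8.x scans above) are held to the same bar.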