
Conversation

@kittaakos
Contributor

@kittaakos kittaakos commented Nov 2, 2023

Motivation

To fix security issues.

Change description

Other information

TODOs:
@kittaakos will verify:

  • the correctness of the @theia/cli (for @babel/traverse@7.23.2),
  • the cloud sketches feature in IDE2 (for crypto-js@4.2.0),

@rhpco, please help with the security review. Thank you! If all works correctly, IDE2 will be down to zero security alerts.

Current behavior:

% yarn audit
yarn audit v1.22.19

critical       Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Package        @babel/traverse
Patched in     >=7.23.2
Dependency of  @theia/cli
Path           @theia/cli > @theia/application-manager > @babel/core > @babel/traverse
More info      https://www.npmjs.com/advisories/1094446

critical       Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Package        @babel/traverse
Patched in     >=7.23.2
Dependency of  @theia/cli
Path           @theia/cli > @theia/application-manager > @babel/core > @babel/helpers > @babel/traverse
More info      https://www.npmjs.com/advisories/1094446

critical       crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
Package        crypto-js
Patched in     >=4.2.0
Dependency of  arduino-ide-extension
Path           arduino-ide-extension > auth0-js > idtoken-verifier > crypto-js
More info      https://www.npmjs.com/advisories/1094468

critical       crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
Package        crypto-js
Patched in     >=4.2.0
Dependency of  electron-app
Path           electron-app > arduino-ide-extension > auth0-js > idtoken-verifier > crypto-js
More info      https://www.npmjs.com/advisories/1094468

4 vulnerabilities found - Packages audited: 2046
Severity: 4 Critical
✨ Done in 1.95s.

Expected behavior:

% yarn audit
yarn audit v1.22.19
0 vulnerabilities found - Packages audited: 2046
✨ Done in 2.26s.

GitHub Advisory Database refs:

Upstream: eclipse-theia/theia#13024

Reviewer checklist

  • PR addresses a single concern.
  • The PR has no duplicates (please search among the Pull Requests before creating one)
  • PR title and description are properly filled.
  • Docs have been added / updated (for bug fixes / features)
@kittaakos kittaakos added the topic: security Related to the protection of user data label Nov 2, 2023
@kittaakos kittaakos requested a review from rhpco November 2, 2023 08:36
@kittaakos kittaakos self-assigned this Nov 2, 2023
- Forced the resolution of `@babel/traverse@7.23.2` brought in by `@theia/cli`. (eclipse-theia/theia#13024)
- Updated to `auth0-js@9.21.3` to transitively pull `crypto-js@4.2.0` in with the security fixes.

GitHub Advisory Database refs:
- GHSA-67hx-6x53-jw92
- GHSA-xwcq-pm8m-c4vf

Signed-off-by: Akos Kitta <a.kitta@arduino.cc>

@rhpco rhpco left a comment


LGTM

@per1234 per1234 added topic: infrastructure Related to project infrastructure type: imperfection Perceived defect in any part of project labels Nov 3, 2023
@kittaakos
Contributor Author

@kittaakos will verify:

  • the correctness of the @theia/cli (for @babel/traverse@7.23.2),
  • the cloud sketches feature in IDE2 (for crypto-js@4.2.0),

It's working with 2.2.2-snapshot-f7c6da3.

Contributor

@francescospissu francescospissu left a comment


LGTM 👍

@kittaakos kittaakos merged commit 22a69f7 into main Nov 9, 2023
@kittaakos kittaakos deleted the dependabot branch November 9, 2023 10:32

Labels

topic: infrastructure Related to project infrastructure topic: security Related to the protection of user data type: imperfection Perceived defect in any part of project

4 participants