Strapi 3.6.5 vulnerabilities

urbadev · June 28, 2021, 11:13am

System Information

Strapi Version: 3.6.5
Operating System: macOS
Database: mysql
Node Version: v14.15.5
NPM Version: 6.14.11
Yarn Version: -

Hi, I’ve been preparing a big project for my company and am almost ready to deploy. However, my colleagues and me are worried about the vulnerabilities it currently has because almost all of them are high priority.

found 44 vulnerabilities (2 moderate, 42 high) in 1839 scanned packages

npm audit fix obviously doesn’t fix any of them.

Many of them are from the package property-expr. Anyway, because they all are dependencies of strapi and/or its plugins I can’t update them and would like to ask if you could check to see if by the next update you could update them.

Thank you. By the way I love strapi and really think you guys are doing a marvellous job.

I can’t insert the list because it has too many characters. So here is a link to it: https://workflowy.com/s/vulnerabilities-stra/DMzLzFMujB6Wmsvt

DMehaffy · June 28, 2021, 6:21pm

I’ll share a link to this issue comment:

github.com/strapi/strapi

Hitting numerous npm audit issues when creating strapi app on Ubuntu 20

opened 10:47PM - 24 May 21 UTC

closed 10:57AM - 03 Jun 21 UTC

mwoodpatrick

type: discussion

## Bug report ### Describe the bug When creating the quickstart app on Ubu…ntu 20.04.2 LTS (Digital Ocean or WSL-2) node v14.17.0 (npm/npx v6.14.13): npx create-strapi-app strapi --quickstart 2>&1 | tee strapi_install.log Then cd'ing into strapi and running npm i I get found 52 vulnerabilities (7 moderate, 45 high) run `npm audit fix` to fix them, or `npm audit` for details and then running npm audit: npm audit --parseable 2>&1 | tee npm_audit.log I get the attached results: [npm_audit.log](https://github.com/strapi/strapi/files/6535309/npm_audit.log) Running: npm audit fix gives: npm WARN @buffetjs/utils@3.3.6 requires a peer of yup@^0.27.0 but none is installed. You must install peer dependencies yourself. npm WARN bootstrap@4.6.0 requires a peer of jquery@1.9.1 - 3 but none is installed. You must install peer dependencies yourself. npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules/fsevents): npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"}) npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/watchpack-chokidar2/node_modules/fsevents): npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"}) npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/webpack-dev-server/node_modules/fsevents): npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"}) up to date in 14.092s 109 packages are looking for funding run `npm fund` for details fixed 0 of 52 vulnerabilities in 1666 scanned packages 52 vulnerabilities required manual review and could not be updated

The problem with the npm vuln scan system is it only takes into account 1 factor out of 3:

Risk (npm gives you the risk)
Probability/Likelyhood
Impact

In the vulnerabilities listed in that audit, while they all show high risk their impact is basically nothing because we don’t use the vulnerable parts of the code and the probability is functionally impossible. (one of them was a prototype pollution in a CSS package which is “what in the heck?” type of moment.

On that note, I’ve already opened (and one has been merged) to fix most of them:

Fix missing lodash upgrade in i18n plugin by derrickmehaffy · Pull Request #10538 · strapi/strapi · GitHub (merged, will be in the next release)
Fix Prototype Pollution in property-expr (yup) by derrickmehaffy · Pull Request #198 · strapi/buffet · GitHub

Though there is honestly a much easier way to fix them if you use yarn instead of npm (which we recommend), by that I mean you should never use npm audit fix; like ever.

"resolutions": {
    "yup": "^0.32.9",
    "lodash": "4.17.21"
  },

The remaining 3 are functionally impossible/no impact both in terms of likelihood and impact

urbadev · June 29, 2021, 6:22am

Okay, thank you very much for the quick response!
I’ll keep in mind your recommendations going forward.