I’ll share a link to this issue comment:
opened 10:47PM - 24 May 21 UTC
closed 10:57AM - 03 Jun 21 UTC
type: discussion
## Bug report
### Describe the bug
When creating the quickstart app on Ubuntu 20.04.2 LTS (Digital Ocean or WSL-2) with node v14.17.0 (npm/npx v6.14.13):

```sh
npx create-strapi-app strapi --quickstart 2>&1 | tee strapi_install.log
```

Then cd'ing into strapi and running

```sh
npm i
```

I get

```
found 52 vulnerabilities (7 moderate, 45 high)
  run `npm audit fix` to fix them, or `npm audit` for details
```

and then running npm audit:

```sh
npm audit --parseable 2>&1 | tee npm_audit.log
```

I get the attached results:
[npm_audit.log](https://github.com/strapi/strapi/files/6535309/npm_audit.log)

Running:

```sh
npm audit fix
```

gives:

```
npm WARN @buffetjs/utils@3.3.6 requires a peer of yup@^0.27.0 but none is installed. You must install peer dependencies yourself.
npm WARN bootstrap@4.6.0 requires a peer of jquery@1.9.1 - 3 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/watchpack-chokidar2/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/webpack-dev-server/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

up to date in 14.092s

109 packages are looking for funding
  run `npm fund` for details

fixed 0 of 52 vulnerabilities in 1666 scanned packages
  52 vulnerabilities required manual review and could not be updated
```
The problem with the npm vuln scan system is it only takes into account 1 factor out of 3:
- Risk (npm gives you the risk)
- Probability/Likelihood
- Impact

In the vulnerabilities listed in that audit, while they all show high risk, their impact is basically nothing because we don’t use the vulnerable parts of the code and the probability is functionally impossible (one of them was a prototype pollution in a CSS package, which is a “what in the heck?” type of moment).
On that note, I’ve already opened (and one has been merged) to fix most of them:
Though there is honestly a much easier way to fix them if you use yarn instead of npm (which we recommend). By that I mean you should never use `npm audit fix`; like, ever.

```json
"resolutions": {
  "yup": "^0.32.9",
  "lodash": "4.17.21"
},
```

The remaining 3 are functionally impossible/no impact both in terms of likelihood and impact.