
Update/Fix npm dependencies for wikimedia/portals.git
Closed, Resolved | Public | Security

Description

npm audit in rWPOR Wikimedia Portals reports 11 vulnerabilities (7 low, 1 moderate, 3 high).

This task involves running npm audit --fix to fix 7 of them.

The remaining 4 packages should be reviewed to see if they can be updated manually.

Results:

npm audit
                       === npm audit security report ===                        
                                                                                
# Run  npm install --save-dev bundlesize@0.18.1  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ bundlesize [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ bundlesize > axios                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1594                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm update ini --depth 8  to resolve 5 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ini                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ bundlesize [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ bundlesize > brotli-size > iltorb > prebuild-install > rc >  │
│               │ ini                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1589                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ini                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > gulp-cli > liftoff > findup-sync > resolve-dir >      │
│               │ global-modules > global-prefix > ini                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1589                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ini                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > gulp-cli > matchdep > findup-sync > resolve-dir >     │
│               │ global-modules > global-prefix > ini                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1589                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ini                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-load-plugins [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-load-plugins > findup-sync > resolve-dir >              │
│               │ global-modules > global-prefix > ini                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1589                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ini                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-config-wikimedia [dev]                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-config-wikimedia > stylelint > global-modules >    │
│               │ global-prefix > ini                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1589                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm update github-build --depth 2  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ bundlesize [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ bundlesize > github-build > axios                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1594                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/788                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/813                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > mocha > mkdirp > minimist     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1179                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > yargs > yargs-parser          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1500                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 11 vulnerabilities (7 low, 1 moderate, 3 high) in 1735 scanned packages

Event Timeline

npm audit fix git diff result
[maurelio@ubuntu portals](master)$ git diff
diff --git a/package-lock.json b/package-lock.json
index 27492e46..af0f3c72 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -4126,9 +4126,9 @@
                        }
                },
                "bl": {
-                       "version": "4.0.2",
-                       "resolved": "https://registry.npmjs.org/bl/-/bl-4.0.2.tgz",
-                       "integrity": "sha512-j4OH8f6Qg2bGuWfRiltT2HYGx0e1QcBTrK9KAHNMwMZdQnDZFk0ZSYIpADjYCB3U12nicC5tVJwSIhwOWjb4RQ==",
+                       "version": "4.0.3",
+                       "resolved": "https://registry.npmjs.org/bl/-/bl-4.0.3.tgz",
+                       "integrity": "sha512-fs4G6/Hu4/EE+F75J8DuN/0IpQqNjAdC7aEQv7Qt8MHGUH7Ckv2MwTEEeN9QehD0pfIDkMI1bkHYkKy7xHyKIg==",
                        "dev": true,
                        "requires": {
                                "buffer": "^5.5.0",
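Review bot: this hunk only moves `bl` from 4.0.2 to 4.0.3 and touches none of the packages the audit in the description names (axios, ini, js-yaml, minimist, yargs-parser), so the comment or commit message should say which advisory the `bl` bump closes. Since `npm audit fix` rewrites package-lock.json only, the declared ranges in package.json are unchanged and it is the new `resolved` URL plus `integrity` hash (which npm verifies on install) that actually pins the fixed tarball; worth confirming the three `+` lines came from the tool rather than a hand edit.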

Yet 20 remain unsolved. Fix for that at https://gerrit.wikimedia.org/r/c/wikimedia/portals/+/626637

Looks like half the gulp world is abandonware now. :-( Maybe we should shift it over to Grunt? Meh.

@Jdrewniak you linked this in T273179 as a microtask but it's private, so most people won't be able to see it. Given that anyone can just run npm audit, any reason not to make this public? It's also all listed at https://libraryupgrader2.wmcloud.org/vulns/npm ...

Since these are all dev dependencies fwict, it's probably not a big deal to make this particular task public. Though there are at least some marginal risks:

  1. gulp (and its vulnerable dependencies) still appears to be used to build various artifacts that end up in production.
  2. while it's trivial to run various security tools against public repos, the confirmation of existing vulnerabilities (which tasks like this implicitly do) for a specific repo does provide an additional layer of convenience for an attacker.

@Legoktm It's true that these vulnerabilities are easily exposed just by running npm audit so I don't see much risk in making this task public.

@sbassett Although Gulp is used to create production artifacts, those are all still manually reviewed prior to merging, and given that the development on this repo is very light, I think any malicious code in those artifacts (e.g. JS) would be visible just by virtue of it being the only change to those files in a long time :P

I have also created a patch which brings down these vulnerabilities from 22 to 11 by removing a PNG fallback workflow, so that should help.

https://gerrit.wikimedia.org/r/c/wikimedia/portals/+/666606

Jdrewniak triaged this task as Medium priority. Feb 24 2021, 12:01 PM
Jdrewniak removed a project: Security.
Jdrewniak added a project: Security.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Mar 1 2021, 4:07 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".

Change 670821 had a related patch set uploaded (by Bharatkhatri; owner: Bharatkhatri):
[wikimedia/portals@master] Fix npm dependencies for wikimedia/portals

https://gerrit.wikimedia.org/r/670821

This task involves running npm audit --fix to fix 7 of them.

Fixed 7 of them using npm audit fix.
How can the remaining dependencies be fixed manually?

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/788                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/813                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > mocha > mkdirp > minimist     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > yargs > yargs-parser          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Here:
svgo is using "js-yaml": "~3.7.0",
mkdirp is using "minimist": "^1.2.5",
yargs is using "yargs-parser": "^18.1.2"
as dependencies. These need to be fixed.

@Bharatkhatri351 thank you for the patch!
The offending modules from that output are:

  • gulp-svg-sprite
  • gulp-cssnano

Unfortunately, both of those packages are on the latest version in package.json, so the only way to remove these errors would be to replace these dependencies entirely.
Therefore, I think we can leave this task open for now, since replacing either dependency would require a larger refactor.
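The two comments above hinge on one question: does the range a parent package declares for its vulnerable dependency (svgo's "js-yaml": "~3.7.0", mkdirp's minimist range) admit a patched version, so that `npm update` can move it, or is the parent itself the blocker, so that it must be replaced? The script below is an added example, not code from the portals repo or from npm: it rebuilds the "Path" chains npm audit prints from a lockfile-style dependency graph and classifies each chain that way. The graph, registry snapshot and all ranges except svgo's `~3.7.0` are constructed for the example; the semver matcher covers only the range forms that appear in this task's audit output.

```javascript
// Added example (not portals or npm code). Given a lockfile-style dependency
// graph and an advisory's "Patched in" range, derive every dependency path to
// the vulnerable package and say whether the direct parent's declared range can
// reach a patched version (fixable with `npm update`) or not (the parent has to
// be replaced or overridden, which is the conclusion reached in this task).

// --- minimal semver subset: ^, ~, >=, >, <=, <, = ; space = AND, || = OR ---
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Expand one comparator into the [op, bound] pairs that must all hold.
function expandComparator(c) {
  const m = /^(\^|~|>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(c);
  if (!m) throw new Error(`unsupported comparator: ${c}`);
  const op = m[1] || '=';
  const v = parseVersion(m[2]);
  if (op === '^') { // caret: bump the leftmost non-zero component
    const upper = v[0] > 0 ? [v[0] + 1, 0, 0] : v[1] > 0 ? [0, v[1] + 1, 0] : [0, 0, v[2] + 1];
    return [['>=', v], ['<', upper]];
  }
  if (op === '~') return [['>=', v], ['<', [v[0], v[1] + 1, 0]]]; // tilde: same minor
  return [[op, v]];
}

function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).filter(Boolean).flatMap(expandComparator).every(([op, bound]) => {
      const d = compareVersions(v, bound);
      return op === '>=' ? d >= 0 : op === '>' ? d > 0 : op === '<=' ? d <= 0 : op === '<' ? d < 0 : d === 0;
    }));
}

// --- constructed graph modelled on the audit paths quoted in this task. Only
// svgo's "js-yaml": "~3.7.0" is taken from the thread; every other range and
// installed version here is made up for the example.
const graph = {
  root: { requires: { 'gulp-cssnano': '^2.1.0', 'gulp-svg-sprite': '^1.5.0' } },
  'gulp-cssnano': { version: '2.1.3', requires: { cssnano: '^3.0.0' } },
  cssnano: { version: '3.10.0', requires: { 'postcss-svgo': '^2.1.0' } },
  'postcss-svgo': { version: '2.1.6', requires: { svgo: '^0.7.0' } },
  svgo: { version: '0.7.2', requires: { 'js-yaml': '~3.7.0' } },
  'js-yaml': { version: '3.7.0', requires: {} },
  'gulp-svg-sprite': { version: '1.5.0', requires: { 'svg-sprite': '^1.5.0' } },
  'svg-sprite': { version: '1.5.0', requires: { mocha: '^5.0.0' } },
  mocha: { version: '5.2.0', requires: { mkdirp: '^0.5.0' } },
  mkdirp: { version: '0.5.1', requires: { minimist: '^1.2.0' } },
  minimist: { version: '1.2.0', requires: {} },
};

// Constructed registry snapshot: the versions `npm update` could pick from.
const registry = {
  'js-yaml': ['3.7.0', '3.12.2', '3.13.0', '3.13.1', '3.14.1', '4.0.0'],
  minimist: ['0.0.8', '1.2.0', '1.2.5'],
};

// "Patched in" ranges as the audit report in this task states them.
const advisories = {
  'js-yaml': '>=3.13.1',
  minimist: '>=0.2.1 <1.0.0 || >=1.2.3',
};

// Depth-first walk from the root: every chain ending at `target`, plus which
// package declared the last edge and with what range.
function findPaths(graph, target, node = 'root', trail = []) {
  const out = [];
  for (const [dep, range] of Object.entries(graph[node].requires)) {
    if (trail.includes(dep)) continue; // cycle guard
    const chain = [...trail, dep];
    if (dep === target) out.push({ chain, parent: node, range });
    else if (graph[dep]) out.push(...findPaths(graph, target, dep, chain));
  }
  return out;
}

// One advisory: skip if the installed version is already patched; otherwise,
// per path, test whether some registry version fits the parent's range AND the
// patched range. If none does, no `npm update --depth N` can ever fix it.
function classify(graph, registry, target, patched) {
  if (satisfies(graph[target].version, patched)) return [];
  return findPaths(graph, target).map(({ chain, parent, range }) => {
    const ok = (registry[target] || []).filter((v) => satisfies(v, range) && satisfies(v, patched));
    return {
      path: chain.join(' > '),
      edge: `${parent} requires ${target}@${range}`,
      fixable: ok.length > 0,
      action: ok.length
        ? `npm update ${target} can install ${ok[ok.length - 1]}`
        : `no version satisfies both "${range}" and "${patched}": replace or override ${parent}`,
    };
  });
}

function report(graph, registry, advisories) {
  return Object.entries(advisories).flatMap(([pkg, patched]) => classify(graph, registry, pkg, patched));
}

for (const r of report(graph, registry, advisories)) {
  console.log(`${r.fixable ? 'FIXABLE' : 'MANUAL '} ${r.path}\n         ${r.edge}; ${r.action}`);
}
```

With this input the js-yaml chain comes out as MANUAL (nothing in `~3.7.0` is `>=3.13.1`) while the minimist chain is FIXABLE via 1.2.5, which is the same split between "run the update" and "replace the dependency" that the thread arrives at by hand.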

@Jdrewniak
That's fine.
Hope they will be fixed in the future.

Change 670821 merged by jenkins-bot:
[wikimedia/portals@master] Fix npm dependencies for wikimedia/portals

https://gerrit.wikimedia.org/r/670821

Is this issue open? May I work on it please?

@Helix17: Hi and welcome. Please see the previous comments; for the status see the line below the task summary/title.
What's left in this task is to review the remaining 4 packages to see if they can be updated manually.

Sure, I will get started. Just wanted to check a few things: this is the repository LINK, right?

Change 676549 had a related patch set uploaded (by Ishan Saini; author: Ishan Saini):

[wikimedia/portals@master] Replaces deprecated gulp-cssnano with cssnano

https://gerrit.wikimedia.org/r/676549

I have fixed two warnings from gulp-cssnano in this patch.
Started working on gulp-svg-sprite now. Hopefully, I will be able to fix it.

# Run  npm update y18n --depth 4  to resolve 2 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ y18n                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > yargs > y18n                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1654                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ y18n                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yargs [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ yargs > y18n                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1654                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/788                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/813                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > mocha > mkdirp > minimist     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > yargs > yargs-parser          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Misinterpretation of malicious XML input                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xmldom                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > xmldom                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1650                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ y18n                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.5||>=4.0.1 <5.0.0||>=3.2.2 <4.0.0                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > gulp-cli > yargs > y18n                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1654                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 8 vulnerabilities (3 low, 1 moderate, 4 high) in 1743 scanned packages
  run `npm audit fix` to fix 2 of them.
  6 vulnerabilities require manual review. See the full report for details.

Today when I was running npm audit I observed 8 vulnerabilities, some of them new because of the y18n package. I fixed 3 of them and the result is:

 === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/788                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/813                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > mocha > mkdirp > minimist     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > yargs > yargs-parser          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Misinterpretation of malicious XML input                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xmldom                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > xmldom                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1650                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 5 vulnerabilities (3 low, 1 moderate, 1 high) in 1743 scanned packages
  5 vulnerabilities require manual review. See the full report for details.

Change 676555 had a related patch set uploaded (by Bharatkhatri; author: Bharatkhatri):

[wikimedia/portals@master] Update/Fix npm dependencies for wikimedia/portals.git

https://gerrit.wikimedia.org/r/676555

Hey @Bharatkhatri351, it'd be appreciated if you could ask people if they're working on a task already, because it creates room for merge conflicts sometimes. Also, I have been working on this (claimed the task) :)

Hey @Bharatkhatri351, it'd be appreciated if you could ask people if they're working on a task already, because it creates room for merge conflicts sometimes. Also, I have been working on this (claimed the task) :)

Sorry for this, but I was working on this for the last few days.
Btw, you should ask before submitting a patch..
As you can see from my previous comments, I was working on this.
I didn't claim it, but that doesn't mean I am not working on it.
Thank you

@Bharatkhatri351
No one had claimed this task at the time I started working on it. Plus, you unassigned yourself a few days back.
It is always better to ask first, mate :)
Anyhow, I will continue with the work.

Btw, you should ask before submitting a patch..

That's not how we work... :) See also https://www.mediawiki.org/wiki/New_Developers#Communication

@Bharatkhatri351
No one had claimed this task at the time I started working on it. Plus, you unassigned yourself a few days back.
It is always better to ask first, mate :)
Anyhow, I will continue with the work.

But I never assigned this task to myself; I was working on it normally. My fault. But no worry, you can work on it if you have assigned it :)
Go for it ...

Btw, you should ask before submitting a patch..

That's not how we work... :) See also https://www.mediawiki.org/wiki/New_Developers#Communication

Ok @Aklapper
Thanks.
I will keep it in mind in future : )

@Tsiruot According to your commit you have worked on the gulp-cssnano dependency and I have worked on a different dependency, so I think it will not create any merge conflict. And in future, if my patch makes any merge conflict, I will surely abandon it :-)

Can I finish fixing the rest of the dependencies?

I am sorry @VrushtiMody, I have already started working on it. However, I'd inform you if I get stuck anywhere; you could give it a shot then.

Hey @VrushtiMody, fixing the rest of the dependencies requires a larger refactor.

Quoting @Jdrewniak here:

Unfortunately, both of those packages are on the latest version in package.json, so the only way to remove these errors would be to replace these dependencies entirely.
Therefore, I think we can leave this task open for now, since replacing either dependency would require a larger refactor.

If you want, you can go ahead and start working on it.
I won't be working on it for now.

snyk.io/test/npm/gulp-svg-sprite/1.5.0
Leaving this here for your reference.
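As an added triage example (not code from this task or from the portals repository): the thread works out by hand that the remaining js-yaml, minimist, yargs-parser and xmldom findings cannot be fixed by a version bump, because the direct dependencies that pull them in (gulp-cssnano, gulp-svg-sprite) are already at their latest release, so only replacing those dependencies clears the advisories. The script below automates that step over an `npm audit --json` report: it reads the direct dependency off the front of each advisory path, checks whether a newer release of it exists, and sorts the findings into "update the direct dependency" versus "replace or accept". The report object, the installed versions and the "latest" versions are constructed inline; advisory ids, modules, severities, patched ranges and paths are copied from the audit output above, except the y18n severity, which is assumed, and the JSON shape follows the npm 6 `--json` report as I understand it. In real use, `sampleReport` would be the parsed output of `npm audit --json` and `latest` would come from `npm view <pkg> version`.

```javascript
'use strict';

// CONSTRUCTED sample in the npm 6 `npm audit --json` shape (shape assumed).
// Ids, modules, severities, patched ranges and paths are from the task's audit
// output; the y18n severity is assumed.
const sampleReport = {
  advisories: {
    788:  { module_name: 'js-yaml', severity: 'moderate', title: 'Denial of Service',
            patched_versions: '>=3.13.0', url: 'https://npmjs.com/advisories/788',
            findings: [{ paths: ['gulp-cssnano>cssnano>postcss-svgo>svgo>js-yaml'] }] },
    813:  { module_name: 'js-yaml', severity: 'high', title: 'Code Injection',
            patched_versions: '>=3.13.1', url: 'https://npmjs.com/advisories/813',
            findings: [{ paths: ['gulp-cssnano>cssnano>postcss-svgo>svgo>js-yaml'] }] },
    1179: { module_name: 'minimist', severity: 'low', title: 'Prototype Pollution',
            patched_versions: '>=0.2.1 <1.0.0 || >=1.2.3', url: 'https://npmjs.com/advisories/1179',
            findings: [{ paths: ['gulp-svg-sprite>svg-sprite>mocha>mkdirp>minimist'] }] },
    1500: { module_name: 'yargs-parser', severity: 'low', title: 'Prototype Pollution',
            patched_versions: '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2',
            url: 'https://npmjs.com/advisories/1500',
            findings: [{ paths: ['gulp-svg-sprite>svg-sprite>yargs>yargs-parser'] }] },
    1650: { module_name: 'xmldom', severity: 'low', title: 'Misinterpretation of malicious XML input',
            patched_versions: '>=0.5.0', url: 'https://npmjs.com/advisories/1650',
            findings: [{ paths: ['gulp-svg-sprite>svg-sprite>xmldom'] }] },
    1654: { module_name: 'y18n', severity: 'low', title: 'Prototype Pollution', // severity assumed
            patched_versions: '>=5.0.5||>=4.0.1 <5.0.0||>=3.2.2 <4.0.0',
            url: 'https://npmjs.com/advisories/1654',
            findings: [{ paths: ['gulp>gulp-cli>yargs>y18n'] }] },
  },
};

// CONSTRUCTED: versions pinned in package.json and the newest version on the
// registry. Only gulp-svg-sprite@1.5.0 comes from the thread; the rest are placeholders.
const installed = { gulp: '4.0.0', 'gulp-cssnano': '2.1.3', 'gulp-svg-sprite': '1.5.0' };
const latest    = { gulp: '4.0.2', 'gulp-cssnano': '2.1.3', 'gulp-svg-sprite': '1.5.0' };

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Numeric comparison of dotted versions (x.y.z); no pre-release handling.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// The first segment of an audit path is the direct dependency that pulls in the vulnerable module.
function directDependency(path) {
  return path.split('>')[0];
}

// Classify every finding: a newer release of the direct dependency means "try updating it";
// a direct dependency already at its latest release can only be fixed by replacing it
// (or by accepting the risk for a dev-only tool), which is what the thread concludes.
function triageAudit(report, installedVersions, latestVersions) {
  const rows = [];
  for (const [id, adv] of Object.entries(report.advisories)) {
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        const direct = directDependency(path);
        const hasNewer = compareVersions(installedVersions[direct] || '0', latestVersions[direct] || '0') < 0;
        rows.push({
          id: Number(id), module: adv.module_name, severity: adv.severity, title: adv.title,
          direct, path, patched: adv.patched_versions,
          action: hasNewer ? 'update-direct' : 'replace-or-accept',
        });
      }
    }
  }
  // Highest severity first so the high js-yaml code-injection finding leads the list.
  return rows.sort((x, y) => SEVERITY_RANK[y.severity] - SEVERITY_RANK[x.severity] || x.id - y.id);
}

// Count rows by a field, e.g. by action or by direct dependency.
function countBy(rows, key) {
  return rows.reduce((acc, r) => { acc[r[key]] = (acc[r[key]] || 0) + 1; return acc; }, {});
}

// Demo run over the constructed data.
const triaged = triageAudit(sampleReport, installed, latest);
for (const r of triaged) {
  console.log(`${r.severity.padEnd(8)} #${r.id} ${r.path} -> ${r.action} (patched in ${r.patched})`);
}
console.log(countBy(triaged, 'action'), countBy(triaged, 'direct'));
```

On the constructed data the y18n finding is the only one routed to `update-direct` (gulp has a newer release), while all five findings under gulp-cssnano and gulp-svg-sprite land in `replace-or-accept`, matching the thread's conclusion. Grouping by `direct` is the useful view: it shows that two direct dependencies account for every remaining advisory, so the refactor cost is two replacements, not five fixes.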

Change 676549 merged by jenkins-bot:

[wikimedia/portals@master] Replaces deprecated gulp-cssnano with cssnano

https://gerrit.wikimedia.org/r/676549

I am interested in working on this.

Tsiruot added a subscriber: Tsiruot.

Change 676555 merged by jenkins-bot:

[wikimedia/portals@master] Update/Fix npm dependencies for wikimedia/portals.git

https://gerrit.wikimedia.org/r/676555