portals.git
Closed, ResolvedPublicSecurity
Actions

Assigned To

None

Authored By

	MarcoAurelio
	Sep 11 2020, 10:22 AM

Description

npm audit in rWPOR wikimedia-portals reports 11 vulnerabilities, (7 low, 1 moderate, 3 high).

This task involves running npm audit --fix to fix 7 of them.

The remaining 4 packages should be reviewed to see if they can be updated manually.

Results:

npm audit

                       === npm audit security report ===                        
                                                                                
# Run  npm install --save-dev bundlesize@0.18.1  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ bundlesize [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ bundlesize > axios                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1594                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm update ini --depth 8  to resolve 5 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ini                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ bundlesize [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ bundlesize > brotli-size > iltorb > prebuild-install > rc >  │
│               │ ini                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1589                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ini                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > gulp-cli > liftoff > findup-sync > resolve-dir >      │
│               │ global-modules > global-prefix > ini                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1589                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ini                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > gulp-cli > matchdep > findup-sync > resolve-dir >     │
│               │ global-modules > global-prefix > ini                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1589                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ini                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-load-plugins [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-load-plugins > findup-sync > resolve-dir >              │
│               │ global-modules > global-prefix > ini                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1589                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ini                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint-config-wikimedia [dev]                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint-config-wikimedia > stylelint > global-modules >    │
│               │ global-prefix > ini                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1589                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm update github-build --depth 2  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ bundlesize [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ bundlesize > github-build > axios                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1594                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/788                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/813                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > mocha > mkdirp > minimist     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1179                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > yargs > yargs-parser          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1500                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 11 vulnerabilities (7 low, 1 moderate, 3 high) in 1735 scanned packages

Details

Author Affiliation: Wikimedia Communities

Subject	Repo	Branch	Lines +/-
Update/Fix npm dependencies for wikimedia/portals.git	wikimedia/portals	master	+9 -7
Replaces deprecated gulp-cssnano with cssnano	wikimedia/portals	master	+618 -439
Fix npm dependencies for wikimedia/portals	wikimedia/portals	master	+49 -64
Remove PNG fallback workflow for SVG sprites	wikimedia/portals	master	+4 -1 K

Customize query in gerrit

Related Objects

Mentioned In: T273179: Update the front-page of Wikimedia projects
Mentioned Here: T273179: Update the front-page of Wikimedia projects

Event Timeline

MarcoAurelio created this task.Sep 11 2020, 10:22 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 11 2020, 10:22 AM

MarcoAurelio added projects: Discovery-ARCHIVED, Discovery-Portal-Backlog, Wikimedia-Portals.Sep 11 2020, 10:23 AM

npm audit fix git diff result

[maurelio@ubuntu portals](master)$ git diff
diff --git a/package-lock.json b/package-lock.json
index 27492e46..af0f3c72 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -4126,9 +4126,9 @@
                        }
                },
                "bl": {
-                       "version": "4.0.2",
-                       "resolved": "https://registry.npmjs.org/bl/-/bl-4.0.2.tgz",
-                       "integrity": "sha512-j4OH8f6Qg2bGuWfRiltT2HYGx0e1QcBTrK9KAHNMwMZdQnDZFk0ZSYIpADjYCB3U12nicC5tVJwSIhwOWjb4RQ==",
+                       "version": "4.0.3",
+                       "resolved": "https://registry.npmjs.org/bl/-/bl-4.0.3.tgz",
+                       "integrity": "sha512-fs4G6/Hu4/EE+F75J8DuN/0IpQqNjAdC7aEQv7Qt8MHGUH7Ckv2MwTEEeN9QehD0pfIDkMI1bkHYkKy7xHyKIg==",
                        "dev": true,
                        "requires": {
                                "buffer": "^5.5.0",

Yet 20 remains unsolved. Fix for that at https://gerrit.wikimedia.org/r/c/wikimedia/portals/+/626637

Above patch merged by @Jdforrester-WMF.

Looks like half the gulp world is abandonware now. :-( Maybe we should shift it over to Grunt? Meh.

sbassett moved this task from Incoming to Watching on the Security-Team board.Sep 14 2020, 9:10 PM

Jdrewniak mentioned this in T273179: Update the front-page of Wikimedia projects.Jan 28 2021, 11:48 AM

@Jdrewniak you linked this in T273179 as a microtask but it's private, so most people won't be able to see it. Given that anyone can just run npm audit, any reason not to make this public? It's also all listed at https://libraryupgrader2.wmcloud.org/vulns/npm ...

Since these are all dev dependencies fwict, it's probably not a big deal to make this particular task public. Though there are at least some marginal risks:

gulp (and its vulnerable dependencies) still appears to be used to build various artifacts that end up in production.
while it's trivial to run various security tools against public repos, the confirmation of existing vulnerabilities (which tasks like this implicitly do) for a specific repo does provide an additional layer of convenience for an attacker.

@Legoktm It's true that these vulnerabilities are easily exposed just by running npm audit so I don't see much risk in making this task public.

@sbassett Although Gulp is used to create production artifacts, those are all still manually reviewed prior to merging, and given that the development on this repo is very light, I think any malicious code in those artifacts (e.g. JS) would be visible just by virtue of it being the only change to those files in a long time :P

I have also created a patch which brings down these vulnerabilities from 22 to 11 by removing a PNG fallback workflow, so that should help.

https://gerrit.wikimedia.org/r/c/wikimedia/portals/+/666606

Jdrewniak triaged this task as Medium priority.Feb 24 2021, 12:01 PM

Jdrewniak removed a project: Security.

Jdrewniak added a project: Security.

Jdrewniak added a subscriber: Volker_E.Feb 24 2021, 6:18 PM

sbassett moved this task from Watching to Incoming on the Security-Team board.Feb 26 2021, 8:50 PM

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 1 2021, 4:07 PM

sbassett changed the edit policy from "Custom Policy" to "All Users".

sbassett moved this task from Incoming to Watching on the Security-Team board.Mar 1 2021, 4:11 PM

RhinosF1 subscribed.Mar 1 2021, 4:34 PM

sbassett added a project: SecTeam-Processed.Mar 1 2021, 4:44 PM

Jdrewniak updated the task description. (Show Details)Mar 11 2021, 12:07 PM

Change 670821 had a related patch set uploaded (by Bharatkhatri; owner: Bharatkhatri):
[wikimedia/portals@master] Fix npm dependencies for wikimedia/portals

https://gerrit.wikimedia.org/r/670821

gerritbot added a project: Patch-For-Review.Mar 11 2021, 1:52 PM

This task involves running npm audit --fix to fix 7 of them.

Fixed 7 of them...using npm audit fix...
how can remaining dependicies can be fixed manually?

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/788                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/813                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > mocha > mkdirp > minimist     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > yargs > yargs-parser          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

here
svgo is using "js-yaml": "~3.7.0",
mkdirp is using "minimist": "^1.2.5"
yargs is using "yargs-parser": "^18.1.2"
dependencies
These needed to be fixed

@Bharatkhatri351 thank you for the patch!
The offending modules from that output are:

gulp-svg-sprite
gulp-cssnano

Unfortunately, both of those packages are on the latest version in package.json, so the only way to remove these errors would be to replace these dependencies entirely.
Therefore, I think we can leave this task open for now, since replacing either dependency would require a larger refactor.

@Jdrewniak
thats fine..
hope they will be fixed in future..

Change 670821 merged by jenkins-bot:
[wikimedia/portals@master] Fix npm dependencies for wikimedia/portals

https://gerrit.wikimedia.org/r/670821

Maintenance_bot removed a project: Patch-For-Review.Mar 12 2021, 2:11 PM

Iniquity moved this task from Untriaged to CI / Infrastructure on the Wikimedia-Portals board.Mar 13 2021, 3:50 PM

Is this issue open? May I work on it please?

@Helix17: Hi and welcome. Please see the previous comments; for the status see the line below the task summary/title.
What's left in this task is to review the remaining 4 packages to see if they can be updated manually.

In T262658#6932447, @Aklapper wrote:

@Helix17: Hi and welcome. Please see the previous comments; for the status see the line below the task summary/title.
What's left in this task is to review the remaining 4 packages to see if they can be updated manually.

Sure, I will get started. Just wanted to check a few things: this is the repository LINK right?

Change 676549 had a related patch set uploaded (by Ishan Saini; author: Ishan Saini):

[wikimedia/portals@master] Replaces deprecated gulp-cssnano with cssnano

https://gerrit.wikimedia.org/r/676549

gerritbot added a project: Patch-For-Review.Apr 2 2021, 8:51 AM

Tsiruot claimed this task.Apr 2 2021, 8:52 AM

I have fixed two warnings from gulp-cssnano in this patch.
Started working on gulp-svg-sprite now. Hopefully, I will be able to fix it.

# Run  npm update y18n --depth 4  to resolve 2 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ y18n                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > yargs > y18n                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1654                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ y18n                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yargs [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ yargs > y18n                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1654                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/788                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/813                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > mocha > mkdirp > minimist     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > yargs > yargs-parser          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Misinterpretation of malicious XML input                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xmldom                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > xmldom                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1650                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ y18n                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.5||>=4.0.1 <5.0.0||>=3.2.2 <4.0.0                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > gulp-cli > yargs > y18n                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1654                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 8 vulnerabilities (3 low, 1 moderate, 4 high) in 1743 scanned packages
  run `npm audit fix` to fix 2 of them.
  6 vulnerabilities require manual review. See the full report for details.

Today when i was running npm audit i observed 8 vulnerabilities some of them are new because of y18n package and i fixed 3 of them and result is

 === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/788                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-cssnano [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-cssnano > cssnano > postcss-svgo > svgo > js-yaml       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/813                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > mocha > mkdirp > minimist     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > yargs > yargs-parser          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Misinterpretation of malicious XML input                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xmldom                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg-sprite [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg-sprite > svg-sprite > xmldom                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1650                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 5 vulnerabilities (3 low, 1 moderate, 1 high) in 1743 scanned packages
  5 vulnerabilities require manual review. See the full report for details.

Change 676555 had a related patch set uploaded (by Bharatkhatri; author: Bharatkhatri):

[wikimedia/portals@master] Update/Fix npm dependencies for wikimedia/portals.git

https://gerrit.wikimedia.org/r/676555

Hey @Bharatkhatri351 , It'd be appreciated if you could ask people if they're working on a task already because it creates a room for merge conflicts sometimes. Also, I have been working on this (claimed the task) :)

In T262658#6967502, @Tsiruot wrote:

Hey @Bharatkhatri351 , It'd be appreciated if you could ask people if they're working on a task already because it creates a room for merge conflicts sometimes. Also, I have been working on this (claimed the task) :)

Sorry for this but i was working on this from last some days
btw you should have to ask before submitting a patch..
As you can see my previous comments. i was working on this.
I didn't claimed it doesn't mean i am not working.
Thank you

@Bharatkhatri351
No one claimed this task at the time I started working on it. Plus, you unassigned yourself a few days back.
It is always better to ask first mate :)
Anyhow, I will continue with the work.

btw you should have to ask before submitting a patch..

That's not how we work... :) See also https://www.mediawiki.org/wiki/New_Developers#Communication

In T262658#6967565, @Tsiruot wrote:

@Bharatkhatri351
No one claimed this task at the time I started working on it. Plus, you unassigned yourself a few days back.
It is always better to ask first mate :)
Anyhow, I will continue with the work.

But I have never assigned this task for me i was working on this normally my fault But No worry You can work on it if you have assigned it:)
Go for it ...

In T262658#6967566, @Aklapper wrote:

btw you should have to ask before submitting a patch..

That's not how we work... :) See also https://www.mediawiki.org/wiki/New_Developers#Communication

Ok @Aklapper
Thanks.
I will keep in mind in future : )

@Tsiruot According to your commit you have worked on gulp css nano dependency and i have worked on differnt dependency i think it will not create any merge conflict. and for future if my patch make any merge conflict. I will surely abondend it :-)

Can I finish fixing the rest of the dependencies?

I am sorry @VrushtiMody , I have already started working on it. However, I'd inform you if I get stuck anywhere, you could give it a shot then.

Hey @VrushtiMody , fixing rest of the dependencies require a larger refactor.

Quoting @Jdrewniak here :

Unfortunately, both of those packages are on the latest version in package.json, so the only way to remove these errors would be to replace these dependencies entirely.
Therefore, I think we can leave this task open for now, since replacing either dependency would require a larger refactor.

If you want, you can go ahead and start working on it.
I won't be working on it for now.

snyk.io/test/npm/gulp-svg-sprite/1.5.0
Leaving this here for your reference.

Change 676549 merged by jenkins-bot:

[wikimedia/portals@master] Replaces deprecated gulp-cssnano with cssnano

https://gerrit.wikimedia.org/r/676549

I am interested in working on this.

Tsiruot removed Tsiruot as the assignee of this task.Apr 15 2021, 8:46 AM

Tsiruot subscribed.

Change 676555 merged by jenkins-bot: