Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

chore(deps): update vulnerable dependencies #2273

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kittaakos merged 1 commit into main from dependabot
Nov 9, 2023
Merged

chore(deps): update vulnerable dependencies #2273

kittaakos merged 1 commit into main from dependabot
Nov 9, 2023

Conversation

@kittaakos
Copy link
Contributor

@kittaakos kittaakos commented Nov 2, 2023
edited
Loading

Motivation

To fix security issues.

Change description

Other information

TODOs:
@kittaakos will verify:

  • the correctness of the @theia/cli (for @babel/traverse@7.23.2),
  • the cloud sketches feature in IDE2 (for crypto-js@4.2.0),

@rhpco, please help with the security review. Thank you! If all works correctly, IDE2 will be down to zero security alerts.

Current behavior:

% yarn audit
yarn audit v1.22.19
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical │ Babel vulnerable to arbitrary code execution when compiling │
│ │ specifically crafted malicious code │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ @babel/traverse │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in>=7.23.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @theia/cli │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @theia/cli > @theia/application-manager > @babel/core > │
│ │ @babel/traverse │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1094446 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical │ Babel vulnerable to arbitrary code execution when compiling │
│ │ specifically crafted malicious code │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ @babel/traverse │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in>=7.23.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @theia/cli │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @theia/cli > @theia/application-manager > @babel/core > │
│ │ @babel/helpers > @babel/traverse │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1094446 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical │ crypto-js PBKDF2 1,000 times weaker than specified in 1993 │
│ │ and 1.3M times weaker than current standard │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ crypto-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in>=4.2.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ arduino-ide-extension │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ arduino-ide-extension > auth0-js > idtoken-verifier > │
│ │ crypto-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1094468 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical │ crypto-js PBKDF2 1,000 times weaker than specified in 1993 │
│ │ and 1.3M times weaker than current standard │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ crypto-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in>=4.2.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ electron-app │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ electron-app > arduino-ide-extension > auth0-js > │
│ │ idtoken-verifier > crypto-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1094468 │
└───────────────┴──────────────────────────────────────────────────────────────┘
4 vulnerabilities found - Packages audited: 2046
Severity: 4 Critical
✨ Done in 1.95s.

Expected behavior:

% yarn audit
yarn audit v1.22.19
0 vulnerabilities found - Packages audited: 2046
✨ Done in 2.26s.

GitHub Advisory Database refs:

Upstream: eclipse-theia/theia#13024

Reviewer checklist

  • PR addresses a single concern.
  • The PR has no duplicates (please search among the Pull Requests before creating one)
  • PR title and description are properly filled.
  • Docs have been added / updated (for bug fixes / features)

@kittaakos kittaakos added the topic: security Related to the protection of user data label Nov 2, 2023
@kittaakos kittaakos self-assigned this Nov 2, 2023 
- Forced the resolution of `@babel/traverse@7.23.2` brought in by
`@theia/cli`. (eclipse-theia/theia#13024)
- Updated to `auth0-js@9.21.3` to transitively pull `crypto-js@4.2.0` in
with the security fixes.
GitHub Advisory Database refs:
 - GHSA-67hx-6x53-jw92
 - GHSA-xwcq-pm8m-c4vf
Signed-off-by: Akos Kitta <a.kitta@arduino.cc>
Copy link

@rhpco rhpco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@per1234 per1234 added topic: infrastructure Related to project infrastructure type: imperfection Perceived defect in any part of project labels Nov 3, 2023
Copy link
Contributor Author

@kittaakos will verify:

  • the correctness of the @theia/cli (for @babel/traverse@7.23.2),
  • the cloud sketches feature in IDE2 (for crypto-js@4.2.0),

It's working with 2.2.2-snapshot-f7c6da3.

Copy link
Contributor

@francescospissu francescospissu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@kittaakos kittaakos merged commit 22a69f7 into main Nov 9, 2023
@kittaakos kittaakos deleted the dependabot branch November 9, 2023 10:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@francescospissu francescospissu francescospissu approved these changes

@per1234 per1234 Awaiting requested review from per1234

+1 more reviewer

@rhpco rhpco rhpco approved these changes

Reviewers whose approvals may not affect merge requirements

Labels

topic: infrastructure Related to project infrastructure topic: security Related to the protection of user data type: imperfection Perceived defect in any part of project

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

AltStyle によって変換されたページ (->オリジナル) /