Botkit: Upgrade botbuilder dependency to v4.x.x to clear npm audit warnings

Created on 2 Oct 2018 · 10 Comments · Source: howdyai/botkit

Version of botkit installed - 0.16.16
Operating system - N/A

Summary

npm audit after installing botkit shows that there are 4 security issues. 3 of them can be resolved by updating botbuilder.

Some extra details

I was setting up botkit for the first time and npm threw me a few security warnings after I ran npm install botkit --save. When I checked npm audit I received the following results.

npm audit --production

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   botkit

  Path            botkit > botbuilder > jsonwebtoken > joi > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   botkit

  Path            botkit > botbuilder > jsonwebtoken > joi > topo > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Out-of-bounds Read

  Package         base64url

  Patched in      >=3.0.0

  Dependency of   botkit

  Path            botkit > botbuilder > base64url

  More info       https://nodesecurity.io/advisories/658


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   botkit

  Path            botkit > vorpal > inquirer > lodash

  More info       https://nodesecurity.io/advisories/577

found 4 vulnerabilities (1 low, 3 moderate) in 7048 scanned packages
  4 vulnerabilities require manual review. See the full report for details.

Happy to switch this report over to json format if it helps.

I investigated the chain of dependencies to see at which point each dependency updated its references to hoek to remove the security issue. The results are:

  • botbuilder - Removed jsonwebtoken in v4.0.6
  • jsonwebtoken - Removed joi as a dependency entirely and then bumped the maintained line to v8. An attempt was made in the past to upgrade joi but was rolled back due to breaking changes.
  • joi - Seems to have updated hoek dependency in v8.1.0. jsonwebtoken depends on ^v6.10.1
  • topo - Updated to a safe version of hoek in v2.0.1 which included this commit. jsonwebtoken depends on v1.10.0

I included this chain in case it's helpful to decide whether the botkit project needs to change its dependencies or whether any of the projects on the dependency tree need a PR to help resolve this issue.


This is my first time submitting an issue to a big project so feedback is welcome on making better issue submissions 😄

Labels: Microsoft-Bot Framework-related, bug, next_release
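As an added example (not code from this issue, from Botkit, or from any of the packages named in the audit), the following Node script redoes the reporter's investigation by hand: it walks a dependency tree shaped like the audit's paths, finds every route to hoek, base64url and lodash, and checks each installed version against the advisory's "Patched in" range. The package names, paths and ranges are taken from the audit output above; the tree itself, its version numbers, and the shape of the "upgraded botbuilder" are constructed assumptions for illustration.

```javascript
'use strict';
// Added example, not code from the Botkit issue or from any project named in it.
// It redoes by hand what `npm audit` did for the report above: walk an installed
// dependency tree, collect every path to a package named in an advisory, and test
// the installed version against the advisory's "Patched in" range.
// The tree is CONSTRUCTED to match the paths printed in the audit; its version
// numbers are assumptions for illustration, not what botkit actually shipped.
const installed = {
  name: 'botkit', version: '0.6.16',
  dependencies: {
    botbuilder: { version: '3.15.0', dependencies: {
      base64url: { version: '2.0.0', dependencies: {} },
      jsonwebtoken: { version: '7.4.3', dependencies: {
        joi: { version: '6.10.1', dependencies: {
          hoek: { version: '2.16.3', dependencies: {} },
          topo: { version: '1.1.0', dependencies: {
            hoek: { version: '2.16.3', dependencies: {} },
          } },
        } },
      } },
    } },
    vorpal: { version: '1.12.0', dependencies: {
      inquirer: { version: '0.11.4', dependencies: {
        lodash: { version: '3.10.1', dependencies: {} },
      } },
    } },
  },
};

// "Patched in" ranges copied from the audit output above.
const advisories = [
  { pkg: 'hoek',      patched: '> 4.2.0 < 5.0.0 || >= 5.0.3', title: 'Prototype pollution' },
  { pkg: 'base64url', patched: '>=3.0.0',                    title: 'Out-of-bounds Read' },
  { pkg: 'lodash',    patched: '>=4.17.5',                   title: 'Prototype Pollution' },
];

// Minimal semver: "major.minor.patch" only (no prerelease tags), which is all the
// ranges above need. Anything else is rejected rather than silently mis-parsed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Range grammar: alternatives separated by "||", each a conjunction of comparators
// such as ">4.2.0", ">= 5.0.3", "<5.0.0". A clause with leftover text is an error.
const COMPARATOR = /(>=|<=|>|<|=)\s*\d+\.\d+\.\d+/g;
function satisfies(version, range) {
  return range.split('||').some((clause) => {
    const comparators = clause.match(COMPARATOR) || [];
    if (comparators.length === 0 || clause.replace(COMPARATOR, '').trim() !== '') {
      throw new Error(`unsupported range clause: "${clause}"`);
    }
    return comparators.every((c) => {
      const [, op, v] = /^(>=|<=|>|<|=)\s*(.+)$/.exec(c);
      const d = compare(version, v);
      return { '>': d > 0, '>=': d >= 0, '<': d < 0, '<=': d <= 0, '=': d === 0 }[op];
    });
  });
}

// Every path from the root to a dependency called `name`, in tree order.
function findPaths(node, name, trail) {
  const hits = [];
  for (const [dep, child] of Object.entries(node.dependencies || {})) {
    const path = [...trail, dep];
    if (dep === name) hits.push({ path: path.join(' > '), version: child.version });
    hits.push(...findPaths(child, name, path));
  }
  return hits;
}

// One finding per advisory per path, flagged vulnerable when the installed
// version falls outside the patched range: the same rows npm audit printed.
function audit(tree, advs) {
  const findings = [];
  for (const adv of advs) {
    for (const hit of findPaths(tree, adv.pkg, [tree.name])) {
      findings.push({ ...adv, ...hit, vulnerable: !satisfies(hit.version, adv.patched) });
    }
  }
  return findings;
}

// Assumed post-fix shape: a botbuilder that no longer pulls in jsonwebtoken (and
// so neither joi, topo nor hoek) and ships a base64url in the patched range.
function withBotbuilderUpgraded(tree) {
  const copy = JSON.parse(JSON.stringify(tree));
  copy.dependencies.botbuilder = { version: '3.16.0', dependencies: {
    base64url: { version: '3.0.1', dependencies: {} },
  } };
  return copy;
}

function report(tree) {
  return audit(tree, advisories).map((f) =>
    `${f.vulnerable ? 'VULN' : 'ok  '} ${f.title.padEnd(19)} ${f.path} (${f.version}; patched in ${f.patched})`);
}

console.log(report(installed).join('\n'));
console.log('after botbuilder upgrade:\n' + report(withBotbuilderUpgraded(installed)).join('\n'));
```

The `installed` object has the same nested `dependencies`/`version` shape that `npm ls --json` prints, so the constructed tree can be swapped for real output from a project. Run as written, the first report reproduces the four rows from the audit above, and the second shows that replacing botbuilder clears the three rows under it and leaves only the vorpal > inquirer > lodash path, which is the split the issue describes.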

All 10 comments

I've never used botbuilder, but I looked into this thinking that it could be easy to upgrade.

I was wrong, BotBuilder integration is based on ChatConnector which seems to be missing in v4.
So a full rewrite is necessary.
@Stevenic As the original author and the only contributor to BotFramework.js, are you going to upgrade it to work with BotBuilder v4?

We're going to get this upgraded to work with v4 in the next rev.

@benbrown Looks like this didn't happen in the latest release, v0.7.0 - https://github.com/howdyai/botkit/blob/master/changelog.md#070
Is there still a plan to get this upgraded and remove the security warnings?

Yes lots of BOTBUILDER love coming soon!

Could we get an ETA please? GitHub is flagging our project due to the hoek vulnerability. I am unable to manually use v4 of botbuilder; I think botkit is not letting me do it. After reading @Naktibalda's comment I realized why it wouldn't let me do that.

botkit 0.7 seems to be working fine with botbuilder v4, just tested it. Ignore my previous comment. Thanks!

It is working fine if you aren't actually using botbuilder in your bot.
The best solution would be to separate all different network integrations to separate npm modules.

Ah, that makes sense.

@Naktibalda we're planning to do that in the not too distant future.

I'm also trying to get a new version of BotBuilder v3 published that has these dependencies updated.

I published a new version of BotBuilder this morning that clears up these security issues.

I also published a new version of Botkit! 0.7.2 should no longer complain about these out of date packages.
