=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Regular Expression Denial of Service
Package acorn
Patched in >=7.1.1
Dependency of jest [dev]
Path jest > @jest/core > @jest/reporters > jest-runtime >
jest-config > jest-environment-jsdom > jsdom > acorn-globals
> acorn
More info https://npmjs.com/advisories/1488
Moderate Regular Expression Denial of Service
Package acorn
Patched in >=7.1.1
Dependency of jest [dev]
Path jest > jest-cli > @jest/core > @jest/reporters >
jest-runtime > jest-config > jest-environment-jsdom > jsdom
> acorn-globals > acorn
More info https://npmjs.com/advisories/1488
Moderate Regular Expression Denial of Service
Package acorn
Patched in >=7.1.1
Dependency of jest [dev]
Path jest > @jest/core > jest-runner > jest-jasmine2 >
jest-runtime > jest-config > jest-environment-jsdom > jsdom
> acorn-globals > acorn
More info https://npmjs.com/advisories/1488
Moderate Regular Expression Denial of Service
Package acorn
Patched in >=7.1.1
Dependency of jest [dev]
Path jest > jest-cli > @jest/core > jest-runner > jest-jasmine2 >
jest-runtime > jest-config > jest-environment-jsdom > jsdom
> acorn-globals > acorn
More info https://npmjs.com/advisories/1488
Moderate Regular Expression Denial of Service
Package acorn
Patched in >=7.1.1
Dependency of jest [dev]
Path jest > @jest/core > jest-runner > jest-runtime > jest-config
> jest-environment-jsdom > jsdom > acorn-globals > acorn
More info https://npmjs.com/advisories/1488
[...snip...]
I believe the root issue is with acorn-globals, which has an acorn v6 dependency in the package.json.
The latest jsdom package.json depends on acorn-globals v4.3.4 which is the latest release. The overall jest ecosystem depends on jsdom, so it gets dragged into this mess.
When the dependency of _jsdom_ is upgraded from ^15.1.1 to ^16.2.0 (see https://github.com/facebook/jest/blob/master/packages/jest-environment-jsdom/package.json#L18) then the indirect dependency of _acorn_ will be ^7.1.0 (instead of ^6.1.1). Finally 7.1.1 has the security fix.
For anyone having this:
yarn add ForbesLindesay/acorn-globals#greenkeeper/acorn-7.1.1
# or if in monorepo setup
yarn add -W ForbesLindesay/acorn-globals#greenkeeper/acorn-7.1.1
# or npm
npm i ForbesLindesay/acorn-globals#greenkeeper/acorn-7.1.1
Until https://github.com/ForbesLindesay/acorn-globals/pull/50 or https://github.com/ForbesLindesay/acorn-globals/pull/56 (@EmmaGoodliffe's) get merged.
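As an added example (not code from this thread, from jest or from npm), here is a small Node.js script that reproduces the kind of "Path" report npm audit prints above: it walks a constructed dependency graph shaped like the jest > ... > jsdom > acorn-globals > acorn chain and lists every path ending at an acorn version not covered by the fixed releases, so the effect of the jsdom ^15 to ^16 bump described above can be checked. Graph shape, installed versions (including acorn-globals 6.0.0 / acorn 7.1.1 for the post-upgrade tree) and the fixed-version list passed to the functions are assumptions for illustration.

```javascript
// Compare two "x.y.z" versions numerically: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Patched if a fixed release on the same major line is not newer than `version` (so a
// backport such as 6.4.1 covers 6.x), or if its major is newer than every fixed release.
function isPatched(version, fixedVersions) {
  const major = v => Number(v.split('.')[0]);
  if (major(version) > Math.max(...fixedVersions.map(major))) return true;
  return fixedVersions.some(f => major(f) === major(version) && compareVersions(version, f) >= 0);
}

// Depth-first walk from `root`; returns every "a > b > ... > target" path whose installed
// `target` version is not covered by `fixedVersions`, like the "Path" lines in the report.
function findVulnerablePaths(graph, root, target, fixedVersions) {
  const found = [];
  const visit = (name, path) => {
    if (path.includes(name) || !graph[name]) return;   // skip cycles and unknown nodes
    const here = [...path, name];
    if (name === target) {
      if (!isPatched(graph[name].version, fixedVersions)) found.push(here.join(' > '));
      return;
    }
    graph[name].deps.forEach(dep => visit(dep, here));
  };
  visit(root, []);
  return found;
}

// Constructed graph (shortened jest tree, one installed version per package) before the fix.
const beforeUpgrade = {
  jest: { version: '25.1.0', deps: ['@jest/core', 'jest-cli'] },
  'jest-cli': { version: '25.1.0', deps: ['@jest/core'] },
  '@jest/core': { version: '25.1.0', deps: ['@jest/reporters', 'jest-runner'] },
  '@jest/reporters': { version: '25.1.0', deps: ['jest-runtime'] },
  'jest-runner': { version: '25.1.0', deps: ['jest-runtime'] },
  'jest-runtime': { version: '25.1.0', deps: ['jest-config'] },
  'jest-config': { version: '25.1.0', deps: ['jest-environment-jsdom'] },
  'jest-environment-jsdom': { version: '25.1.0', deps: ['jsdom'] },
  jsdom: { version: '15.2.1', deps: ['acorn-globals'] },
  'acorn-globals': { version: '4.3.4', deps: ['acorn'] },
  acorn: { version: '6.4.0', deps: [] },
};
// Same tree after the jsdom ^16 bump (assumed: jsdom 16.2.1 -> acorn-globals 6.0.0 -> acorn 7.1.1).
const afterUpgrade = { ...beforeUpgrade,
  jsdom: { version: '16.2.1', deps: ['acorn-globals'] },
  'acorn-globals': { version: '6.0.0', deps: ['acorn'] },
  acorn: { version: '7.1.1', deps: [] },
};
```

Passing `['7.1.1']` as the fixed list mirrors the report's "Patched in >=7.1.1"; adding `'6.4.1'` models the backport mentioned later in the thread, which makes an installed acorn 6.4.1 count as patched without the jsdom upgrade.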
FWIW [email protected] is published.
jsdom 16.2.1 is released and acorn is upgraded to 7.1.1
https://github.com/jsdom/jsdom/blob/master/package.json#L24
Thanks
@railsstudent Can you please help me with the steps to fix this issue?
Upgrading JSDOM is a breaking change, so it won't be done until the next major. You can use jest-environment-jsdom-sixteen if you want to use a version of JSDOM without the "vulnerability", but npm will still complain as Jest itself depends on jsdom@15 and will for the duration of jest@25.
This is yet another case of npm complaining about regex DoS attacks against a dev dependency, so 0% chance of it being exploited 🤷‍♂️
That said, I'm not getting this warning?
$ docker run -it node:13-alpine sh -c 'mkdir dir; cd dir; npm init -y; npm i -D jest; npm audit'
Wrote to /dir/package.json:
{
"name": "dir",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC"
}
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^2.1.2 (node_modules/jest-haste-map/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN [email protected] No description
npm WARN [email protected] No repository field.
+ [email protected]
added 486 packages from 285 contributors and audited 1203821 packages in 23.344s
23 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
=== npm audit security report ===
found 0 vulnerabilities
in 1203821 scanned packages
@SimenB Together with the "kind-of" dependency vulnerability mentioned in https://github.com/facebook/jest/issues/9648 (which is closed as duplicate), it looks a bit different in our project:
found 39465 vulnerabilities (39451 low, 14 moderate) in 1223109 scanned packages
Where almost all results are coming from jest. Two days ago there were 0 vulnerabilities.
The fix was backported to acorn 6.4.1 here. At the time of this writing, new installs should not have any reported vulns.
If you have an existing install, make sure you are using the latest version of jest 25.1.0. You can run npm audit fix or whatever the yarn equivalent is.
I believe this issue should now be closed.