node-forge < 0.10.0 has a high severity security vulnerability

package.json:

```json
{
  "dependencies": {
    "parcel": "^1.12.4"
  }
}
```
No audit failures
Running `npm install` and then `npm audit` gives the following output:
```
┌───────────────┬───────────────────────────────────┐
│ High          │ Prototype Pollution in node-forge │
├───────────────┼───────────────────────────────────┤
│ Package       │ node-forge                        │
├───────────────┼───────────────────────────────────┤
│ Patched in    │ >= 0.10.0                         │
├───────────────┼───────────────────────────────────┤
│ Dependency of │ parcel                            │
├───────────────┼───────────────────────────────────┤
│ Path          │ parcel > node-forge               │
├───────────────┼───────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1561 │
└───────────────┴───────────────────────────────────┘
found 1 high severity vulnerability in 746 scanned packages
  1 vulnerability requires manual review. See the full report for details.
```
Upgrade to node-forge >= 0.10.0
| Software         | Version(s) |
| ---------------- | ---------- |
| Parcel           | 1.12.4     |
| Node             | 12.16.1    |
| npm/Yarn         | npm 6.14.8 |
| Operating System | macOS      |
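To locate every copy of a package that is still below the advisory's patched version (the `parcel > node-forge` path that `npm audit` reports above), here is an added example of walking an npm 6 `package-lock.json` (`lockfileVersion` 1) dependency tree. It is not code from the issue or from Parcel; the lock-file fragment and the `0.9.0` version in it are constructed for illustration.

```javascript
// Added example: find resolved copies of a package below a fixed-in version
// by walking the nested "dependencies" objects of an npm 6 package-lock.json.

// Parse "major.minor.patch" (ignoring any pre-release suffix) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version a is strictly lower than version b.
function versionLess(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Recursively walk the lock-file tree; record each match below fixedIn
// together with its dependency path, in the same "a > b" form npm audit prints.
function findVulnerable(deps, name, fixedIn, path = [], out = []) {
  for (const [depName, meta] of Object.entries(deps || {})) {
    const here = [...path, depName];
    if (depName === name && versionLess(meta.version, fixedIn)) {
      out.push({ path: here.join(' > '), version: meta.version });
    }
    findVulnerable(meta.dependencies, name, fixedIn, here, out);
  }
  return out;
}

// Constructed lock-file fragment (not a real Parcel lock file): one nested
// node-forge below 0.10.0 under parcel, one already patched elsewhere.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    parcel: {
      version: '1.12.4',
      dependencies: { 'node-forge': { version: '0.9.0' } },
    },
    'other-tool': {
      version: '2.0.0',
      dependencies: { 'node-forge': { version: '0.10.0' } },
    },
  },
};

// Run the check against the sample; on a real project, replace sampleLock with
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
function auditSample() {
  return findVulnerable(sampleLock.dependencies, 'node-forge', '0.10.0');
}

console.log(JSON.stringify(auditSample()));
```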
This has already been reported, and fixed in Parcel 2.
This is also not a high vulnerability, npm just flagged this incorrectly... as usual
Thanks for the quick response @DeMoorJasper
> This has already been reported, and fixed in Parcel 2.

AFAIK parcel 2 is currently not currently stable - npm lists it as being in the first beta and so this "fix" is not currently released.
Do you have a deprecation plan for Parcel 1? You will have to support both versions for a period of time while users migrate. It is good practice to apply security fixes / patches for a grace period while people migrate their code.
> This is also not a high vulnerability, npm just flagged this incorrectly... as usual

Hmm. Snyk has it listed as high as well - https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677 . What is your source for saying it has been "flagged incorrectly"?

Even if the vulnerability is not high, it's good practice to avoid _all_ security vulnerabilities if possible.

I've upgraded node-forge and run all of the parcel tests and everything seems fine. If I raise a PR, is there any chance it will be merged?
@paulbrimicombe my source for it not being as severe as flagged is the changelog of node-forge, it was an unused legacy util... we definitely don't use it in Parcel. Hopefully npm will start doing proper code analysis at some point (now that they've been acquired by GitHub) to stop wasting time with these false positive warnings.
The chance of something getting merged into Parcel 1 is small, @devongovett is the only person who can push to npm so he's the only one who can fix this. I've brought this up internally but haven't received any response to that so seems unlikely.
The CI for Parcel 1 is very broken, so a PR wouldn't really help a lot unfortunately. We kinda messed up when trying to merge Parcel 1 and Parcel 2 into one branch.
> The chance of something getting merged into Parcel 1 is small, @devongovett is the only person who can push to npm so he's the only one who can fix this. I've brought this up internally but haven't received any response to that so seems unlikely.
>
> The CI for Parcel 1 is very broken, so a PR wouldn't really help a lot unfortunately. We kinda messed up when trying to merge Parcel 1 and Parcel 2 into one branch.
We have other issues with Parcel 1 at the moment that are causing us problems (e.g. https://github.com/parcel-bundler/parcel/issues/2921 which has other people asking for the fix in 1.x). Is there really no way to get this fixed? Can I help with fixing the 1.x build pipeline?
> The CI for Parcel 1 is very broken, so a PR wouldn't really help a lot unfortunately. We kinda messed up when trying to merge Parcel 1 and Parcel 2 into one branch.
Is it correct that this means Parcel 1 is no longer supported?
Please provide the fix for v1
This is a high severity vulnerability. Projects should ALWAYS aim to reduce attack surface. A little hole here, an other one there... and one ends up trying to navigate the seas of the internetz on a colander.