Preact-cli: yarn audit fails due to cli dependency `size-plugin`.

Created on 12 Jan 2021 · 10 comments · Source: preactjs/preact-cli


Do you want to request a _feature_ or report a _bug_?
Bug

What is the current behaviour?
The preact-cli dependency size-plugin causes yarn audit to fail because of an axios vulnerability.

| high          | Server-Side Request Forgery           |
|---------------|---------------------------------------|
| Package       | axios                                 |
| Patched in    | >=0.21.1                              |
| Dependency of | preact-cli                            |
| Path          | preact-cli > size-plugin > axios      |
| More info     | https://www.npmjs.com/advisories/1594 |

If the current behaviour is a bug, please provide the steps to reproduce.

What is the expected behaviour?

yarn audit should pass.

If this is a feature request, what is motivation or use case for changing the behaviour?

Please mention other relevant information.

Please paste the results of preact info here.

Environment Info:
System:
OS: macOS 10.15.7
CPU: (8) x64 Intel(R) Core(TM) i7-8559U CPU @ 2.70GHz
Binaries:
Node: 14.8.0 - /usr/local/bin/node
Yarn: 1.22.4 - /usr/local/bin/yarn
npm: 6.14.7 - /usr/local/bin/npm
Browsers:
Chrome: 87.0.4280.141
Firefox: 80.0.1
Safari: 14.0.1

Most helpful comment

The PR to fix this upstream has been merged in, so the "vulnerability" should be gone. Closing this.

Let me know if anyone is still having issues. You might need to regen your lock files.

All 10 comments

What gives you the impression that size-plugin isn’t used? Definitely is: https://github.com/preactjs/preact-cli/blob/master/packages/cli/lib/lib/webpack/webpack-client-config.js#L7

As that’s a build time dependency it really shouldn’t be a concern. This would be totally unconnected to your app. Feel free to submit a PR though.

Oh, the issue is I see package.json is missing that, and from the history of the yarn.lock it seems it was in package.json before. This makes me feel it is no longer required since the dependency is removed from package.json.

What? It's definitely in the package.json too, right here: https://github.com/preactjs/preact-cli/blob/master/packages/cli/package.json#L125

This is a mono-repo, top level package.json isn't a package itself, just a collection of tools. Each individual packages lives in /packages/{x}. In the CLI's case, that's /packages/cli

Oops, I must be blind to not see this 🙈

Let me change the description of this quickly

Thanks for your quick reply :)

I have tried to fix this in size-plugin itself but not much activity going on over there: https://github.com/GoogleChromeLabs/size-plugin/pull/34 - and there is a Travis check which I don't know how to fix, unfortunately, so that might also be why nobody is looking at it :)

Mentioning this for reference.

Edit: The travis check is now fixed.

@sebastianks Thanks for that. You should be able to manually patch the CLI here if you'd like.

Hey @rschristian 👋 I would love to, but I am not sure how you go about that here? Do you allow using a patched version on my branch of size-plugin, or editing the yarn.lock (shouldn't) file directly, or how is your procedure?

By that I meant editing your yarn.lock file manually, yes. I know it says not to, but you definitely can do that and it makes sense to do if this is causing you issues. It's just a single dep, it's safe.

I don't think we'd merge that in here, as this is just a build time dep we're talking about (so the "vulnerability" is totally irrelevant and has no effect) but you can do it for your own projects.
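Whether you hand-edit yarn.lock as suggested above or regenerate it, the thing worth checking afterwards is that every lockfile entry for the package named in the advisory resolved to a version at or above the patched one, and which entry is still pulling in an old range if not. The following is an added example, not code from the issue thread or from preact-cli: a small Node script that parses a Yarn v1 lockfile, lists the resolved versions of one package, and reports those below a given patched version together with the entries that depend on them. The lockfile text, the package versions in it and the `integrity`/`resolved` values are constructed for the demo and are not taken from a real preact-cli install.

```javascript
// Added example (not from preact-cli or the issue thread). Parses a Yarn v1
// lockfile and reports resolved versions of a package below a patched version.
// SAMPLE_LOCK is a constructed lockfile fragment; hashes and URLs are fake.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


axios@^0.19.0:
  version "0.19.2"
  resolved "https://registry.yarnpkg.com/axios/-/axios-0.19.2.tgz#constructed"
  integrity sha512-constructed-example-hash-1
  dependencies:
    follow-redirects "1.5.10"

axios@^0.21.1:
  version "0.21.1"
  resolved "https://registry.yarnpkg.com/axios/-/axios-0.21.1.tgz#constructed"
  integrity sha512-constructed-example-hash-2
  dependencies:
    follow-redirects "^1.10.0"

size-plugin@^2.0.2:
  version "2.0.2"
  resolved "https://registry.yarnpkg.com/size-plugin/-/size-plugin-2.0.2.tgz#constructed"
  integrity sha512-constructed-example-hash-3
  dependencies:
    axios "^0.19.0"
`;

// Parse a Yarn v1 lockfile into entries: { name, ranges, version, dependencies }.
// A header line is unindented and ends with ":"; it may list several
// comma-separated, optionally quoted specifiers such as "@scope/pkg@^1.0.0".
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    const indent = line.length - line.trimStart().length;
    if (indent === 0 && line.endsWith(':')) {
      const specifiers = line.slice(0, -1).split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      // lastIndexOf('@') keeps scoped names ("@scope/name") intact.
      const at = specifiers[0].lastIndexOf('@');
      current = {
        name: specifiers[0].slice(0, at),
        ranges: specifiers.map((s) => s.slice(s.lastIndexOf('@') + 1)),
        version: null,
        dependencies: {},
      };
      entries.push(current);
      inDeps = false;
    } else if (current && indent === 2) {
      const m = line.trim().match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
      const key = line.trim();
      inDeps = key === 'dependencies:' || key === 'optionalDependencies:';
    } else if (current && inDeps && indent === 4) {
      const m = line.trim().match(/^"?([^"\s]+)"? "([^"]+)"$/);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Numeric dotted-version comparison; prerelease tags are ignored, which is
// enough for "is this at or above the patched release" checks.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every lockfile entry for `pkg` that resolved below `patchedVersion`, with the
// entries whose declared range led to that resolution (the path to fix).
function findUnpatched(entries, pkg, patchedVersion) {
  const hits = [];
  for (const e of entries) {
    if (e.name !== pkg || !e.version) continue;
    if (compareVersions(e.version, patchedVersion) >= 0) continue;
    const requiredBy = entries
      .filter((d) => e.ranges.includes(d.dependencies[pkg]))
      .map((d) => `${d.name}@${d.version}`);
    hits.push({ version: e.version, ranges: e.ranges, requiredBy });
  }
  return hits;
}

// Demo run against the constructed lockfile: advisory 1594 is patched in >=0.21.1.
for (const h of findUnpatched(parseYarnLock(SAMPLE_LOCK), 'axios', '0.21.1')) {
  console.log(`axios@${h.version} (ranges ${h.ranges.join(', ')}) required by ${h.requiredBy.join(', ')}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `require('fs').readFileSync('yarn.lock', 'utf8')`. If an old range is still present after regenerating the lockfile, Yarn 1's `resolutions` field in package.json (for example `"resolutions": { "**/axios": "^0.21.1" }`) is the supported way to force a transitive dependency to a fixed version without editing yarn.lock by hand; the script then confirms the override actually took effect.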

The PR to fix this upstream has been merged in, so the "vulnerability" should be gone. Closing this.

Let me know if anyone is still having issues. You might need to regen your lock files.

Thanks @rschristian
