Security Vulnerabilities (node-forge + normalize-url)

[CONeal]

Hi Guys,

regarding to a WhiteSource Report, there are still two security vulnerabilities open in the 1.5.0 version of Brigadier. Both as a dependency of @kubernetes/client-node@0.10.3.

`-- @brigadecore/brigadier@1.5.0
  `-- @kubernetes/client-node@0.10.3
    `-- openid-client@2.5.0
      +-- got@8.3.2
      | `-- cacheable-request@2.1.4
      |   `-- normalize-url@2.0.1
      `-- node-jose@1.1.4
        `-- node-forge@0.8.5

[krancour]

@CONeal thanks for the heads up, but I'm confused. Examining yarn list list or even directly examining the yarn.lock file, I cannot see that either of these packages are being used.

Is it possible you can provide more detail on how you're finding this information? Obviously, we'd like to act on it if there is a real issue.

[CONeal]

@krancour I can see this informationen, when I build up the dependency tree from our project. We are using npm and filtering the list with npm list normalize-url node-forge displays the tree above.

The WhiteSource report itself will be created within an Azure Pipeline using a specific task.

[krancour]

I have tried all of the following and am not able to see any indications that the vulnerable packages you have referenced are dependencies of brigadier:

$ git clone git@github.com:brigadecore/brigadier.git
$ cd brigadier
$ yarn list | grep normalize-url
$ yarn list | grep node-forge
$ grep normalize-url yarn.lock
$ grep node-forge yarn.lock

Since it appears that you are using npm and not yarn, I also tried the following and still could not reproduce your results:

$ npm install # to generare package-lock.json
$ npm list normalize-url
$ npm list node-forge
$ grep normalize-url package-lock.json
$ grep node-forge package-lock.json

If you can send me exact steps to reproduce your results, I would be happy to try them.

[CONeal]

Starting a new project from scratch will produce the same dependency tree. It seems that these dependencies are only required when using brigadier in another project.

$ npm init # init new project, all settings on default
$ npm install @brigadecore/brigadier@1.5.0
$ npm list normalize-url
$ npm list node-forge

I don't know if this might also affect the dependencies, but currently I'm using npm version 6.14.15.

[krancour]

Following those instructions, I can finally reproduce your results, even using the latest npm or yarn.

This is perplexing to me. I do not understand why additional dependencies are getting pulled in in this scenario.

I will investigate this further after the holidays.

Thank you so much for bringing this to our attention and providing the steps to reproduce!