[BUG] npm audit fix --force installs a vulnerable version of puppeteer #7599

Closed
2 tasks done
TiAlRo opened this issue Jun 18, 2024 · 8 comments
Labels: Bug (thing that needs fixing), Cannot Reproduce

Comments

TiAlRo commented Jun 18, 2024

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

The command npm audit fix --force installs [email protected], which depends on a vulnerable version of ws, namely 8.9.0.

Expected Behavior

The command npm audit fix --force should show there is no version of puppeteer without vulnerability.

Steps To Reproduce

  1. Run npm i puppeteer
  2. Run npm audit fix --force

Environment

  • npm: 10.8.1
  • Node.js: v21.2.0
  • OS Name: Windows 10.0.19045
  • System Model Name: Precision Tower 3620
TiAlRo (Author) commented Jun 18, 2024

This problem existed when there was no [email protected] published yet. Now I don't know how to reproduce it anymore.

milaninfy (Contributor) commented

@TiAlRo I am not able to reproduce this issue. Without proper reproduction steps it's not feasible to identify the cause of the issue, if there is one.

milaninfy (Contributor) commented

Closing due to age. If this is still a problem please feel free to reopen this issue, or create a new issue w/ steps to reproduce.

milaninfy closed this as not planned (won't fix, can't repro, duplicate, stale) Jun 28, 2024
TiAlRo (Author) commented Aug 22, 2024

I can reproduce the behaviour:

  1. Run npm i npm-audit-vulnerability-bug2
  2. Run npm audit fix --force

The command installs [email protected], which is vulnerable.

The bug #6079 describes the same behaviour.

TiAlRo (Author) commented Aug 23, 2024

@milaninfy, can you reopen this bug? Thx.

milaninfy (Contributor) commented

It does update to 0.0.1, but it also shows that this version is also vulnerable due to its dependencies. If you run fix one more time it updates it to 0.0.0, which I believe is not vulnerable.

~/workarea/rep $ npm i npm-audit-vulnerability-bug2

added 8 packages, and audited 9 packages in 1s

1 package is looking for funding
  run `npm fund` for details

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
~/workarea/rep $ npm audit fix --force
npm warn using --force Recommended protections disabled.
npm warn audit Updating npm-audit-vulnerability-bug2 to 0.0.1, which is a SemVer major change.

changed 1 package, and audited 9 packages in 753ms

1 package is looking for funding
  run `npm fund` for details

# npm audit report

micromatch  *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/micromatch
  npm-audit-vulnerability-bug  *
  Depends on vulnerable versions of micromatch
  node_modules/npm-audit-vulnerability-bug
    npm-audit-vulnerability-bug2  >=0.0.1
    Depends on vulnerable versions of npm-audit-vulnerability-bug
    node_modules/npm-audit-vulnerability-bug2

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
~/workarea/rep $ npm ls
[email protected] /Users/milaninfy/workarea/rep
└── [email protected]

~/workarea/rep $ npm audit fix --force
npm warn using --force Recommended protections disabled.
npm warn audit Updating npm-audit-vulnerability-bug2 to 0.0.0, which is a SemVer major change.

removed 7 packages, changed 1 package, and audited 2 packages in 684ms

found 0 vulnerabilities
~/workarea/rep $ npm audit
found 0 vulnerabilities

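The transcript above shows the trap a practitioner needs a check for: the first `npm audit fix --force` run reports success-looking output yet still leaves three moderate vulnerabilities, and only the count on the next run tells you whether the fix actually landed. As an added example (not npm's code and not from this thread), here is a small Node.js gate over `npm audit --json` that fails CI while anything at or above a severity threshold remains and prints the advisory chain behind each direct dependency still affected; the embedded report is a constructed sample modelled on the output above, with made-up versions.

```javascript
// Added example, not npm's own code: a CI gate over `npm audit --json` (npm 7+ layout) that
// fails while vulnerabilities at or above a threshold remain, however many fix runs preceded it.

// Constructed sample modelled on the report in the thread; the versions are made up.
const FIX = { name: "npm-audit-vulnerability-bug2", version: "0.0.0", isSemVerMajor: true };
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
const SAMPLE_REPORT = {
  vulnerabilities: {
    "micromatch": { name: "micromatch", severity: "moderate", isDirect: false, range: "*",
      via: [{ name: "micromatch", url: "https://github.com/advisories/GHSA-952p-6rrq-rcjv" }], fixAvailable: FIX },
    "npm-audit-vulnerability-bug": { name: "npm-audit-vulnerability-bug", severity: "moderate",
      isDirect: false, range: "*", via: ["micromatch"], fixAvailable: FIX },
    "npm-audit-vulnerability-bug2": { name: "npm-audit-vulnerability-bug2", severity: "moderate",
      isDirect: true, range: ">=0.0.1", via: ["npm-audit-vulnerability-bug"], fixAvailable: FIX },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 3, high: 0, critical: 0, total: 3 } },
};

// Follow `via` links down to the advisory objects a package inherits (strings are one hop further down).
function advisoriesFor(report, pkg, seen = new Set()) {
  if (seen.has(pkg) || !report.vulnerabilities[pkg]) return []; seen.add(pkg);
  return report.vulnerabilities[pkg].via.flatMap((v) =>
    typeof v === "string" ? advisoriesFor(report, v, seen) : [v]);
}

// One record per direct dependency still affected: root advisories, offered fix, and whether it is SemVer-major.
function summarize(report) {
  return Object.values(report.vulnerabilities).filter((v) => v.isDirect).map((v) => ({
    package: v.name, range: v.range, severity: v.severity,
    advisories: advisoriesFor(report, v.name).map((a) => a.url),
    fix: v.fixAvailable ? `${v.fixAvailable.name}@${v.fixAvailable.version}` : null,
    breaking: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor),
  }));
}

// True while the report still counts anything at or above `threshold`.
function shouldBlock(report, threshold = "moderate") {
  const counts = report.metadata.vulnerabilities;
  return Object.keys(SEVERITY_RANK).some((sev) =>
    SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold] && (counts[sev] || 0) > 0);
}

// CLI use after the fix step: node gate.js audit.json  (exit status 1 blocks the build)
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const report = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  for (const row of summarize(report)) console.log(JSON.stringify(row));
  process.exitCode = shouldBlock(report) ? 1 : 0;
}
```

`npm audit` itself exits non-zero whenever it reports anything, so capture the JSON with `npm audit --json > audit.json || true` and let the gate decide the build status. Because `shouldBlock` only looks at what remains, a fix run that merely swaps one vulnerable version for another is reported as a failure rather than as progress.
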
TiAlRo (Author) commented Aug 28, 2024

When I run fix, I expect to have no vulnerability anymore instead of having to run it another time.

TiAlRo (Author) commented Aug 28, 2024

I have now published the package [email protected] and unpublished version 0.0.0. After installing version 0.0.3, the command npm audit fix --force installs version 0.0.1. Running npm audit fix --force again reinstalls version 0.0.3, which leads to a cycle.
