@andyjdavis opened this Issue on May 12th 2021 Contributor

'npm audit' outputs warnings if you are running versions of node modules with known security problems. These are not necessarily exploitable in the context of Matomo, but it's still nice to tidy them up.

On current 4.x-dev I get the following.

# npm audit report

jquery  <=3.4.1
Severity: high
Cross-Site Scripting - https://npmjs.com/advisories/1518
Cross-Site Scripting (XSS) - https://npmjs.com/advisories/328
Prototype Pollution - https://npmjs.com/advisories/796
fix available via `npm audit fix --force`
Will install jquery@3.6.0, which is a breaking change

materialize-css  *
Severity: moderate
Cross-Site Scripting - https://npmjs.com/advisories/817
No fix available

2 vulnerabilities (1 moderate, 1 high)

Expected Behavior

'npm audit' should give Matomo a clean bill of health.

Current Behavior

Warnings about problem dependencies are listed.

Possible Solution

1) Upgrade jquery to >= 3.6.0 from 2.2.4
2) materialize-css needs to fix this open issue; however, a fix has been slow to appear: https://github.com/Dogfalo/materialize/issues/6286. Failing that, it may be worth seeing if another module can replace it. Or we can just ignore the warning about materialize-css, but that doesn't feel great.

As an aside, it appears that the contents of node_modules are in source control in the Matomo repo. Is that just to be absolutely certain of what version of the dependencies are in use?
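The triage question raised above (fail on jquery, consciously accept the materialize-css warning with a reason and a review date) can be automated over `npm audit --json` output. The following is an added example, not Matomo's code: it assumes the npm 7 `auditReportVersion: 2` JSON shape, and the report, per-advisory severities and accepted-risk list are constructed from the warnings quoted in this issue.

```javascript
// Triage an `npm audit --json` report: fail CI only on findings at or above a severity
// threshold that are not on a documented accepted-risk list; an expired acceptance
// always fails so the decision is revisited. Assumes the npm 7 report v2 shape.
// SAMPLE_REPORT is constructed to mirror the warnings quoted in the issue.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    jquery: {
      name: 'jquery', severity: 'high', range: '<=3.4.1',
      via: [ // per-advisory severities below are assumed for the example
        { source: 1518, title: 'Cross-Site Scripting', severity: 'high' },
        { source: 328, title: 'Cross-Site Scripting (XSS)', severity: 'high' },
        { source: 796, title: 'Prototype Pollution', severity: 'moderate' },
      ],
      fixAvailable: { name: 'jquery', version: '3.6.0', isSemVerMajor: true },
    },
    'materialize-css': {
      name: 'materialize-css', severity: 'moderate', range: '*',
      via: [{ source: 817, title: 'Cross-Site Scripting', severity: 'moderate' }],
      fixAvailable: false,
    },
  },
};

// Accepted-risk entries: every entry needs a reason and an expiry date.
const ACCEPTED = [
  { source: 817, reason: 'materialize-css upstream fix pending (Dogfalo/materialize#6286)', expires: '2021-12-31' },
];

const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function triage(report, accepted, { failAt = 'high', today = new Date() } = {}) {
  const result = { fail: [], accepted: [], belowThreshold: [] };
  for (const pkg of Object.values(report.vulnerabilities)) {
    for (const adv of pkg.via) {
      if (typeof adv !== 'object') continue; // string entries name a vulnerable dependency, not an advisory
      const finding = { package: pkg.name, source: adv.source, severity: adv.severity,
                        fixAvailable: Boolean(pkg.fixAvailable) };
      const entry = accepted.find((a) => a.source === adv.source);
      if (entry && new Date(entry.expires) >= today) result.accepted.push(finding);
      else if (entry) result.fail.push({ ...finding, reason: 'acceptance expired' });
      else if (RANK[adv.severity] >= RANK[failAt]) result.fail.push(finding);
      else result.belowThreshold.push(finding);
    }
  }
  return result;
}

// Exit status for CI: non-zero when anything needs action.
function exitCode(result) { return result.fail.length > 0 ? 1 : 0; }
```

Feed it the real report with `JSON.parse(fs.readFileSync('audit.json'))` in place of `SAMPLE_REPORT`; the accepted list should live in the repo next to the justification it cites.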

@Findus23 commented on May 12th 2021 Member
Matomo is not affected by the jquery vulnerability (if you can reproduce a security issue, please report it to https://matomo.org/security/). See also https://github.com/matomo-org/matomo/issues/17272

I'm not sure if the materialize-css issues are affecting Matomo (I don't think so), but I guess there is also not much that can be done apart from waiting for the fork to become stable (unless again someone can reproduce a specific security issue affecting Matomo) https://github.com/matomo-org/matomo/issues/16368

@andyjdavis commented on May 12th 2021 Contributor

I would be quite surprised if any of these vulnerabilities were exploitable within Matomo (although it's not impossible). Checking for vulnerable node dependencies is just a code hygiene task I do every so often :)

Reading the issue you linked it sounds like the jquery upgrade is already well under way.
