
'npm audit' reports problems with some node dependencies #17551

Closed
andyjdavis opened this issue May 12, 2021 · 4 comments
Labels
not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced.

Comments

@andyjdavis
Contributor

'npm audit' outputs warnings if you are running versions of node modules with known security problems. These are not necessarily exploitable in the context of Matomo, but it's still nice to tidy them up.

On current 4.x-dev I get the following.

# npm audit report

jquery  <=3.4.1
Severity: high
Cross-Site Scripting - https://npmjs.com/advisories/1518
Cross-Site Scripting (XSS) - https://npmjs.com/advisories/328
Prototype Pollution - https://npmjs.com/advisories/796
fix available via `npm audit fix --force`
Will install jquery@3.6.0, which is a breaking change
node_modules/jquery

materialize-css  *
Severity: moderate
Cross-Site Scripting - https://npmjs.com/advisories/817
No fix available
node_modules/materialize-css

2 vulnerabilities (1 moderate, 1 high)

Expected Behavior

'npm audit' should give Matomo a clean bill of health.

Current Behavior

Warnings about problem dependencies are listed.

Possible Solution

  1. Upgrade jquery to >= 3.6.0 from 2.2.4
  2. materialize-css needs to fix this open issue, however a fix has been slow to appear: "Security question: Use HTML by default for Toasts/Tooltips/Autocomplete and expose an XSS" (Dogfalo/materialize#6286). Failing that, it may be worth seeing if another module can replace it. Or we can just ignore the warning about materialize-css, but that doesn't feel great.

As an aside, it appears that the contents of node_modules is in source control in the Matomo repo. Is that just to be absolutely certain of what version of the dependencies are in use?
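The post above raises the choice between ignoring an advisory and tidying it up. An added example (not Matomo's code) of a middle path: triaging `npm audit --json` output against a reviewed exception list, so CI fails only on advisories nobody has assessed and accepted risk is revisited when its review date passes. The audit input is constructed here in the npm 7 JSON shape (real output carries more fields), and the exception entry, its reason and review date are hypothetical.

```javascript
// Constructed sample of `npm audit --json` (npm 7 shape, trimmed to the fields used).
// The advisories mirror the report in the issue; everything else is illustrative.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    jquery: {
      name: 'jquery', severity: 'high', range: '<=3.4.1', nodes: ['node_modules/jquery'],
      via: [
        { source: 1518, title: 'Cross-Site Scripting', url: 'https://npmjs.com/advisories/1518' },
        { source: 328, title: 'Cross-Site Scripting (XSS)', url: 'https://npmjs.com/advisories/328' },
        { source: 796, title: 'Prototype Pollution', url: 'https://npmjs.com/advisories/796' },
      ],
    },
    'materialize-css': {
      name: 'materialize-css', severity: 'moderate', range: '*', nodes: ['node_modules/materialize-css'],
      via: [{ source: 817, title: 'Cross-Site Scripting', url: 'https://npmjs.com/advisories/817' }],
    },
  },
};

// Hypothetical exception list: each accepted advisory needs a written reason and a
// review-by date. Once the date passes the entry stops suppressing the finding.
const EXCEPTIONS = [
  {
    url: 'https://npmjs.com/advisories/817',
    reason: 'hypothetical: reviewed, affected API not reachable from user input; awaiting upstream fix',
    reviewBy: '2022-12-31',
  },
];

// Returns the findings that are not covered by an active exception, plus any
// exceptions whose review date has passed. `today` is ISO YYYY-MM-DD, so string
// comparison orders dates correctly.
function triageAudit(report, exceptions, today = new Date().toISOString().slice(0, 10)) {
  const active = new Map(exceptions.filter(e => e.reviewBy >= today).map(e => [e.url, e]));
  const expired = exceptions.filter(e => e.reviewBy < today).map(e => e.url);
  const unaccepted = [];
  for (const pkg of Object.values(report.vulnerabilities || {})) {
    for (const via of pkg.via) {
      // A string entry means "vulnerable through that package"; the advisory
      // itself is listed under the package it belongs to, so skip it here.
      if (typeof via === 'string') continue;
      if (!active.has(via.url)) {
        unaccepted.push({ package: pkg.name, severity: pkg.severity, title: via.title, url: via.url });
      }
    }
  }
  return { unaccepted, expired };
}
```

In CI, pipe `npm audit --json` into `triageAudit` and exit non-zero when `unaccepted` or `expired` is non-empty; the exception file then doubles as the record of which advisories were assessed and why.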

@andyjdavis andyjdavis added the Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. label May 12, 2021
@Findus23
Member

Hi,

Matomo is not affected by the jquery vulnerability (if you can reproduce a security issue, please report it to https://matomo.org/security/). See also #17272

I'm not sure if the materialize-css issues are affecting Matomo (I don't think so), but I guess there is also not much that can be done apart from waiting for the fork to become stable (unless again someone can reproduce a specific security issue affecting Matomo) #16368

@andyjdavis
Contributor Author

I would be quite surprised if any of these vulnerabilities were exploitable within Matomo (although it's not impossible). Checking for vulnerable node dependencies is just a code hygiene task I do every so often :)

Reading the issue you linked it sounds like the jquery upgrade is already well under way.

@MatomoForumNotifications

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/jquery-vulnerability-in-latest-matamo/46861/2

@sgiehl
Member

sgiehl commented Nov 9, 2022

I'll close this one for now. We are regularly checking if known security issues also affect Matomo.
For Matomo 5 we might update some of the dependencies as long as they don't cause any bigger issues.

@sgiehl sgiehl closed this as completed Nov 9, 2022
@elabuwa elabuwa added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Nov 22, 2022