NPM audit issues in Sails

[nathaniel-watson-ctg-com]

The latest version of sails has a variety of issues listed under NPM audit.

• There are 4 deprecation warnings, 1 of which references a memory leak issue.
• There are 7 vulnerabilities listed, 2 being moderate and 5 being high.

The 7 vulnerabilities come from 3 out-of-date packages, 1 of which is introduced via Express.

For context, I found this by creating a new project and running "npm init" followed by "npm install sails", to ensure no other packages were contaminating the results. To make things easier, the commands I ran and their output are specified at the bottom of this ticket.

I'm not using Grunt or any of the database adapters, so I've listed those as non-applicable below.

---

Node version: v18.14.0

Sails version (sails): 1.5.11

ORM hook version (sails-hook-orm): N/A ?

Sockets hook version (sails-hook-sockets): N/A

Organics hook version (sails-hook-organics): N/A

Grunt hook version (sails-hook-grunt): N/A

Uploads hook version (sails-hook-uploads): N/A

DB adapter & version (e.g. sails-mysql@5.55.5): N/A

Skipper adapter & version (e.g. skipper-s3@5.55.5): N/A

---

D:\temp>mkdir sailsTest

D:\temp>cd sailsTest

D:\temp\sailsTest>npm init
This utility will walk you through creating a package.json file.
It only covers the most common items, and tries to guess sensible defaults.

See `npm help init` for definitive documentation on these fields
and exactly what they do.

Use `npm install <pkg>` afterwards to install a package and
save it as a dependency in the package.json file.

Press ^C at any time to quit.
package name: (sailstest)
version: (1.0.0)
description:
entry point: (index.js)
test command:
git repository:
keywords:
author:
license: (ISC)
About to write to D:\temp\sailsTest\package.json:

{
  "name": "sailstest",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC"
}


Is this OK? (yes)

D:\temp\sailsTest>npm install sails
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.1.2: Glob versions prior to v9 are no longer supported

added 248 packages, and audited 249 packages in 20s

17 packages are looking for funding
  run `npm fund` for details

7 vulnerabilities (2 moderate, 5 high)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

D:\temp\sailsTest>npm audit
# npm audit report

body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via `npm audit fix --force`
Will install sails@0.12.14, which is a breaking change
node_modules/body-parser
  express  <=4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express
    sails  *
    Depends on vulnerable versions of express
    Depends on vulnerable versions of path-to-regexp
    Depends on vulnerable versions of router
    Depends on vulnerable versions of serve-static
    node_modules/sails


path-to-regexp  <=0.1.9 || 0.2.0 - 1.8.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install sails@0.12.14, which is a breaking change
node_modules/express/node_modules/path-to-regexp
node_modules/path-to-regexp
node_modules/router/node_modules/path-to-regexp
  router  1.0.0-beta.1 - 2.0.0-beta.2
  Depends on vulnerable versions of path-to-regexp
  node_modules/router

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install sails@0.12.14, which is a breaking change
node_modules/send
node_modules/serve-static/node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/express/node_modules/serve-static
  node_modules/serve-static


7 vulnerabilities (2 moderate, 5 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

D:\temp\sailsTest>notepad.exe package.json

D:\temp\sailsTest>node --version
v18.14.0

D:\temp\sailsTest>

[sailsbot]

@nathaniel-watson-ctg-com Thanks for posting! We'll take a look as soon as possible.

In the mean time, there are a few ways you can help speed things along:

• look for a workaround. (Even if it's just temporary, sharing your solution can save someone else a lot of time and effort.)
• tell us why this issue is important to you and your team. What are you trying to accomplish? (Submissions with a little bit of human context tend to be easier to understand and faster to resolve.)
• make sure you've provided clear instructions on how to reproduce the bug from a clean install.
• double-check that you've provided all of the requested version and dependency information. (Some of this info might seem irrelevant at first, like which database adapter you're using, but we ask that you include it anyway. Oftentimes an issue is caused by a confluence of unexpected factors, and it can save everybody a ton of time to know all the details up front.)
• read the code of conduct.
• if appropriate, ask your business to sponsor your issue. (Open source is our passion, and our core maintainers volunteer many of their nights and weekends working on Sails. But you only get so many nights and weekends in life, and stuff gets done a lot faster when you can work on it during normal daylight hours.)
• let us know if you are using a 3rd party plugin; whether that's a database adapter, a non-standard view engine, or any other dependency maintained by someone other than our core team. (Besides the name of the 3rd party package, it helps to include the exact version you're using. If you're unsure, check out this list of all the core packages we maintain.)

---

Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.

For help with questions about Sails, click here.

[nathaniel-watson-ctg-com]

According to the NPM audit results, there is an updated version of send available, so that one should be fixable.

Version 4.21.0 of express seems to fix the body-parser bug.

The newest version of path-to-regexp is 8.1.0. That should fix the vulnerability, but it'll be a big jump.

I'm not sure what to do about the deprecation warnings.

[senpai-notices]

#7347 and #7348 already takes care of this.

[senpai-notices]

This is now in the latest release.

[nathaniel-watson-ctg-com]

Update: As of version 1.5.12, all of these except for the deprecation warnings have been fixed. If there's already another ticket for those as well, I will close this as a duplicate ticket.