[data grid] Snyk warning for inflight through exceljs

[jsyvino]

The problem in depth

We recently upgraded our MUI pro license to MUI premium, but after making the code changes our Static Application Security Testing software (Snyk) is now surfacing a vulnerability introduced by @mui/x-data-grid-premium

It seems it is introduced through this path: @mui/x-data-grid-premium@7.4.0 › exceljs@4.4.0 › archiver@5.3.2 › archiver-utils@2.1.0 › glob@7.2.3 › inflight@1.0.6

(I know above it says @mui/x-data-grid-premium@7.4.0, but v7.5.0 also uses exceljs@4.4.0 and this was tested)

Here is the relevant link to the issue in inflight: isaacs/inflight-DEPRECATED-DO-NOT-USE#5

We are unable to use MUI Pro if it does not meet our security requirements and we are unsure how to get around this one.

I am noticing glob v9.0.0 does not have this vulnerability, archiver-utils v5.0.0 does not have this vulnerability, archiver v7.0.0 does not have this vulnerability. Any chance either of those could be pinned on your end? No clue if this is helpful, just sharing what I have found

Your environment

`npx @mui/envinfo`

   System:
    OS: macOS 13.6
  Binaries:
    Node: 18.6.0 - /opt/homebrew/bin/node
    npm: 8.19.2 - /opt/homebrew/bin/npm
    pnpm: Not Found
  Browsers:
    Chrome: 124.0.6367.208
    Edge: Not Found
    Safari: 16.6

Search keywords: inflight@1.0.6, security vulnerability

Duplicates

• https://groups.google.com/a/mui.com/g/security/c/6nR3Cqtl1OI
• https://mui.zendesk.com/agent/tickets/19538

[github-actions]

You have created a support request under the "Priority Support" terms, which is a paid add-on to MUI X Premium ⏰. Please validate your support key using the link below:

https://tools-public.mui.com/prod/pages/jyhs86t?repo=mui-x&issueId=13187

Do not share your support key in this issue!

Priority Support is only provided to verified customers. Once you have verified your support key, we will remove the support: unknown label and add the support: priority label to this issue. Only then the time for the SLA will start counting.

[jsyvino]

Ahh, I misunderstood and thought this was included with the MUI premium license, it looks like our support key is not valid for this

[romgrk]

Fwiw, this vulnerability does not apply in any way to frontend code, it can only affect nodejs HTTP requests, and the code related to it is not shipped in your bundle (I think). We're going to look into the exceljs issue, but this is not a security issue for the datagrid.

[cherniavskii]

Hi @jsyvino
Thanks for raising this issue!

Are you using npm as your package manager?
Can you try adding these overrides to your package.json?

"overrides": {
  "@mui/x-data-grid-premium": {
    "exceljs": {
      "archiver": "7.0.1",
      "unzipper": {
        ".": "0.10.14",
        "fstream": {
          ".": "1.0.12",
          "rimraf": "4.4.1"
        }
      }
    }
  }
}

These overrides upgrade dependencies that have no breaking changes. I tested this in https://github.com/cherniavskii/data-grid-premium-test and the Excel export works fine while the inflight package is not installed:

$ npm ls inflight
data-grid-premium-test@1.0.0 /Users/work/workspace/data-grid-premium-test
└── (empty)

[jsyvino]

@cherniavskii thanks for this, yes this is what we did for now, it just doesn't feel like a great long term solution

[cherniavskii]

@jsyvino This would be the suggested workaround for now.
I tried overriding the dependencies on our side in #13216, but it didn't work. Apparently, these overrides are only applied if they're defined in the project's root package.json.

We are considering forking exceljs: exceljs/exceljs#2764

[mstrater]

My team is also seeing the same issue. I've tried the overrides workaround, but so far haven't had any luck. Even after including the overrides in package.json, clearing node_modules, deleting our lock file, and reinstalling everything, npm ls inflight still reports that it's being used:

weave-mui@1.0.0 /Users/stratem/GitWorkspace/weave-mui
└─┬ @weave-mui/data-grid@1.0.47-beta.0 -> ./packages/data-grid
  └─┬ @mui/x-data-grid-premium@6.20.4 overridden
    └─┬ exceljs@4.4.0 overridden
      └─┬ archiver@5.3.2
        └─┬ archiver-utils@2.1.0
          └─┬ glob@7.2.3
            └── inflight@1.0.6

I'm not very familiar with overrides tho, so if I'm missing something, please let me know.

[cherniavskii]

Hi @mstrater
Where did you put the overrides? I think they will only work if you put them in the root package.json:

Overrides are only considered in the root package.json file for a project
https://docs.npmjs.com/cli/v10/configuring-npm/package-json

[mstrater]

@cherniavskii, I just tried it again and I must have missed that detail. I believe it's working for me now. Sorry to bother!

[Siemienik]

Hi everyone,
I’ve released a version with PR Request to bump version of unzipper to eliminate license concerns as a pre-release version: 4.4.1-prerelease.0.

If no issues are reported with this version, I plan to officially release it as 4.4.1 soon.