
[BUG] Inconsistent audit json with minimal example #7896

Open
2 tasks done
cd-dev-ge opened this issue Nov 7, 2024 · 1 comment
Labels
Bug thing that needs fixing Priority 2 secondary priority issue

Comments

@cd-dev-ge

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "copy-webpack-plugin": {
      "name": "copy-webpack-plugin",
      "severity": "high",
      "isDirect": true,
      "via": [
        "serialize-javascript"
      ],
      "effects": [],
      "range": "4.3.0 - 5.1.1",
      "nodes": [
        "node_modules/copy-webpack-plugin"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "5.1.2",
        "isSemVerMajor": false
      }
    },
    "serialize-javascript": {
      "name": "serialize-javascript",
      "severity": "high",
      "isDirect": false,
      "via": [
        {
          "source": 1095131,
          "name": "serialize-javascript",
          "dependency": "serialize-javascript",
          "title": "Insecure serialization leading to RCE in serialize-javascript",
          "url": "https://github.com/advisories/GHSA-hxcc-f52p-wc94",
          "severity": "high",
          "cwe": [
            "CWE-502"
          ],
          "cvss": {
            "score": 8.1,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
          },
          "range": "<3.1.0"
        }
      ],
      "effects": [
        "copy-webpack-plugin"
      ],
      "range": "<3.1.0",
      "nodes": [
        "node_modules/serialize-javascript"
      ],
      "fixAvailable": {
        "name": "copy-webpack-plugin",
        "version": "5.1.2",
        "isSemVerMajor": false
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 2,
      "critical": 0,
      "total": 2
    },
    "dependencies": {
      "prod": 103,
      "dev": 0,
      "optional": 0,
      "peer": 68,
      "peerOptional": 0,
      "total": 170
    }
  }
}

See how the property via in copy-webpack-plugin contains an array of strings and in serialize-javascript contains an array of complex objects.

Expected Behavior

Either both contain only the references or both contain the full objects.

Steps To Reproduce

  1. In Windows 11 with Node.js 23
  2. use the following file and run the following commands

project.json

{
  "main": "index.js",
  "private": true,
  "license": "UNLICENSED",
  "dependencies": {
     "copy-webpack-plugin": "5.1.1"
  }
}

then run:

npm update --save
npm audit --json

Environment

  • npm: 10.9.0
  • Node.js: v23.1.0
  • OS Name: Windows 11
  • npm config:
; "builtin" config from C:\Program Files\nodejs\node_modules\npm\npmrc

prefix = "C:\\Users\\<USER>\\AppData\\Roaming\\npm"

; "user" config from C:\Users\<USER>\.npmrc

//<URL>/npm/registry/:_password = (protected)
//<URL>/npm/registry/:email = (protected)
//<URL>/npm/registry/:username = (protected)

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v23.1.0
; npm local prefix = C:\dev\MyProject
; npm version = 10.9.0
; cwd = C:\dev\MyProject
; HOME = C:\Users\<USER>
; Run `npm config ls -l` to show all defaults.
@cd-dev-ge cd-dev-ge added Bug thing that needs fixing Needs Triage needs review for next steps labels Nov 7, 2024
@cd-dev-ge
Author

Additionally, serialize-javascript contains itself in its via property.
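The two observations in this thread (a `via` list that mixes plain string references with full advisory objects, and an entry that appears to reference itself) are exactly what a consumer of `npm audit --json` has to cope with when turning the report into a triage list or a CI gate. The following is an added example written for this page, not npm's own code: it walks the v2 report, follows string references in `via` down to the advisory objects they point at, refuses to loop on a self-reference or cycle, and inverts the result into an advisory-to-direct-dependency view. The sample report is a constructed, trimmed copy of the one quoted above; the cycle-handling case in the usage note is an assumption about malformed input, not something the page shows.

```javascript
// Added example (not npm's code): normalise the `via` lists of an
// `npm audit --json` v2 report so every vulnerable package is mapped to the
// advisory objects it ultimately rests on, whether `via` holds advisory
// objects or string references to other `vulnerabilities` keys.

// Constructed sample input, trimmed to the fields this example reads.
// Values are copied from the report quoted in the issue.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'copy-webpack-plugin': {
      name: 'copy-webpack-plugin', severity: 'high', isDirect: true,
      via: ['serialize-javascript'], effects: [], range: '4.3.0 - 5.1.1',
      nodes: ['node_modules/copy-webpack-plugin'],
      fixAvailable: { name: 'copy-webpack-plugin', version: '5.1.2', isSemVerMajor: false },
    },
    'serialize-javascript': {
      name: 'serialize-javascript', severity: 'high', isDirect: false,
      via: [{
        source: 1095131, name: 'serialize-javascript', dependency: 'serialize-javascript',
        title: 'Insecure serialization leading to RCE in serialize-javascript',
        url: 'https://github.com/advisories/GHSA-hxcc-f52p-wc94',
        severity: 'high', cwe: ['CWE-502'],
        cvss: { score: 8.1, vectorString: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H' },
        range: '<3.1.0',
      }],
      effects: ['copy-webpack-plugin'], range: '<3.1.0',
      nodes: ['node_modules/serialize-javascript'],
      fixAvailable: { name: 'copy-webpack-plugin', version: '5.1.2', isSemVerMajor: false },
    },
  },
};

// An advisory object carries a numeric `source` id; a string entry in `via`
// is a reference to another key of `vulnerabilities`.
function isAdvisory(entry) {
  return entry !== null && typeof entry === 'object' && typeof entry.source === 'number';
}

// Follow string references in `via` down to advisory objects. `path` is the
// chain of package names currently being resolved; a package that is already
// on its own chain (a self-reference or a longer cycle) is skipped so the
// recursion always terminates. Advisories are de-duplicated by `source`.
function rootAdvisories(report, pkgName, path = []) {
  if (path.includes(pkgName)) return [];
  const entry = report.vulnerabilities[pkgName];
  if (!entry || !Array.isArray(entry.via)) return [];
  const found = new Map();
  for (const v of entry.via) {
    let advisories = [];
    if (isAdvisory(v)) advisories = [v];
    else if (typeof v === 'string') advisories = rootAdvisories(report, v, [...path, pkgName]);
    for (const a of advisories) if (!found.has(a.source)) found.set(a.source, a);
  }
  return [...found.values()];
}

// One record per vulnerable package: its resolved advisories plus the
// package names it was reached through, so both shapes of `via` end up
// in the same normalised form.
function normalizeAudit(report) {
  if (report.auditReportVersion !== 2) {
    throw new Error(`unsupported auditReportVersion: ${report.auditReportVersion}`);
  }
  const out = {};
  for (const [name, entry] of Object.entries(report.vulnerabilities)) {
    out[name] = {
      severity: entry.severity,
      isDirect: Boolean(entry.isDirect),
      viaPackages: (entry.via || []).filter((v) => typeof v === 'string'),
      advisories: rootAdvisories(report, name).map((a) => ({
        source: a.source, title: a.title, url: a.url, severity: a.severity,
        cwe: a.cwe, range: a.range, cvssScore: a.cvss ? a.cvss.score : undefined,
      })),
    };
  }
  return out;
}

// Inverted view: advisory id -> the direct dependencies that expose it,
// which is the shape a triage ticket or a CI gate usually reports on.
function directPackagesByAdvisory(report) {
  const byAdvisory = {};
  for (const [name, rec] of Object.entries(normalizeAudit(report))) {
    if (!rec.isDirect) continue;
    for (const a of rec.advisories) {
      if (!byAdvisory[a.source]) byAdvisory[a.source] = { url: a.url, directPackages: [] };
      byAdvisory[a.source].directPackages.push(name);
    }
  }
  return byAdvisory;
}

console.log(JSON.stringify(directPackagesByAdvisory(SAMPLE_AUDIT), null, 2));
```

On the sample report, `normalizeAudit` resolves `copy-webpack-plugin` (whose `via` is only the string `"serialize-javascript"`) to the same GHSA-hxcc-f52p-wc94 advisory that `serialize-javascript` carries inline, and `directPackagesByAdvisory` reports that advisory as exposed through the single direct dependency `copy-webpack-plugin`. The `path` check in `rootAdvisories` is what keeps the resolver safe on a report where an entry lists itself, or where two entries reference each other; without it the mixed string/object shape would be a way to hang the consumer rather than just an inconsistency.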

@kchindam-infy kchindam-infy self-assigned this Nov 8, 2024
@kchindam-infy kchindam-infy added Priority 2 secondary priority issue and removed Needs Triage needs review for next steps labels Nov 8, 2024
@kchindam-infy kchindam-infy removed their assignment Nov 8, 2024