
Security Issues of Nodemon #2121

Closed
venkateswarlumadala opened this issue Jul 6, 2023 · 5 comments
Comments


venkateswarlumadala commented Jul 6, 2023

I am getting issues while trying to run/build Docker due to nodemon version 2.0.22. I tried all the recent versions of nodemon but nothing works. The error is shown below.

docker-compose --env-file=./.compose/.compose.local up --build

[+] Building
=> load build definition from Dockerfile
=> => transferring dockerfile:
=> load .dockerignore
=> CACHED WORKDIR /usr/src/app
=> CACHED COPY package.json ./
=> RUN npm install
=> ERROR RUN npm audit fix --force

RUN npm audit fix --force:
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating nodemon to 1.14.9,which is a SemVer major change.
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated chokidar@1.7.0: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.

added 235 packages, removed 4 packages, changed 15 packages, and audited 474 packages in 12s

28 packages are looking for funding

run npm fund for details

npm audit report

braces <2.3.1
Regular Expression Denial of Service (ReDoS) in braces - GHSA-cwfw-4gq5-mrqx
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/braces
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of glob-parent
node_modules/chokidar
nodemon 1.3.5 - 2.0.16 || 2.0.18
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of undefsafe
Depends on vulnerable versions of update-notifier
node_modules/nodemon

glob-parent <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of glob-parent
node_modules/chokidar
nodemon 1.3.5 - 2.0.16 || 2.0.18
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of undefsafe
Depends on vulnerable versions of update-notifier
node_modules/nodemon
glob-base *
Depends on vulnerable versions of glob-parent
node_modules/glob-base
parse-glob >=2.1.0
Depends on vulnerable versions of glob-base
node_modules/parse-glob
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch

got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
Depends on vulnerable versions of semver
node_modules/package-json
latest-version 3.0.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
Depends on vulnerable versions of semver-diff
node_modules/update-notifier
nodemon 1.3.5 - 2.0.16 || 2.0.18
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of undefsafe
Depends on vulnerable versions of update-notifier
node_modules/nodemon

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/package-json/node_modules/semver
node_modules/semver-diff/node_modules/semver
package-json <=6.5.0
Depends on vulnerable versions of got
Depends on vulnerable versions of semver
node_modules/package-json
latest-version 3.0.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
Depends on vulnerable versions of semver-diff
node_modules/update-notifier
nodemon 1.3.5 - 2.0.16 || 2.0.18
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of undefsafe
Depends on vulnerable versions of update-notifier
node_modules/nodemon
semver-diff <=3.1.1
Depends on vulnerable versions of semver
node_modules/semver-diff

undefsafe <2.0.3
Severity: moderate
Prototype Pollution in undefsafe - GHSA-332q-7ff2-57h2
fix available via npm audit fix --force
Will install nodemon@1.19.4, which is outside the stated dependency range
node_modules/undefsafe
nodemon 1.3.5 - 2.0.16 || 2.0.18
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of undefsafe
Depends on vulnerable versions of update-notifier
node_modules/nodemon

14.28 15 vulnerabilities (2 low, 7 moderate, 6 high)

To address all issues, run:

npm audit fix --force

failed to solve: process "/bin/sh -c npm audit fix --force" did not complete successfully: exit code: 1
The terminal process "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -Command npm run build_local" terminated with exit code: 1.

Terminal will be reused by tasks, press any key to close it.

I am using the below versions of node, npm and nodemon:

$ node -v
v16.16.0

$ npm -v
npm WARN config global --global, --local are deprecated. Use --location=global instead.
9.7.2

$ nodemon -v
2.0.22

My project's package.json file is shown below:

{
  "name": "some-x123",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "dependencies": {
    "express": "^4.18.2",
    "express-session": "^1.17.3",
    "bcryptjs": "^2.4.3",
    "cookie-parser": "^1.4.6",
    "cookie-session": "^2.0.0",
    "cors": "^2.8.5",
    "dotenv": "^16.3.1",
    "nodemon": "^2.0.22"
  },
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "start": "nodemon --legacy-watch index.js",
    "build_local": "docker-compose --env-file=./.compose/.compose.local up --build",
    "start_local": "docker-compose --env-file=./.compose/.compose.local up",
    "stop_local": "docker-compose --env-file=./.compose/.compose.local -f \"docker-compose.yml\" down"
  },
  "author": "",
  "license": "ISC"
}

The Dockerfile I am using is below:

FROM node: xx-version

WORKDIR xx/xx/xx

COPY package.json ./

RUN npm install -g nodemon
RUN npm install
RUN npm audit fix --force

ADD . .

EXPOSE port-xx

RUN printenv

CMD [ "npm", "run", "start" ]
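The build above fails because `RUN npm audit fix --force` rewrites the dependency tree during the image build (here it tried to downgrade nodemon to 1.14.9, outside the declared range) and exits non-zero. A defender-friendly alternative is a read-only gate: run `npm audit --json > audit.json` and let a script decide pass/fail against a severity threshold and a list of reviewed, accepted advisories. The script below is an added example written for this page, not code from the issue's author or from the nodemon project; it assumes the npm 7+ audit JSON shape (`auditReportVersion` 2), and the embedded report is constructed to mirror the semver advisory quoted later in this thread rather than captured output.

```javascript
// Added example: a non-mutating audit gate for CI or a Docker build step.
// Assumes npm >= 7 `npm audit --json` output (auditReportVersion 2).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Direct advisories appear in `via` as objects; a package that is only affected
// through a dependency lists that dependency's name as a string instead.
function directAdvisories(vuln) {
  return (vuln.via || []).filter((v) => typeof v === "object" && v !== null);
}

// Extract a canonical GHSA id (e.g. GHSA-c2qf-rxjj-qqgw) from an advisory URL.
function ghsaId(url) {
  const m = /GHSA(?:-[0-9a-z]{4}){3}/i.exec(url || "");
  return m ? "GHSA-" + m[0].slice(5).toLowerCase() : null;
}

// `accepted` maps GHSA ids to a written justification for a reviewed risk;
// anything else at or above `minSeverity` blocks the build. Never throws.
function evaluateAudit(report, { minSeverity = "moderate", accepted = {} } = {}) {
  const threshold = SEVERITY_RANK[minSeverity];
  const result = { fail: false, blocking: [], accepted: [], transitive: [] };
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const advisories = directAdvisories(vuln);
    const fix = vuln.fixAvailable;
    if (advisories.length === 0) {
      // Affected only through a dependency: record the chain and whether the
      // suggested fix is a breaking (major) change, as npm warned in the thread.
      result.transitive.push({
        package: name,
        via: (vuln.via || []).filter((v) => typeof v === "string"),
        fixIsBreaking: Boolean(fix && fix.isSemVerMajor),
      });
      continue;
    }
    for (const adv of advisories) {
      const id = ghsaId(adv.url);
      const entry = { package: name, id, severity: adv.severity, title: adv.title, range: adv.range };
      if (id && accepted[id]) {
        result.accepted.push({ ...entry, reason: accepted[id] });
      } else if ((SEVERITY_RANK[adv.severity] ?? 0) >= threshold) {
        result.blocking.push(entry);
      }
    }
  }
  result.fail = result.blocking.length > 0;
  return result;
}

// Constructed sample report shaped like the second audit quoted in this thread.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    semver: {
      name: "semver", severity: "moderate", isDirect: false,
      via: [{
        name: "semver",
        title: "semver vulnerable to Regular Expression Denial of Service",
        url: "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
        severity: "moderate", range: "<7.5.2",
      }],
      effects: ["nodemon", "simple-update-notifier"], range: "<7.5.2",
      nodes: ["node_modules/nodemon/node_modules/semver",
              "node_modules/simple-update-notifier/node_modules/semver"],
      fixAvailable: { name: "nodemon", version: "1.14.9", isSemVerMajor: true },
    },
    "simple-update-notifier": {
      name: "simple-update-notifier", severity: "moderate", isDirect: false,
      via: ["semver"], effects: ["nodemon"], range: "1.0.7 - 1.1.0",
      nodes: ["node_modules/simple-update-notifier"],
      fixAvailable: { name: "nodemon", version: "1.14.9", isSemVerMajor: true },
    },
    nodemon: {
      name: "nodemon", severity: "moderate", isDirect: true,
      via: ["semver", "simple-update-notifier"], effects: [], range: ">=1.14.10",
      nodes: ["node_modules/nodemon"],
      fixAvailable: { name: "nodemon", version: "1.14.9", isSemVerMajor: true },
    },
  },
};

console.log(JSON.stringify(evaluateAudit(SAMPLE_REPORT), null, 2));
```

In a build you would replace the `RUN npm audit fix --force` line with `RUN npm ci` (lockfile-driven, reproducible) and run the gate as a separate CI step that reads the saved `audit.json`, so the image content never depends on what the registry's advisory database says on the day of the build. The `accepted` map is where a reviewed exception (for example, a dev-only tool that never runs in production) is recorded with its reason, instead of being silenced with `--force`.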

@Ratstail91

Hi! I'm not involved with this project - but I've found that adding this to your package.json will fix things:

"overrides": {
  "semver": "^7.5.2"
}

Here's an example in one of my projects: https://github.com/krgamestudios/auth-server/blob/main/package.json

The cause of this is that semver's version hasn't been updated in nodemon yet, so it's still depending on an older version - thankfully, forcing the version to be updated appears to work correctly, though your mileage may vary.
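Whether an `overrides` entry has actually taken effect is visible in `package-lock.json`: npm records every resolved copy of a package, including nested ones under paths such as `node_modules/nodemon/node_modules/semver`. The check below is an added example written for this page, not code from Ratstail91's project or from nodemon; it assumes a lockfile with `lockfileVersion` 2 or 3 (the `packages` map keyed by `node_modules` paths), and both lockfile fragments are constructed to match the paths npm reported in this thread.

```javascript
// Added example: confirm an `overrides` entry took effect by reading the
// versions npm resolved into package-lock.json (lockfileVersion 2 or 3).

// Minimal major.minor.patch comparison, enough for a minimum-version check;
// a pre-release of the same core sorts below the release.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Every copy of `name` in the tree. Matching on the full "node_modules/<name>"
// suffix keeps "node_modules/semver-diff" from being mistaken for semver.
function resolvedCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Returns { ok, copies, below }; `below` lists copies older than minVersion.
function checkOverride(lock, name, minVersion) {
  const copies = resolvedCopies(lock, name);
  const below = copies.filter((c) => compareVersions(c.version, minVersion) < 0);
  return { ok: copies.length > 0 && below.length === 0, copies, below };
}

// Constructed lockfile fragment, before an override: two nested semver copies
// (5.7.1 and 7.0.0) beside the hoisted one, at the paths npm reported above.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "some-x123", version: "1.0.0" },
    "node_modules/semver": { version: "7.5.4" },
    "node_modules/nodemon": { version: "2.0.22" },
    "node_modules/nodemon/node_modules/semver": { version: "5.7.1" },
    "node_modules/simple-update-notifier": { version: "1.1.0" },
    "node_modules/simple-update-notifier/node_modules/semver": { version: "7.0.0" },
    "node_modules/semver-diff": { version: "3.1.1" },
  },
};

// Same tree after `"overrides": { "semver": "^7.5.2" }` and a fresh install:
// the nested copies are gone and the single hoisted copy satisfies the range.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "some-x123", version: "1.0.0" },
    "node_modules/semver": { version: "7.5.4" },
    "node_modules/nodemon": { version: "2.0.22" },
    "node_modules/simple-update-notifier": { version: "1.1.0" },
    "node_modules/semver-diff": { version: "3.1.1" },
  },
};

console.log(checkOverride(LOCK_BEFORE, "semver", "7.5.2"));
console.log(checkOverride(LOCK_AFTER, "semver", "7.5.2"));
```

Two things to check when the override appears not to work, as the original poster reports: `overrides` is honoured only by npm 8.3 and later (the npm 9.7.2 shown above qualifies), and it only changes what npm resolves on the next install, so the lockfile and `node_modules` built before the entry was added still contain the old copies until they are regenerated.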

venkateswarlumadala closed this as not planned on Jul 6, 2023
@venkateswarlumadala (Author)

@Ratstail91 thanks for your valuable information. I already tried this, but it did not work in my case.

@mStirner

mStirner commented Jul 6, 2023

Same issue

# npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install nodemon@1.14.9, which is a breaking change
node_modules/nodemon/node_modules/semver
node_modules/simple-update-notifier/node_modules/semver
  nodemon  1.4.10-alpha.1 - 1.4.10-alpha.3 || >=1.14.10
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of simple-update-notifier
  node_modules/nodemon
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Installed nodemon v2.0.22 and got the same security audit issue with semver.
Why is semver not updated from 5.7.1 to 7.5.2?

@fluentmoheshwar

Even though this issue got fixed in #2119, @remy hasn't published a new version to npm yet. The last version is 2.0.22, which was released 4 months ago and has this vulnerability.

@remy (Owner)

remy commented Jul 8, 2023

Actually, GitHub hasn't published it yet, not me!

I don't know why it's stuck in a queue, but I'll look at it once the week starts as I'm keen to get the release done. Closing in lieu of that 👍
