Critical vulnerability in socket.io-parser #801

jattasNI · 2022-11-02T14:50:24Z

🧹 Tech Debt

npm audit started failing due to a new critical vulnerability in socket.io-parser. This blocks the main PR workflow.

The package is pulled in by karma and @11y/eleventy:

eleventy has fixed a similar issue in the past but I haven't seen a discussion of this vulnerability yet
karma has an issue to track the vulnerability but no fix yet

npm ls socket.io-parser

├─┬ @ni/[email protected] -> ./packages/nimble-components
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected]
└─┬ @ni/[email protected] -> ./packages/site
  └─┬ @11ty/[email protected]
    └─┬ [email protected]
      ├─┬ [email protected]
      │ └─┬ [email protected]
      │   └── [email protected]
      └─┬ [email protected]
        └── [email protected]

The text was updated successfully, but these errors were encountered:

# Pull Request ## 🤨 Rationale As described in #801 we have a vulnerability that is causing `npm audit` to fail the PR build, preventing submissions. ## 👩‍💻 Implementation Comment out the audit step that's failing. We'll use the bug linked above to track re-enabling it. ## 🧪 Testing PR build ## ✅ Checklist  - [x] I have updated the project documentation to reflect my changes or determined no changes are needed.

rajsite · 2024-03-07T17:55:35Z

@fredvisser does Snyk replace the functionality that npm audit provided? If so then the action for this issue is to remove the audit steps from main.yml. Marking as "discussion" to see if we can make this issue go away.

fredvisser · 2024-03-13T17:39:19Z

Snyk doesn't support monorepos by default, so isn't picking up any of the package specific package.json files. So the current setup isn't good enough.
While they have a CLI flag that will find the other package.json files, we're using a web hook which doesn't appear to expose the option.

We could switch to a their Github Action or we could add the Github Dependency Review Action which would keep the workflow entirely with Github.

# Pull Request ## 🤨 Rationale #801 highlighted that our current use of `npm audit` is brittle. This action should elevate any issues tracked by Github to the PR. ## 👩‍💻 Implementation - Use the example config file from https://github.com/actions/dependency-review-action?tab=readme-ov-file - I'll remove the Snyk integration when this PR goes in ## 🧪 Testing This PR only highlights the packages that are changed (the Github Actions), but since the [Github dependency graph](https://github.com/ni/nimble/network/dependencies) sees our other NPM dependencies, I expect this will evaluate package.json issues when a PR has those changes in it. I could add known bad issues to this PR to validate, or we could just submit this and validate over time. ## ✅ Checklist  - [x] I have updated the project documentation to reflect my changes or determined no changes are needed.

rajsite · 2024-03-26T17:36:31Z

Fixed in #1930

rajsite · 2024-03-26T17:42:12Z

@fredvisser looking at the dependency review check instructions it says to check the following page: https://github.com/ni/nimble/security/dependabot

where there I see non-dismissed critical vulns, but it doesn't look like dependency review check is complaining about those, see build:
https://github.com/ni/nimble/actions/runs/8439038563

and log:
https://github.com/ni/nimble/actions/runs/8439038563/job/23112684298#step:3:8

Edit: Ohhh, it maybe is only detecting dependency changes based on the README: https://github.com/actions/dependency-review-action?tab=readme-ov-file#dependency-review-action

So that's great and it might be working fine. I'll re-close the issue

jattasNI added tech debt triage New issue that needs to be reviewed labels Nov 2, 2022

jattasNI mentioned this issue Nov 2, 2022

Temporarily disable npm audit of dev dependencies #802

Merged

1 task

nate-ni added this to Nimble Design System Priorities Nov 3, 2022

m-akinc removed the triage New issue that needs to be reviewed label Nov 8, 2022

jattasNI mentioned this issue Jul 18, 2023

Update dependencies to latest supported #1361

Merged

1 task

m-akinc moved this to Backlog in Nimble Design System Priorities Oct 25, 2023

jattasNI moved this from Backlog to In progress in Nimble Design System Priorities Mar 7, 2024

rajsite assigned fredvisser Mar 7, 2024

rajsite added discussion Questions, conversations, or announcements triage New issue that needs to be reviewed and removed discussion Questions, conversations, or announcements labels Mar 7, 2024

m-akinc removed the triage New issue that needs to be reviewed label Mar 12, 2024

fredvisser added the discussion Questions, conversations, or announcements label Mar 13, 2024

fredvisser mentioned this issue Mar 13, 2024

Add dependency review check #1930

Merged

1 task

rajsite closed this as completed Mar 26, 2024

rajsite reopened this Mar 26, 2024

rajsite closed this as completed Mar 26, 2024

m-akinc moved this from In progress to Done in Nimble Design System Priorities Mar 27, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Critical vulnerability in socket.io-parser #801

Critical vulnerability in socket.io-parser #801

jattasNI commented Nov 2, 2022

rajsite commented Mar 7, 2024

fredvisser commented Mar 13, 2024

rajsite commented Mar 26, 2024

rajsite commented Mar 26, 2024 •

edited

Loading

Critical vulnerability in socket.io-parser #801

Critical vulnerability in socket.io-parser #801

Comments

jattasNI commented Nov 2, 2022

🧹 Tech Debt

rajsite commented Mar 7, 2024

fredvisser commented Mar 13, 2024

rajsite commented Mar 26, 2024

rajsite commented Mar 26, 2024 • edited Loading

rajsite commented Mar 26, 2024 •

edited

Loading