Closed
Labels: bug
Description
Bug
We're using dependencies which have known vulnerabilities.
found 6 vulnerabilities (1 low, 3 moderate, 2 high) in 585 scanned packages
run `npm audit fix` to fix 2 of them.
1 vulnerability requires semver-major dependency updates.
3 vulnerabilities require manual review. See the full report for details.
How to replicate the bug
Check out the develop branch and run npm install. Use npm audit for details about the vulnerabilities.
git checkout develop
npm install
npm audit
=== npm audit security report ===

# Run npm install --save-dev [email protected] to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change

High            Regular Expression Denial of Service
Package         trim-newlines
Dependency of   gulp-sass [dev]
Path            gulp-sass > node-sass > meow > trim-newlines
More info       https://npmjs.com/advisories/1753

# Run npm update y18n --depth 5 to resolve 1 vulnerability

High            Prototype Pollution
Package         y18n
Dependency of   gulp-sass [dev]
Path            gulp-sass > node-sass > sass-graph > yargs > y18n
More info       https://npmjs.com/advisories/1654

# Run npm update chokidar --depth 2 to resolve 1 vulnerability

Moderate        Regular expression denial of service
Package         glob-parent
Dependency of   sass [dev]
Path            sass > chokidar > glob-parent
More info       https://npmjs.com/advisories/1751

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

Low             Prototype Pollution
Package         yargs-parser
Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Dependency of   gulp [dev]
Path            gulp > gulp-cli > yargs > yargs-parser
More info       https://npmjs.com/advisories/1500

Moderate        Regular expression denial of service
Package         glob-parent
Patched in      >=5.1.2
Dependency of   gulp [dev]
Path            gulp > glob-watcher > chokidar > glob-parent
More info       https://npmjs.com/advisories/1751

Moderate        Regular expression denial of service
Package         glob-parent
Patched in      >=5.1.2
Dependency of   gulp [dev]
Path            gulp > vinyl-fs > glob-stream > glob-parent
More info       https://npmjs.com/advisories/1751
Possible Fixes/Solutions
Some of the vulnerabilities can be auto-fixed using npm audit fix; others need manual review.
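As an added example that is not part of the original issue or the project's code, a small dependency-free JavaScript check of whether an installed version falls inside the "Patched in" ranges that npm audit prints (such as the yargs-parser and glob-parent ranges above), plus a helper that reads the direct dependency at the head of an audit path. Pre-release tags and wildcard ranges are assumed not to occur.

```javascript
// Added example: decide whether an installed version is covered by an npm audit
// "Patched in" range string, e.g. ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2".
// Assumption: plain MAJOR.MINOR.PATCH versions only (no pre-release tags, no "^"/"~").

function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version: ${v}`);
  }
  return parts;
}

// Numeric comparison per component, so "15.0.10" sorts after "15.0.1".
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  '>=': (c) => c >= 0, '>': (c) => c > 0,
  '<=': (c) => c <= 0, '<': (c) => c < 0, '=': (c) => c === 0,
};

// One comparator such as ">=13.1.2"; a bare version means an exact match.
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  return OPS[m[1] || '='](compareVersions(version, m[2]));
}

// Ranges are OR-ed on "||"; the comparators inside one range are AND-ed.
function isPatched(version, patchedIn) {
  return patchedIn.split('||').some((range) =>
    range.trim().split(/\s+/).every((c) => satisfiesComparator(version, c)));
}

// The package you actually control is the first hop of the audit path,
// e.g. "gulp > gulp-cli > yargs > yargs-parser" -> "gulp".
function directDependency(auditPath) {
  return auditPath.split('>')[0].trim();
}

// Constructed sample input taken from the report above.
const YARGS_PARSER_PATCHED = '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2';
console.log(isPatched('13.1.1', YARGS_PARSER_PATCHED)); // false
console.log(isPatched('18.1.2', YARGS_PARSER_PATCHED)); // true
```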