High vulnerability in dicer used by @expo/multipart-body-parser #20225

Open
emilhdiaz opened this issue Nov 26, 2022 · 4 comments
@emilhdiaz

Summary

npm/yarn audit reports that there is a High vulnerability present in the version of dicer used by @expo/multipart-body-parser. This package is a dependency of the EAS CLI package, but I presume that @expo/multipart-body-parser is part of the Expo SDK, not the EAS CLI, hence the bug report here.

yarn audit v1.22.19
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Crash in HeaderParser in dicer                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ dicer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eas-cli                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eas-cli > @expo/multipart-body-parser > dicer                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1070480                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

What platform(s) does this occur on?

Not Applicable

Environment

expo-env-info 1.0.5 environment info:
  System:
    OS: macOS 12.5.1
    Shell: 5.8.1 - /bin/zsh
  Binaries:
    Node: 16.16.0 - ~/.nvm/versions/node/v16.16.0/bin/node
    Yarn: 1.22.19 - ~/.nvm/versions/node/v16.16.0/bin/yarn
    npm: 8.19.2 - ~/.nvm/versions/node/v16.16.0/bin/npm
  Managers:
    CocoaPods: 1.11.3 - /opt/homebrew/bin/pod
  SDKs:
    iOS SDK:
      Platforms: DriverKit 22.1, iOS 16.1, macOS 13.0, tvOS 16.1, watchOS 9.1
  IDEs:
    Xcode: 14.1/14B47b - /usr/bin/xcodebuild
  npmPackages:
    expo: ^46.0.16 => 46.0.17 
    react: 18.0.0 => 18.0.0 
    react-dom: ~18.0.0 => 18.0.0 
    react-native: 0.69.6 => 0.69.6 
    react-native-web: ^0.18.7 => 0.18.10 
  npmGlobalPackages:
    eas-cli: 2.7.1
    expo-cli: 6.0.8
  Expo Workflow: managed

Minimal reproducible example

Install EAS CLI

yarn add eas-cli

followed by an audit

yarn audit
emilhdiaz added the "needs validation" label on Nov 26, 2022
@brentvatne (Member)

We resolve npm warnings whenever we can, and usually this means upgrading or switching dependencies, but we don't always have control over this. Sometimes a package has moved to a new name and made breaking changes at the same time, for example dropping support for a specific Node version that we support in eas-cli. Usually the warnings you see are from distant downstream dependencies, e.g. eas-cli depends on package a, which depends on x, which depends on y, which depends on z. We have to wait for a to update their dependency on x, which results in updating y and z.

Basically every non-trivial package in the Node ecosystem will come with messages like this on install due to the unfortunate way that unactionable warnings are exposed to users. Some tools use ncc to vendor the dependencies, which essentially hides the warnings but the underlying code is basically the same.

We update dependencies whenever it makes sense to, and we do that frequently. These warnings will not interfere with your usage of eas-cli :)

Read more: https://overreacted.io/npm-audit-broken-by-design/
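As an added example (not code from this issue, eas-cli or Expo): a small Python triage script over `yarn audit --json` output that recovers, for each advisory, the dependency path, how many hops below a direct dependency the vulnerable module sits, and whether any patched version exists. That is the data behind the "distant downstream dependencies" point above and the "No patch available" row in the report. The NDJSON field layout is assumed from yarn 1's audit format, and the sample input is constructed.

```python
import json
from collections import defaultdict

# Constructed sample of `yarn audit --json` (yarn 1.x) output, one JSON object per
# line. Field names follow yarn 1's auditAdvisory records (assumed format, not taken
# from the issue); the first advisory mirrors the issue's table, the second is invented.
SAMPLE_AUDIT_NDJSON = """\
{"type":"auditAdvisory","data":{"resolution":{"id":1070480,"path":"eas-cli>@expo/multipart-body-parser>dicer","dev":false,"optional":false,"bundled":false},"advisory":{"id":1070480,"module_name":"dicer","severity":"high","title":"Crash in HeaderParser in dicer","patched_versions":"<0.0.0","url":"https://www.npmjs.com/advisories/1070480"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":999999,"path":"eas-cli>placeholder-pkg","dev":true,"optional":false,"bundled":false},"advisory":{"id":999999,"module_name":"placeholder-pkg","severity":"moderate","title":"Constructed placeholder advisory","patched_versions":">=2.0.0","url":"https://example.invalid/advisories/999999"}}}
{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,"moderate":1,"high":1,"critical":0},"dependencies":10,"devDependencies":2,"optionalDependencies":0,"totalDependencies":12}}
"""
NO_PATCH = "<0.0.0"  # empty semver range npm advisory data uses for "No patch available" (assumption)

def parse_audit(ndjson):
    """Turn each auditAdvisory line into a flat triage record; other record types are skipped."""
    records = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("type") != "auditAdvisory":
            continue  # e.g. the trailing auditSummary
        res, adv = obj["data"]["resolution"], obj["data"]["advisory"]
        chain = res["path"].split(">")  # direct dependency first, vulnerable module last
        records.append({
            "module": adv["module_name"],
            "severity": adv["severity"],
            "root": chain[0],
            "depth": len(chain) - 1,  # hops below the direct dependency
            "dev_only": bool(res.get("dev")),  # reached only through a devDependency
            "patch_available": adv.get("patched_versions") not in (None, "", NO_PATCH),
        })
    return records

def classify(record):
    """What the audited project itself can do about one finding."""
    if not record["patch_available"]:
        return "no fix published"   # upstream must patch or replace the module
    if record["depth"] == 0:
        return "upgrade directly"   # the project declares the vulnerable package itself
    return "wait for upstream"      # a transitive pin has to move first

def summarize(records):
    """Group findings by the direct dependency that pulls them in."""
    by_root = defaultdict(list)
    for r in records:
        by_root[r["root"]].append((r["module"], r["severity"], r["depth"], classify(r)))
    return dict(by_root)
```

Feed it real output with `yarn audit --json > audit.ndjson` and pass the file contents to `parse_audit`; the "no fix published" bucket is the one an audit gate cannot be cleared for by the project itself.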

@brentvatne (Member)

It looks like this particular dependency is actionable for us in this case, although it's low priority because there is no way for anyone to actually exploit this vulnerability given usage of the library.

brentvatne added the "Issue accepted" label and removed the "needs validation" label on Nov 29, 2022
@expo-bot (Collaborator)

Thank you for filing this issue!
This comment acknowledges we believe this may be a bug and there’s enough information to investigate it.
However, we can’t promise any sort of timeline for resolution. We prioritize issues based on severity, breadth of impact, and alignment with our roadmap. If you’d like to help move it more quickly, you can continue to investigate it more deeply and/or you can open a pull request that fixes the cause.

@emilhdiaz (Author)

@brentvatne thanks for the analysis and the explanation!
