# sst
a
SST v1 dependency on zip-local, which depends on very old and vulnerable packages. 🧵
# npm audit report

async  <2.6.4
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install @serverless-stack/resources@0.4.5, which is a breaking change
node_modules/zip-local/node_modules/async
  zip-local  *
  Depends on vulnerable versions of async
  node_modules/zip-local
    @serverless-stack/resources  >=0.5.0
    Depends on vulnerable versions of zip-local
    node_modules/@serverless-stack/resources
      @serverless-stack/cli  >=0.5.0
      Depends on vulnerable versions of @serverless-stack/resources
      node_modules/@serverless-stack/cli

jszip  <3.7.0
Severity: moderate
Prototype Pollution - https://github.com/advisories/GHSA-jg8v-48h5-wgxg
fix available via `npm audit fix`
node_modules/jszip
package-lock.json
    "node_modules/zip-local": {
      "version": "0.3.5",
      "resolved": "https://registry.npmjs.org/zip-local/-/zip-local-0.3.5.tgz",
      "integrity": "sha512-GRV3D5TJY+/PqyeRm5CYBs7xVrKTKzljBoEXvocZu0HJ7tPEcgpSOYa2zFIsCZWgKWMuc4U3yMFgFkERGFIB9w==",
      "dev": true,
      "dependencies": {
        "async": "^1.4.2",
        "graceful-fs": "^4.1.3",
        "jszip": "^2.6.1",
        "q": "^1.4.1"
      }
    },
t
we should remove this, but also I think this should be a devDependency
a
SST is entirely a dev dependency, but security vulnerabilities during builds are still vulnerabilities - and NPM still nags about it upon every install.
t
I have some repo hygiene work coming up in the next few weeks and I'll include this
going to rework how we do all our builds
r
Staying closer to the CDK and being free of security warnings are my two big SST wishes, dependency wise haha
t
Staying closer to the CDK
^ what do you mean by this?
oh in terms of version?
r
Yes, sorry! Doesn't need to be same day necessarily, but generally being in alignment with the latest version would make dependency management and consuming new features a lot easier