
Replace or fix lit static analysis tool #2449

jcscottiii opened this issue Nov 8, 2022 · 0 comments
jcscottiii commented Nov 8, 2022

Currently, we use lit-analyzer to do static analysis of the lit components.

However, during the upgrade, fastnode was accidentally removed when running `npm audit fix --force` because it used a vulnerable version of glob-parent:

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/lit-analyzer/node_modules/glob-parent
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/lit-analyzer/node_modules/fast-glob
    lit-analyzer  0.0.7 - 1.2.1
    Depends on vulnerable versions of fast-glob
    node_modules/lit-analyzer

There is a long-standing issue to publish the new version.
In the meantime, we can override the glob-parent dependency as seen here: melink14/rikaikun#1101

UPDATE: There is an issue with `npm install` and `npm ci` not working correctly with overrides:


Short term

If those two issues above are fixed (which means overrides are honored 100% of the time), vulnerabilities will be fixed. Otherwise, we will need to solve this issue and the #2383 issue because they contribute to the remaining vulnerabilities.
Luckily, these are build tools.

We have to weigh using vulnerable build tools vs having a broken build tool. I will put a PR together for the former.

Long term

Long term, there is this first-party lit analyzer coming. We should probably use that when it is ready.

@jcscottiii jcscottiii added the bug label Nov 8, 2022
jcscottiii added a commit that referenced this issue Nov 8, 2022
fastglob will add a vulnerability.
The vulnerability would be prevented if overrides were honored
But currently, there is an npm bug and `npm ci` will be broken.
More details in #2449

Since it only affects the build tools, it's a low risk vulnerability.