Dependecy vulnerabilities

[darkerazul]

Hello,

My team was tasked to deploy this agent in several places, but on our due diligence before deploying, we scanned the code's dependencies with Black Duck, and found that there are a few dependencies that may introduce risk with the agent. These components have available packages for upgrades, but the concern is that the ones listed below, have exploit PoCs associated. I would like to start a discussion on the plan for upgrading these:
Critical:

• node-fetch: versions 1.7.3 and 2.6.1 were identified. Origin: npmjs - node-fetch/1.7.3 and node-fetch/2.6.1. Base score: 10 for CVE-2022-0235. Both identified versions are transitive. This version is vulnerable to the disclousure of sentive information due leacked cookie headers.

High:

• set-value: version 2.0.1 was identified. Origin: npmjs - set-value/2.0.1. Two BDSA were identified for this version, BDSA-2019-4362 and BDSA-2021-2911, with a base score of 9.8 and 9.3 respectively. This is a transitive dependency. This version is vulnerable to prototype pollution due to inproper input valiation.
• nth-check: version 6.0.5 was identified. Origin: npmjs - nth-check/1.0.2. Base score 7.5 for CVE-2021-3803 This is a transitive dependency.
• Underscore.js: version 1.9.1 was identified. Origin: npmjs - underscore/1.9.1. CVSS base score 8.1 for CVE-2021-23358. This is a transitive dependency. The Javascript library contains an arbitrary code execution vulnerability.

[scudette]

These dependencies are used either by the development server (node-fetch) or by the react web app.

For the react web app the attack surface is much lower (it runs in the browser with equal permissions as the user). Many of these CVEs are simply not exploitable because they run within the context of the browser on known code (for example we dont use template function of underscore so that CVE is not applicable, we dont issue user controlled regex on anything so slow regex are just not a threat at all).

For the react web app we look carefully at XSS/CSRF/XSSI etc as actual real threats - those npm "vulnerabilities" do not represent real issues and chasing them just takes resources away from real issues.

npm is well know for a lot of nonsensical false positives - here are some more discussions about this https://overreacted.io/npm-audit-broken-by-design/ we really need to look at each of these warnings carefully to decide if they apply to us (usually they do not).

We also have a Snyk project to help with these dependencies a bit and help upgrade when it is possible but generally it is not always possible to always upgrade all dependencies quickly - many of these are transitory.