Vulnerability in dependency http-server opener #22206

Closed

m-wagner98 opened this issue Mar 7, 2024 · 3 comments
@m-wagner98
Current Behavior

The OWASP dependency-check tool reports a known vulnerability in the @nx/webpack@18.0.7 package.
Vuln: CVE-2022-43604.
There is an issue on the http-server project side: http-party/http-server#860, which is still open.

Expected Behavior

The package should not have any known vulnerabilities, especially none with Base Score: CRITICAL (9.8).

GitHub Repo

No response

Steps to Reproduce

  1. Have an nx workspace where the following dependency is present in the package.json: "@nx/webpack": "18.0.7"
  2. Perform an OWASP dependency-check vulnerability scan.
  3. Inspect the report of the scan: the project contains known vulnerabilities in sub-dependencies. With the help of npm ls I could see where the vulnerable package came from:
     username@pc-name % npm ls opener
     @app/[email protected]
     └─┬ @nx/webpack@18.0.7
       └─┬ [email protected]
         └── [email protected]

Nx Report

Node   : 21.6.2
OS     : darwin-arm64
npm    : 10.2.4

nx                 : 18.0.7
@nx/js             : 18.0.7
@nx/jest           : 18.0.7
@nx/linter         : 18.0.7
@nx/eslint         : 18.0.7
@nx/workspace      : 18.0.7
@nx/angular        : 18.0.7
@nx/cypress        : 18.0.7
@nx/devkit         : 18.0.7
@nx/eslint-plugin  : 18.0.7
@nx/nest           : 18.0.7
@nx/node           : 18.0.7
@nrwl/tao          : 18.0.7
@nx/web            : 18.0.7
@nx/webpack        : 18.0.7
typescript         : 5.3.3
---------------------------------------
Community plugins:
@ionic/angular : 7.7.3

Failure Logs

No response

Package Manager Version

No response

Operating System

  • macOS
  • Linux
  • Windows
  • Other (Please specify)

Additional Information

No response

m-wagner98 changed the title from "Vulnerability in dependency hhtp-server opener" to "Vulnerability in dependency http-server opener" on Mar 7, 2024
FrozenPandaz added the label "scope: bundlers" (Issues related to webpack, rollup) on Mar 15, 2024
@jaysoo (Member) commented Jun 5, 2024

Is there actually a vulnerability here? The CVE linked mentions the "EIP Stack Group OpENer" project, specifically this commit: EIPStackGroup/OpENer@58ee13c.

This has nothing to do with the opener npm package, and might be a mistake by the scanner. If you run npm audit on projects using @nx/webpack you won't see any mentions of opener.
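As an added illustration, not part of this thread and not Nx's or dependency-check's own configuration: if you verify, as the comment above argues, that the report is a CPE name collision between the npm `opener` package and the EIPStackGroup OpENer project (check the CPE the scanner attached to the finding and cross-check with `npm audit`), the scanning-side fix is a targeted OWASP dependency-check suppression that pins both the package URL and the single CVE, instead of suppressing the dependency wholesale. The `notes` text and the package-URL regex are this example's assumptions; the opener version shown on the page is redacted, which is why a regex is used rather than an exact version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file for OWASP dependency-check (assumed name: suppressions.xml).
     Scope is deliberately narrow: only the npm "opener" package, only CVE-2022-43604.
     Any other CVE reported against opener, or this CVE against another package,
     still surfaces in the report. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: CVE-2022-43604 concerns the EIPStackGroup OpENer EtherNet/IP stack
      (C project), not the npm "opener" package (opens URLs/files with the OS default app).
      Matched by name collision in CPE identification. Re-evaluate if the scanner ever
      attaches a different CVE to this package.
    ]]></notes>
    <!-- Package URL of the affected dependency; regex so that any opener version matches. -->
    <packageUrl regex="true">^pkg:npm/opener@.*$</packageUrl>
    <!-- Suppress exactly one CVE, not all findings for the package. -->
    <cve>CVE-2022-43604</cve>
  </suppress>
</suppressions>
```

Pass the file to the CLI with `--suppression suppressions.xml` (the Maven and Gradle plugins take the same file through their `suppressionFiles` setting). Keep the justification in `notes`, since the suppression outlives the engineer who added it, and prefer a `packageUrl` plus `cve` pair over suppressing by file path or by CPE alone, so the rule does not silently hide a genuine opener advisory later.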

@jaysoo (Member) commented Jun 5, 2024

Closing this since it's not relevant. If this is a mistake please re-open with concrete examples of what the vulnerability is.

jaysoo closed this as completed Jun 5, 2024

github-actions bot commented Jul 6, 2024

This issue has been closed for more than 30 days. If this issue is still occurring, please open a new issue with more recent context.

github-actions bot locked as resolved and limited conversation to collaborators Jul 6, 2024