Component has multiple warnings with severity 'moderate' via npm audit #3995

Closed
iMicknl opened this issue Jul 19, 2021 · 2 comments · Fixed by #3996
Labels: Bot Services, bug, customer-reported

Comments

@iMicknl (Member) commented Jul 19, 2021

Version

4.14.0 (via NPM)

Describe the bug

In the custom visual that I am developing, it is not allowed to have any npm audit warning of a severity 'moderate' or higher.
It seems that there are a few due to node-fetch and sanitize-html; however, I am not able to resolve them via npm audit fix either. I didn't check the security (CVE) details yet; however, I would say that it should be possible to update these dependencies in some way.

When I use npm audit fix --force, it will downgrade botframework-webchat from ^4.14.0 to ^0.15.0, and I haven't been able to understand why yet. They mention it in the log below as well.

I am not 100% sure if this is an issue in the WebChat, or if I am doing something wrong, but I wonder if this is something someone has seen more often.

Steps to reproduce

  1. git clone https://github.com/iMicknl/powerbi-botframework-chat-transcripts.git
  2. cd powerbi-botframework-chat-transcripts.git
  3. npm audit
  4. See error
  5. npm audit fix
  6. See error
  7. npm audit fix --force

Expected behavior

No severity moderate warning, or a way to resolve them.

Additional context

Issue after npm audit fix

npm resolution error report

2021-07-19T15:23:28.315Z

Found: microsoft-cognitiveservices-speech-sdk@1.17.0
node_modules/microsoft-cognitiveservices-speech-sdk
  microsoft-cognitiveservices-speech-sdk@"1.17.0" from botframework-webchat@4.14.0
  node_modules/botframework-webchat
    botframework-webchat@"^4.14.0" from the root project
  microsoft-cognitiveservices-speech-sdk@"1.17.0" from botframework-directlinespeech-sdk@4.14.0
  node_modules/botframework-directlinespeech-sdk
    botframework-directlinespeech-sdk@"4.14.0" from botframework-webchat@4.14.0
    node_modules/botframework-webchat
      botframework-webchat@"^4.14.0" from the root project

Could not resolve dependency:
peer microsoft-cognitiveservices-speech-sdk@"~1.15.0" from web-speech-cognitive-services@7.1.0
node_modules/web-speech-cognitive-services
  web-speech-cognitive-services@"7.1.0" from botframework-webchat@4.14.0
  node_modules/botframework-webchat
    botframework-webchat@"^4.14.0" from the root project
  web-speech-cognitive-services@"7.1.0" from botframework-directlinespeech-sdk@4.14.0
  node_modules/botframework-directlinespeech-sdk
    botframework-directlinespeech-sdk@"4.14.0" from botframework-webchat@4.14.0
    node_modules/botframework-webchat
      botframework-webchat@"^4.14.0" from the root project

Fix the upstream dependency conflict, or retry
this command with --force, or --legacy-peer-deps
to accept an incorrect (and potentially broken) dependency resolution.

Output of npm audit (which mentions downgrade to 0.15.0)

node-fetch  <=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8
Denial of Service - https://npmjs.com/advisories/1556
fix available via `npm audit fix --force`
Will install botframework-webchat@0.15.0, which is a breaking change
node_modules/node-fetch
  cross-fetch  <=3.0.5
  Depends on vulnerable versions of node-fetch
  node_modules/cross-fetch
    botframework-directlinejs  0.11.6-master.2a17cd4 - 0.11.6-master.f5db3ed || >=0.12.0
    Depends on vulnerable versions of cross-fetch
    node_modules/botframework-directlinejs
      botframework-webchat  >=0.15.1-master.aeca50e
      Depends on vulnerable versions of botframework-directlinejs
      Depends on vulnerable versions of botframework-webchat-api
      Depends on vulnerable versions of markdown-it-attrs-es5
      Depends on vulnerable versions of sanitize-html
      node_modules/botframework-webchat

sanitize-html  <=2.3.1
Severity: moderate
Improper Input Validation - https://npmjs.com/advisories/1675
Improper Input Validation - https://npmjs.com/advisories/1676
fix available via `npm audit fix --force`
Will install botframework-webchat@0.15.0, which is a breaking change
node_modules/sanitize-html
  botframework-webchat  >=0.15.1-master.aeca50e
  Depends on vulnerable versions of botframework-directlinejs
  Depends on vulnerable versions of botframework-webchat-api
  Depends on vulnerable versions of markdown-it-attrs-es5
  Depends on vulnerable versions of sanitize-html
  node_modules/botframework-webchat

21 vulnerabilities (3 low, 18 moderate)

[Bug]

@iMicknl added the Bot Services, bug and customer-reported labels on Jul 19, 2021
@iMicknl changed the title from "Audit" to "Component has multiple warnings with severity 'moderate' via npm audit" on Jul 19, 2021
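As an added example (not code from this issue or from the Web Chat project), here is a small Python triage of the JSON report that `npm audit --json` prints in npm 7: it applies the "moderate or higher" gate described above, lists the root-cause advisories behind each finding, and flags when the fix npm offers is a breaking change that would downgrade a top-level package, which is exactly the botframework-webchat 4.14.0 to 0.15.0 downgrade that `--force` performs. The report is a constructed excerpt modelled on the output quoted in the issue, and the `installed` map (top-level versions read from package.json) is an assumption.

```python
import re

# Constructed excerpt shaped like the npm 7 (auditReportVersion 2) JSON report that
# `npm audit --json` prints; it is not the real output of the reporter's repository.
# npm names the same top-level fix for every finding: the breaking downgrade of webchat.
FIX = {"name": "botframework-webchat", "version": "0.15.0", "isSemVerMajor": True}
SAMPLE_REPORT = {"auditReportVersion": 2, "vulnerabilities": {
    "node-fetch": {"severity": "low", "isDirect": False, "effects": ["cross-fetch"],
                   "range": "<=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8", "fixAvailable": FIX,
                   "via": [{"source": 1556, "title": "Denial of Service", "severity": "low",
                            "url": "https://npmjs.com/advisories/1556"}]},
    "cross-fetch": {"severity": "low", "isDirect": False, "range": "<=3.0.5",
                    "effects": ["botframework-directlinejs"], "fixAvailable": FIX,
                    "via": ["node-fetch"]},  # a string in "via" is only a pointer
    "sanitize-html": {"severity": "moderate", "isDirect": False, "range": "<=2.3.1",
                      "effects": ["botframework-webchat"], "fixAvailable": FIX,
                      "via": [{"source": 1675, "title": "Improper Input Validation",
                               "severity": "moderate", "url": "https://npmjs.com/advisories/1675"},
                              {"source": 1676, "title": "Improper Input Validation",
                               "severity": "moderate", "url": "https://npmjs.com/advisories/1676"}]},
}}

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def _release_key(version):
    """Numeric key for plain x.y.z release versions (prerelease tags are ignored)."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())


def triage(report, installed, min_severity="moderate"):
    """Return the findings at or above min_severity, each with its root-cause advisory
    URLs, whether npm's offered fix is a breaking change, and whether applying it would
    downgrade one of `installed` (an assumed {name: version} map from package.json)."""
    findings = []
    for name, vuln in report["vulnerabilities"].items():
        if SEVERITY_RANK[vuln["severity"]] < SEVERITY_RANK[min_severity]:
            continue
        fix = vuln.get("fixAvailable")          # False, True or a {name, version, ...} dict
        fix_named = isinstance(fix, dict)
        downgrade = (fix_named and fix["name"] in installed and
                     _release_key(fix["version"]) < _release_key(installed[fix["name"]]))
        findings.append({
            "package": name, "severity": vuln["severity"],
            # dict entries in "via" are advisories; strings just name another package
            "advisories": [v["url"] for v in vuln["via"] if isinstance(v, dict)],
            "breaking_fix": fix_named and bool(fix["isSemVerMajor"]),
            "downgrade": bool(downgrade)})
    return findings
```

Against a real project, pass `json.load(open("audit.json"))` from `npm audit --json` as `report`; the "production-hitting" distinction compulim draws below is what `npm audit --production` (npm 6/7) or `npm audit --omit=dev` (npm 8 and later) reports.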
@compulim (Contributor) commented Sep 8, 2021

@iMicknl 4.14.1 is out with zero production-hitting vulnerabilities (as of now). 😉


@iMicknl (Member, Author) commented Sep 9, 2021

Thanks @compulim, great work :)!
