
Vulnerability with cross-spawn dependency - severity high #58

Open
iamkevinv opened this issue Nov 21, 2024 · 1 comment

Comments


iamkevinv commented Nov 21, 2024

Just raising the advisory here about the ReDoS vuln reported via npm audit, hoping to get a package update to @prisma/internals@^5.22.0 and @prisma/generator-helper@^5.22.0.

The advisory details were:

cross-spawn 7.0.0 - 7.0.4
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - GHSA-3xgq-45jj-v275
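One way to check a lockfile-style dependency tree for the affected cross-spawn range, as an added TypeScript example that is not part of this issue or the prisma-dbml-generator project; the sample tree and its version numbers are constructed:

```typescript
// Added example (not from the issue or the prisma-dbml-generator project):
// walk a package-lock-style dependency tree, find every path that reaches
// cross-spawn, and flag versions inside the advisory range 7.0.0 - 7.0.4.
type Tree = { version: string; dependencies?: Record<string, Tree> };

// Minimal semver triple compare (pre-release tags are ignored here).
function cmp(a: string, b: string): number {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] ?? 0) !== (pb[i] ?? 0)) return (pa[i] ?? 0) < (pb[i] ?? 0) ? -1 : 1;
  }
  return 0;
}

function inRange(v: string, lo: string, hi: string): boolean {
  return cmp(v, lo) >= 0 && cmp(v, hi) <= 0;
}

// Returns the dependency chains (parent > ... > cross-spawn@x) that resolve to an affected version.
function findAffected(root: Record<string, Tree>, pkg: string, lo: string, hi: string): string[] {
  const hits: string[] = [];
  const walk = (deps: Record<string, Tree>, path: string[]) => {
    for (const [name, node] of Object.entries(deps)) {
      const here = [...path, `${name}@${node.version}`];
      if (name === pkg && inRange(node.version, lo, hi)) hits.push(here.join(' > '));
      if (node.dependencies) walk(node.dependencies, here);
    }
  };
  walk(root, []);
  return hits;
}

// Constructed sample tree (versions are illustrative): cross-spawn reached through @prisma/internals.
const sampleTree: Record<string, Tree> = {
  '@prisma/internals': { version: '5.21.0', dependencies: { 'cross-spawn': { version: '7.0.3' } } },
  '@prisma/generator-helper': { version: '5.21.0' },
  jest: { version: '29.7.0', dependencies: { 'cross-spawn': { version: '7.0.5' } } },
};

function audit(): string[] {
  return findAffected(sampleTree, 'cross-spawn', '7.0.0', '7.0.4');
}
```

To run it against a real tree, replace sampleTree with the parsed `dependencies` object of package-lock.json. Until the parent package updates, npm's `overrides` field in package.json can pin the transitive cross-spawn version above the affected range.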

@iamkevinv iamkevinv changed the title Vulnerability with cross-spawn dependency - severity high Vulnerability with cross-spawn dependency from @prisma/internals - severity high Nov 21, 2024
@iamkevinv iamkevinv changed the title Vulnerability with cross-spawn dependency from @prisma/internals - severity high Vulnerability with cross-spawn dependency - severity high Nov 21, 2024
iamkevinv added a commit to iamkevinv/prisma-dbml-generator that referenced this issue Nov 21, 2024

iamkevinv commented Nov 21, 2024

Started prepping a PR, but noticed npm run dev was throwing type errors that I'm not familiar with how to resolve immediately, though all the tests are passing. Sorry, I'm not sure how to proceed.

> [email protected] dev
> tsc -p . && npm run prisma:generate

node_modules/@prisma/fetch-engine/dist/getProxyAgent.d.ts:1:32 - error TS2307: Cannot find module 'http-proxy-agent' or its corresponding type declarations.

1 import { HttpProxyAgent } from 'http-proxy-agent';
                                 ~~~~~~~~~~~~~~~~~~

node_modules/@prisma/fetch-engine/dist/getProxyAgent.d.ts:2:33 - error TS2307: Cannot find module 'https-proxy-agent' or its corresponding type declarations.

2 import { HttpsProxyAgent } from 'https-proxy-agent';
                                  ~~~~~~~~~~~~~~~~~~~

node_modules/@prisma/get-platform/dist/test-utils/jestContext.d.ts:3:32 - error TS2307: Cannot find module 'fs-jetpack/types' or its corresponding type declarations.

3 import type { FSJetpack } from 'fs-jetpack/types';
                                 ~~~~~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/engine-commands/getEnginesMetaInfo.d.ts:2:20 - error TS2307: Cannot find module 'fp-ts/Either' or its corresponding type declarations.

2 import * as E from 'fp-ts/Either';
                     ~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/engine-commands/getEnginesMetaInfo.d.ts:3:20 - error TS2307: Cannot find module 'fp-ts/Option' or its corresponding type declarations.

3 import * as O from 'fp-ts/Option';
                     ~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/engine-commands/getEngineVersion.d.ts:2:21 - error TS2307: Cannot find module 'fp-ts/TaskEither' or its corresponding type declarations.

2 import * as TE from 'fp-ts/TaskEither';
                      ~~~~~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/engine-commands/queryEngineCommons.d.ts:1:21 - error TS2307: Cannot find module 'fp-ts/TaskEither' or its corresponding type declarations.

1 import * as TE from 'fp-ts/TaskEither';
                      ~~~~~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/get-generators/generatorResolvers/prisma-client-js/auto-installation/getPackageCmd.d.ts:1:25 - error TS2307: Cannot find module '@antfu/ni' or its corresponding type declarations.

1 import { Command } from '@antfu/ni';
                          ~~~~~~~~~~~

node_modules/@prisma/internals/dist/resolveBinary.d.ts:2:21 - error TS2307: Cannot find module 'fp-ts/TaskEither' or its corresponding type declarations.

2 import * as TE from 'fp-ts/TaskEither';
                      ~~~~~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/tracing/types.d.ts:1:49 - error TS2307: Cannot find module '@opentelemetry/api' or its corresponding type declarations.

1 import type { Context, Span, SpanOptions } from '@opentelemetry/api';
                                                  ~~~~~~~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/utils/fs-functional.d.ts:1:20 - error TS2307: Cannot find module 'fp-ts/lib/Task' or its corresponding type declarations.

1 import * as T from 'fp-ts/lib/Task';
                     ~~~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/utils/fs-functional.d.ts:2:21 - error TS2307: Cannot find module 'fp-ts/lib/TaskEither' or its corresponding type declarations.

2 import * as TE from 'fp-ts/lib/TaskEither';
                      ~~~~~~~~~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/utils/tryLoadEnvs.d.ts:1:20 - error TS2307: Cannot find module 'dotenv' or its corresponding type declarations.

1 import dotenv from 'dotenv';
                     ~~~~~~~~

src/generator/dbml.ts:20:5 - error TS2345: Argument of type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; ... 10 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenera...' is not assignable to parameter of type 'ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; ... 9 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenerat...'.
  The type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; ... 10 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenera...' is 'readonly' and cannot be assigned to the mutable type 'ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; ... 9 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenerat...'.

20     dmmf.datamodel.models,
       ~~~~~~~~~~~~~~~~~~~~~

src/generator/dbml.ts:25:32 - error TS2345: Argument of type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; ... 10 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenera...' is not assignable to parameter of type 'ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; ... 9 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenerat...'.
  The type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; ... 10 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenera...' is 'readonly' and cannot be assigned to the mutable type 'ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; ... 9 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenerat...'.

25     ? generateManyToManyTables(dmmf.datamodel.models, mapToDbSchema)
                                  ~~~~~~~~~~~~~~~~~~~~~

src/generator/dbml.ts:27:31 - error TS2345: Argument of type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; values: ReadonlyDeep<{ name: string; dbName: string | null; }>[]; dbName?: string | null | undefined; documentation?: string | undefined; }>>>[]' is not assignable to parameter of type 'ReadonlyDeep<{ name: string; values: ReadonlyDeep<{ name: string; dbName: string | null; }>[]; dbName?: string | null | undefined; documentation?: string | undefined; }>[]'.
  The type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; values: ReadonlyDeep<{ name: string; dbName: string | null; }>[]; dbName?: string | null | undefined; documentation?: string | undefined; }>>>[]' is 'readonly' and cannot be assigned to the mutable type 'ReadonlyDeep<{ name: string; values: ReadonlyDeep<{ name: string; dbName: string | null; }>[]; dbName?: string | null | undefined; documentation?: string | undefined; }>[]'.

27   const enums = generateEnums(dmmf.datamodel.enums);
                                 ~~~~~~~~~~~~~~~~~~~~

src/generator/dbml.ts:28:34 - error TS2345: Argument of type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; ... 10 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenera...' is not assignable to parameter of type 'ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; ... 9 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenerat...'.
  The type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; ... 10 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenera...' is 'readonly' and cannot be assigned to the mutable type 'ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; ... 9 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenerat...'.

28   const refs = generateRelations(dmmf.datamodel.models, mapToDbSchema);
                                    ~~~~~~~~~~~~~~~~~~~~~

src/generator/enums.ts:5:54 - error TS2345: Argument of type 'readonly ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; }>>[]' is not assignable to parameter of type 'ReadonlyDeep<{ name: string; dbName: string | null; }>[]'.
  The type 'readonly ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; }>>[]' is 'readonly' and cannot be assigned to the mutable type 'ReadonlyDeep<{ name: string; dbName: string | null; }>[]'.

5     (e) => `Enum ${e.name} {\n` + generateEnumValues(e.values) + '\n}',
                                                       ~~~~~~~~

src/generator/relations.ts:39:11 - error TS2345: Argument of type 'readonly string[]' is not assignable to parameter of type 'string[]'.
  The type 'readonly string[]' is 'readonly' and cannot be assigned to the mutable type 'string[]'.

39           field.relationFromFields!,
             ~~~~~~~~~~~~~~~~~~~~~~~~~

src/generator/relations.ts:41:11 - error TS2345: Argument of type 'readonly string[]' is not assignable to parameter of type 'string[]'.
  The type 'readonly string[]' is 'readonly' and cannot be assigned to the mutable type 'string[]'.

41           field.relationToFields!!,
             ~~~~~~~~~~~~~~~~~~~~~~~~

src/generator/table.ts:20:9 - error TS2345: Argument of type 'readonly ReadonlyDeep<ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; isUpdatedAt?: boolean | undefined; ... 8 more ...; documentation?: string | undefined; }>>[]' is not assignable to parameter of type 'ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; isUpdatedAt?: boolean | undefined; ... 8 more ...; documentation?: string | undefined; }>[]'.
  The type 'readonly ReadonlyDeep<ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; isUpdatedAt?: boolean | undefined; ... 8 more ...; documentation?: string | undefined; }>>[]' is 'readonly' and cannot be assigned to the mutable type 'ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; isUpdatedAt?: boolean | undefined; ... 8 more ...; documentation?: string | undefined; }>[]'.

20         model.fields,
           ~~~~~~~~~~~~

src/generator/table.ts:35:61 - error TS2345: Argument of type 'readonly (readonly string[])[]' is not assignable to parameter of type 'string[][]'.
  The type 'readonly (readonly string[])[]' is 'readonly' and cannot be assigned to the mutable type 'string[][]'.

35   const hasCompositeUniqueIndex = hasCompositeUniqueIndices(model.uniqueFields);
                                                               ~~~~~~~~~~~~~~~~~~

src/generator/table.ts:37:64 - error TS2345: Argument of type 'readonly string[] | undefined' is not assignable to parameter of type 'string[] | undefined'.
  The type 'readonly string[]' is 'readonly' and cannot be assigned to the mutable type 'string[]'.

37     ? `\n\n  ${DBMLKeywords.Indexes} {\n${generateTableBlockId(primaryFields)}${
                                                                  ~~~~~~~~~~~~~

src/generator/table.ts:39:44 - error TS2345: Argument of type 'readonly (readonly string[])[]' is not assignable to parameter of type 'string[][]'.
  The type 'readonly (readonly string[])[]' is 'readonly' and cannot be assigned to the mutable type 'string[][]'.

39       }${generateTableCompositeUniqueIndex(model.uniqueFields)}\n  }`
                                              ~~~~~~~~~~~~~~~~~~


Found 24 errors in 14 files.

Errors  Files
     2  node_modules/@prisma/fetch-engine/dist/getProxyAgent.d.ts:1
     1  node_modules/@prisma/get-platform/dist/test-utils/jestContext.d.ts:3
     2  node_modules/@prisma/internals/dist/engine-commands/getEnginesMetaInfo.d.ts:2
     1  node_modules/@prisma/internals/dist/engine-commands/getEngineVersion.d.ts:2
     1  node_modules/@prisma/internals/dist/engine-commands/queryEngineCommons.d.ts:1
     1  node_modules/@prisma/internals/dist/get-generators/generatorResolvers/prisma-client-js/auto-installation/getPackageCmd.d.ts:1
     1  node_modules/@prisma/internals/dist/resolveBinary.d.ts:2
     1  node_modules/@prisma/internals/dist/tracing/types.d.ts:1
     2  node_modules/@prisma/internals/dist/utils/fs-functional.d.ts:1
     1  node_modules/@prisma/internals/dist/utils/tryLoadEnvs.d.ts:1
     4  src/generator/dbml.ts:20
     1  src/generator/enums.ts:5
     2  src/generator/relations.ts:39
     4  src/generator/table.ts:20
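The TS2345 errors above all share one shape: a readonly array from the DMMF is passed to a helper whose parameter is typed as a mutable array. The added example below, which is not the project's code and uses constructed types in place of the DMMF ones, shows the before and after of widening the parameter types so the dependency bump that removes the vulnerable cross-spawn can land:

```typescript
// Added example (not the prisma-dbml-generator code): the errors above are
// `readonly T[]` not assignable to `T[]`. Since the helpers only read their
// input, widening the parameter to `readonly` accepts both kinds of array.
type EnumValue = { name: string; dbName: string | null };

// Before: mutable parameter; a `readonly EnumValue[]` argument is rejected with TS2345.
function generateEnumValuesMutable(values: EnumValue[]): string {
  return values.map((v) => `  ${v.name}`).join('\n');
}

// After: `readonly` parameter accepts both readonly and mutable arrays.
function generateEnumValues(values: readonly EnumValue[]): string {
  return values.map((v) => `  ${v.name}`).join('\n');
}

// Same fix for the nested case seen in table.ts (`readonly (readonly string[])[]`).
function hasCompositeUniqueIndices(uniqueFields: readonly (readonly string[])[]): boolean {
  return uniqueFields.some((fields) => fields.length > 1);
}

// Constructed DMMF-like input, frozen the way the upgraded @prisma/internals types it.
const frozenValues: readonly EnumValue[] = Object.freeze([
  { name: 'ACTIVE', dbName: null },
  { name: 'DISABLED', dbName: 'disabled' },
]);
const frozenUnique: readonly (readonly string[])[] = [['email'], ['tenantId', 'slug']];

function demo(): { enumBlock: string; composite: boolean } {
  // @ts-expect-error TS2345: a readonly array is not assignable to a mutable parameter
  generateEnumValuesMutable(frozenValues);
  return {
    enumBlock: `Enum Status {\n${generateEnumValues(frozenValues)}\n}`,
    composite: hasCompositeUniqueIndices(frozenUnique),
  };
}
```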
