[NPMCLI-198] high-severity security vulnerability "npm:adm-zip:20180415" Created: 19/Dec/18  Updated: 12/Mar/19  Resolved: 11/Mar/19

Status: Closed
Project: Magnolia CLI
Component/s: None
Affects Version/s: None
Fix Version/s: 3.0.7

Type: Bug Priority: Major
Reporter: Samantha Mannino Assignee: Federico Grilli
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
causality
caused by NPMCLI-182 CLI jumpstart fails - due to regressi... Closed
supersession
supersedes NPMCLI-186 Unpin adm-zip dependency or replace i... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Release notes required:
Yes
Date of First Response:
Epic Link: Support
Sprint: Foundation 6
Story Points: 3

Description

Magnolia cli has a dependency on an old version of adm-zip which has a security vulnerability. More info here: https://snyk.io/vuln/npm:adm-zip:20180415

Please update the dependency, so that I can have magnolia-cli approved by my security team.



Comments
Comment by Christopher Zimmermann [ 19/Dec/18 ]

Need to be careful that in solving this issue we do not run into the same problem as NPMCLI-182

Comment by Samantha Mannino [ 18/Jan/19 ]

Hey! Any update on this issue? Really looking forward to be able to make use of Magnolia-CLI

Comment by Samantha Mannino [ 15/Feb/19 ]

Hello again! Still really looking forward to being able to use this! I have a new person joining in a couple weeks and would like them to get started with magnolia with the cli at their disposal.

Please let me know if there is anything I can do to help!

Comment by Christopher Zimmermann [ 18/Feb/19 ]

Resolving this is a little complicated since a recent adm-zip version was broken and so we needed to pin an earlier version.

(See https://jira.magnolia-cms.com/browse/NPMCLI-182)

It's possible that the problem is resolved in adm-zip with this pull request: https://github.com/cthackers/adm-zip/pull/238.

So we should simply try the latest adm-zip (0.4.13) and double-check that it does not cause the issue in NPMCLI-182.

Comment by Christopher Zimmermann [ 11/Mar/19 ]

Please test fix on Windows.

Comment by Federico Grilli [ 11/Mar/19 ]

Apparently the latest adm-zip (0.4.13 at the moment of writing this) still doesn't solve the issue for which we had to pin it to an earlier version. The issue was supposedly solved by https://github.com/cthackers/adm-zip/pull/238, which should have ended up in 0.4.12, but that was never released, whereas the 0.4.13 code is missing from their git repo (see https://github.com/cthackers/adm-zip/issues/271).
Something looks borked in there. So, eventually I went for removing the dependency on adm-zip and resorted to a different lib to decompress the zip and handled the copying of unzipped files myself.

One side remark on https://snyk.io/vuln/npm:adm-zip:20180415 - apparently that wasn't caught by npm audit which is rather odd.

Comment by Federico Grilli [ 12/Mar/19 ]

Hi Sam, cli 3.0.7 was just released on the npm public repo and it contains the fix for this issue: https://www.npmjs.com/package/@magnolia/cli

Cheers,

Federico for the Magnolia team


Generated at Mon Feb 12 04:47:29 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.