[rush] npm-check version in rush-lib is vulnerable

[cmalonzo]

Summary

rush-lib depends on a package with vulnerabilities: npm-check (here in package.json)

Repro steps

1. Run npm audit from a project that depends on @microsoft/rush-lib (say @microsoft/generator-sharepoint)
2. See following reports and tracking down the dependency tree, these are coming from @microsoft/rush-lib

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install @microsoft/spfx-web-build-rig@1.13.1, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        npm-check  >=3.2.7
        Depends on vulnerable versions of inquirer
        Depends on vulnerable versions of package-json
        Depends on vulnerable versions of update-notifier
        node_modules/npm-check
          @microsoft/rush-lib  >=5.4.0
          Depends on vulnerable versions of inquirer
          Depends on vulnerable versions of npm-check
          node_modules/@microsoft/rush-lib

Expected result: npm audit does not return above report.

Actual result: Returns above vulnerability.

Details

Solve by:
Bump npm-check version to below 3.2.7 or use an alternative like taze

Bug to address update-notifier vulnerability: dylang/npm-check#464

Standard questions

Please answer these questions to help us investigate your issue more quickly:

Question	Answer
Package name:	@microsoft/rush-lib
Package version?	5.158.0
Operating system?	Mac
Would you consider contributing a PR?
Node.js version (node -v)?	v18.20.2

[cmalonzo]

We might want to consider using https://www.npmjs.com/package/npm-check-updates or https://www.npmjs.com/package/taze instead of npm-check? The latter has not been updated in 3 years and downgrading to a version below 3.2.7 might introduce more issues. @nick-pape @octogonz @TheLarkInn

[cmalonzo]

Options explored:

1. Downgrading to npm-check 3.2.6. This pulls in a version of inquirer with a vulnerability.
2. Tried to use taze but has vulnerabilities:

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Vite middleware may serve files starting with the same │
│                     │ name with the public directory                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ vite                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=7.1.0 <=7.1.4                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.1.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>vitest>vite                                          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-g4jq-h2w9-997c      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Vite's `server.fs` settings were not applied to HTML   │
│                     │ files                                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ vite                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=7.1.0 <=7.1.4                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.1.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>vitest>vite                                          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-jqfw-vq24-v9c3      │
└─────────────────────┴────────────────────────────────────────────────────────┘
2 vulnerabilities found

Opened up a bug on vite to fix this here: antfu-collective/taze#208

3. Tried to use npm-check-updates, but that introduces even more vulnerabilities:

brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/@humanwhocodes/config-array/node_modules/brace-expansion
node_modules/@microsoft/api-extractor/node_modules/brace-expansion
node_modules/brace-expansion
node_modules/eslint-plugin-import/node_modules/brace-expansion
node_modules/eslint-plugin-n/node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion
node_modules/flat-cache/node_modules/brace-expansion
node_modules/npm-run-all/node_modules/brace-expansion
node_modules/typescript-json-schema/node_modules/brace-expansion

form-data  3.0.0 - 3.0.3 || 4.0.0 - 4.0.3
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/@cypress/request/node_modules/form-data
node_modules/form-data

lockfile-lint-api  <5.9.2
Severity: moderate
lockfile-lint-api Vulnerable to Incorrect Behavior Order - https://github.com/advisories/GHSA-7cfr-5cjf-32p4
fix available via `npm audit fix`
node_modules/lockfile-lint-api

on-headers  <1.1.0
on-headers is vulnerable to http response header manipulation - https://github.com/advisories/GHSA-76c9-3jph-rj3q
fix available via `npm audit fix`
node_modules/on-headers
  compression  1.0.3 - 1.8.0
  Depends on vulnerable versions of on-headers
  node_modules/compression
    verdaccio  2.2.7-r - 2.7.2 || 3.0.0-alpha.1 - 6.1.5
    Depends on vulnerable versions of compression
    node_modules/verdaccio

vite  6.0.0 - 6.3.5
Severity: moderate
Vite has an `server.fs.deny` bypass with an invalid `request-target` - https://github.com/advisories/GHSA-356w-63v5-8wf4
Vite's server.fs.deny bypassed with /. for files under project root - https://github.com/advisories/GHSA-859w-5945-r5v3
Vite middleware may serve files starting with the same name with the public directory - https://github.com/advisories/GHSA-g4jq-h2w9-997c
Vite's `server.fs` settings were not applied to HTML files - https://github.com/advisories/GHSA-jqfw-vq24-v9c3
fix available via `npm audit fix`
node_modules/vite

Opened bug on npm-check-updates here: raineorshine/npm-check-updates#1541

[dmichon-msft]

It's really weird for a tool for checking package versions to have a runtime dependency on Vite, which is a bundler.

Edit: Annoyingly, the only reason the dependency link from npm-check to update-notifier exists is because the package also functions as a command-line tool. We don't use it as such, so that dependency is never exercised, but there isn't a distribution that is only the API.

[octogonz]

How should we resolve this then?

[cmalonzo]

raineorshine/npm-check-updates#1541 was addressed. I'm exploring what it would look like to use npm-check-updates in place of npm-check.

[jorgeibarra13]

This is still active, will it be addressed with a new rush version soon?