[wordpress/scripts] 5 high severity vulnerabilities #63771

Open
2 tasks done
kjroelke opened this issue Jul 20, 2024 · 1 comment
Labels
[Package] Scripts /packages/scripts [Type] Bug An existing feature does not function as intended

Comments

@kjroelke

Description

Installing @wordpress/scripts package throws vulnerability errors with npm.

Terminal responds with "5 high severity issues" that appear to stem from ws, puppeteer-core, and lighthouse.

What I’ve tried:

  • Running npm audit fix --force downgrades @wordpress/scripts to v19.2.4, unsurprisingly causing 47 other vulnerabilities.
  • Using the overrides param in package.json fixes the issue:

```json
"overrides": {
  "ws": "^8.18.0",
  "lighthouse": "^12.1.0",
  "puppeteer-core": "^22.13.1"
}
```

Step-by-step reproduction instructions

  1. run npm install @wordpress/scripts or go through npx @wordpress/create-block
  2. run npm audit

Screenshots, screen recording, code snippet

```text
ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix --force`
Will install @wordpress/scripts@19.2.4, which is a breaking change
node_modules/lighthouse/node_modules/puppeteer-core/node_modules/ws
node_modules/puppeteer-core/node_modules/ws
  puppeteer-core  11.0.0 - 22.11.1
  Depends on vulnerable versions of ws
  node_modules/lighthouse/node_modules/puppeteer-core
  node_modules/puppeteer-core
    @wordpress/scripts  >=20.0.0
    Depends on vulnerable versions of @wordpress/e2e-test-utils-playwright
    Depends on vulnerable versions of puppeteer-core
    node_modules/@wordpress/scripts
    lighthouse  9.6.1 - 11.5.0
    Depends on vulnerable versions of puppeteer-core
    node_modules/lighthouse
      @wordpress/e2e-test-utils-playwright  >=0.9.1-next.5a1d1283.0
      Depends on vulnerable versions of lighthouse
      node_modules/@wordpress/e2e-test-utils-playwright
```

Environment info

Unsure if this bit matters, but for what it's worth:

  • Tested on 2 MacBook Pros with macOS 14.5 (Sonoma) with (respectively) i9 and M1 architecture
  • Node versions ^20 and ^22
  • npm versions 10.7 & ^10.8.0

Please confirm that you have searched existing issues in the repo.

  • Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

  • Yes
@kjroelke kjroelke added the [Type] Bug An existing feature does not function as intended label Jul 20, 2024
@Mamaduka Mamaduka added the [Package] Scripts /packages/scripts label Jul 22, 2024
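The overrides workaround in the issue body pins three transitive dependencies to versions chosen by hand. What `npm audit` actually reports is a set of affected version ranges, so the thing worth checking before committing such an override is that every pinned version sits outside the range the advisory names, and that it does so for the lowest version the caret range can resolve to. The script below is an added example, not code from the issue or from @wordpress/scripts: it parses the range syntax that `npm audit` prints ("8.0.0 - 8.17.0", ">=20.0.0", and so on), takes the affected ranges and the overrides block from the audit output and package.json quoted above as constructed inline data, and reports any override whose minimum version is still inside an affected range. The function names (`parseAuditRange`, `stillVulnerable`) and the second, deliberately bad override set are assumptions made for the example. What it cannot tell you is whether lighthouse still works against a puppeteer-core major it was never released with; an override bypasses the parent package's own dependency range, so that still needs a test run.

```javascript
// Added example (not from the issue or from @wordpress/scripts): confirm that
// versions pinned under "overrides" fall outside the ranges `npm audit` reports.
// All data below is constructed inline from the audit output and package.json
// quoted in the issue, so this runs offline.

// Parse "1.2.3" (a leading ^ or ~ is stripped, prerelease tags are ignored)
// into a [major, minor, patch] triple.
function parseVersion(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not an x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions: negative, zero or positive, like Array.prototype.sort expects.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Turn the range syntax `npm audit` prints ("8.0.0 - 8.17.0", ">=20.0.0",
// "<1.2.3", "<=1.2.3", or a single "1.2.3") into a predicate on a version.
function parseAuditRange(range) {
  const r = range.trim();
  let m;
  if ((m = /^(\S+)\s+-\s+(\S+)$/.exec(r))) {
    const lo = m[1];
    const hi = m[2];
    return (v) => compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0;
  }
  if ((m = /^(>=|<=|>|<)\s*(\S+)$/.exec(r))) {
    const op = m[1];
    const bound = m[2];
    return (v) => {
      const c = compareVersions(v, bound);
      if (op === ">=") return c >= 0;
      if (op === "<=") return c <= 0;
      if (op === ">") return c > 0;
      return c < 0;
    };
  }
  return (v) => compareVersions(v, r) === 0;
}

// Affected ranges, copied from the audit output in the issue (package -> range).
const affectedRanges = {
  ws: "8.0.0 - 8.17.0",
  "puppeteer-core": "11.0.0 - 22.11.1",
  lighthouse: "9.6.1 - 11.5.0",
};

// The overrides block from the issue. A caret override resolves to the newest
// matching version, so its lower bound is the pessimistic version to check.
const overrides = {
  ws: "^8.18.0",
  lighthouse: "^12.1.0",
  "puppeteer-core": "^22.13.1",
};

// Constructed counter-example: overrides whose lower bound is still in range.
const badOverrides = { ws: "^8.17.0", "puppeteer-core": "^22.11.1" };

// Return the override entries whose lowest resolvable version is still inside
// an affected range. Packages without an advisory entry are skipped.
function stillVulnerable(overrideMap, ranges) {
  const bad = [];
  for (const [pkg, override] of Object.entries(overrideMap)) {
    const range = ranges[pkg];
    if (!range) continue;
    if (parseAuditRange(range)(override)) bad.push({ pkg, override, range });
  }
  return bad;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("issue overrides still vulnerable:", stillVulnerable(overrides, affectedRanges));
  console.log("bad overrides still vulnerable:", stillVulnerable(badOverrides, affectedRanges));
}
```

Feed it the real inputs by reading `overrides` out of package.json and the `range` fields out of `npm audit --json`; the parsing here covers only the range forms visible in the issue's audit output, so extend `parseAuditRange` if your advisory uses `||` unions.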

rohjay commented Aug 30, 2024

Thanks for raising this, @kjroelke 👍
