Security alert for axios 0.19.0 (npm dependency) #958
Comments
|
Update: binary-install 0.0.1 → 0.1.1 |
|
This still (somewhat urgently) needs fixing. |
|
Yes, definitely. |
|
Since @ashleygwilliams and @drager are listed in the project readme as maintainers, could I ask either of you if the community can have a statement on the plan for resolving this high-severity security vulnerability? Thank you very much. |
I would happily merge PRs and publish new releases but unfortunately I don't have permission to publish I asked for permissions a long time ago but without success, same with the future plans for |
|
@drager does the same apply for publishing new versions to NPM? |
|
@Keavon As far as I know, yes unfortunately... |
|
Perhaps the first step in the right direction would be to find somebody who's willing to submit a PR. Then we can try to get them published afterwards. I will see if anybody in the Graphite community, or the broader Rust Gamedev community, is willing to help. |
|
@Keavon The PR is trivial and a non-issue, not least because one was submitted four months ago. The problem here is that apparently wasm-pack no longer has active developers with sufficient privileges to release further updates to this library - even for changes as simple as running The I don't suppose anyone has a way of contacting @ashleygwilliams IRL so we can get ownerships transferred to someone else? |
|
Wasn't there some API compatibility issue mentioned by @magcius?#973 (comment) |
As @btzy mentioned, I don't think it is trivial because this codebase uses an old version of Axios and the security issue was not backported. The API has changed in a major version release, so this project will need to be updated to use the new API. I haven't looked closely at how hard that would be (perhaps it is actually quite simple to change a few function calls). But if we do get a PR that fixes it, then it would be a lot easier to move forward if we can get a few minutes of @ashleygwilliams's time to reassign permissions to @drager.
Axios is the only one causing Dependabot alerts, so it is the first place to begin. Once we solve the issue of merging code and publishing new versions, it'll be easier to investigate other problems.
She has GitHub activity as recent as one month ago. Maybe she just has notifications disabled? There's an email and Twitter handle listed on her GitHub profile, those might be good places to reach out after we have a PR. I'll add a line to the Rust Gamedev newsletter's "Requests for Contribution" section in the next publication coming in the next week. |
|
wasm-pack appears to be unmaintained. See these issues: Ashley appears to have moved on from wasm work to Rust Foundation work, leaving this place in a bit of limbo. |
Fortunately wasm-pack does not depend on axios. It depends on binary-install, which in turn depends on axios. And the most recent version of binary-install (a) does not use a vulnerable version of axios and (b) appears to still be compatible with how wasm-pack uses it. Check the PR.
True, the axios issue is probably the highest priority issue to resolve, but there are other issues that will need to be dealt with, and even though they're on the Rust side, it's possible those issues could bleed over into the wasm-pack distributable - or worst case, into the WASM bundles it generates. (edit: I do not mean that any issues reported by They will have to be confronted at some point, and the current state of wasm-pack is that a simple change of upgrading one dependency to address a public vulnerability is nearly 5 months behind, does not bode well. The good news is that there is only one hurdle to clear and that's the ownership and/or publishing permissions for crates.io and npmjs.org - or alternatively, and arguably better, is allowing the community and @drager to continue development and finding enough free time for Ashley to perform the occasional publish. |
|
Thank you @simlay for the PR to fix this: #1012. I went ahead and emailed @ashleygwilliams and I'll report back in a few days if I don't hear back. Everyone with Twitter accounts, please go tweet her since we'd like to get control transferred over to @drager or at the very least, get this merged and a new minor release published to the package repositories. |
|
@Keavon Did you get a response? |
|
@drager Not yet. I also followed up a week later (five days ago, today). I'll try and remember in a couple days to follow up again, and continue doing so every week until I get a reply. Do you have any other suggestions about ways of taking over ownership that doesn't revolve around @ashleygwilliams as the single point of failure? |
I don't think there's any way to get ownership without Ashley. I wrote a thought in #1014 though, that's worth considering if do not get any answer. |
|
@drager I see 16 people listed in https://github.com/orgs/rustwasm/people and I'm wondering if anyone else might have admin-level privileges over the org, but isn't listed under this particular repo's user list. Maybe could someone with org-level admin privileges intervene? |
IIRC @ashleygwilliams is the only owner of the crates.io package. See |
|
Let's try and tackle one step at a time. If we can get back control of the GitHub repo, we might be able to see if the crates.io folks have a way to petition for control of publishing due to an owner who has disappeared off the face of the earth. |
@drager has already stated that he has the ability to accept pull requests. It's not necessary to transfer ownership of this repository for the time being. drager said it and I'll repeat it: the problem is crates.io and publishing new versions there. Not this repository here on GitHub. To the issue, crates.io does have a policy for transferring ownership:
They may have better luck at contacting Ashley. If not, they may be willing to transfer ownership to drager given that he is a maintainer here. npmjs.com would also be nice, since wasm-pack is published there too, but they do not handle abandonment.
Transferring ownership is a large step to take and one that should not be taken lightly, however the only other option I see is to republish this repo under a new name - or perhaps drager's fork, if crates.io doesn't allow a second package under the same source repo. |
Oh I see, thank you for clarifying that, I think I misunderstood the situation. If so, can @drager go ahead and merge #1012 right now? It is possible that npm may be willing to transfer from one GitHub maintainer to another when the one maintainer listed on npm has disappeared. I don't think it's necessarily accurate to call that abandonment, and due to the security vulnerability they may be willing to work with it. Alternatively, we just publish a second package under this official repo (not a fork). |
Sorry for being unclear. Yes, I can go ahead and merge PRs in this repo right now. Also yes, no need for any fork. EDIT: I actually could not merge PRs, due to pending checks... Perhaps it's possible for me to grab the PRs locally and merge them directly into master, but yeah. I think we need to remove those pending checks somehow... I do not have permission to do so. Can anyone of you do it @fitzgen @alexcrichton? |
|
Update: I now got publishing rights for |
|
@drager Were you able able to get publishing rights for npm? Now that the patch is merged, are you able to submit a release to crates.io and npm? Thanks so much for making this all happen! |
I was not given rights for npm nor |
|
@drager Hmm. That's unfortunate about npm, although I guess a fork is possible— were you ever in touch with @ashleygwilliams (and could therefore reply) or did your publishing privileges change without any words of communication? As for |
Agree... I was not in touch with her. My privileges changed without any communication. Yes, that's right about |
|
@drager I had assumed you had gotten in touch, thanks for clarifying. I will follow up my emails with a thank you and a request to go one step further to complete the job by adding you on npm. I realize the accounts may be different from GitHub and maybe that wasn't a quick thing to do without replying to request additional information. Do you have an npm account yet and could you give me the exact name so I can clearly pass that along? Regarding |
Sorry for being unclear 😅 Yes, here it is: https://www.npmjs.com/~drager I was referring to this binary-install actually: https://github.com/rustwasm/binary-install |
|
Is having rights on binary-install necessary? There are two parts to wasm-pack and both are located in this repo: the Rust crate which does all the work (./src), and the NPM package which essentially bootstraps it (./npm). |
Not the |
|
I didn't realize there are two unrelated |
Hehe yes, it's quite confusing. But the rust one that I linked was not updated, nor is published to npm. The rust one does not depend on axios, and does not have that security issue. |
|
Maybe I am confused too, but the issue it not closed right? There is still no way to update to a released version, which fixes this issue. |
This issue actually got auto closed when I merged #1012 |
So it should be re-opened, right? |
|
New versions published: |
|
Thank you @drager and @ashleygwilliams! So glad this is finally resolved 🥳. |
🐛 Bug description
There is a security alert for axios 0.19.0, which is in npm/package-lock.json.
🤔 Expected Behavior
It should be upgraded to 0.21.1. (Upgrading binary-install to 0.1.0 and then running npm update should fix it.)
👟 Steps to reproduce
Any package that uses wasm-pack has this warning:
🌍 Your environment
Include the relevant details of your environment.
wasm-pack version: 0.9.1
The text was updated successfully, but these errors were encountered: