Yarn.lock Vulnerabilities found in default Hugo Netlify CMS site

I started a new Hugo-powered Netlify CMS site, linked to github, and immediately received warnings of 8 security vulnerabilities due to outdated versions referenced in the yarn.lock file. I’ll post the full list below. Who can fix this on Netlify’s end? What can I do on my end?
I am unfamiliar with yarn and do not have it installed on my system. I’m leery of delving into that as my previous attempts to wrangle npm package updates on behalf of a netlifycms site led to lots of confusion and no clear benefit, and working with yarn seems similar. I chose netlifycms because it seemed simpler to manage, but these warnings have me worried.
Any tips? Warnings below:

Lodash -> 4.17.13
CVE-2019-10744 More information

high severity

Vulnerable versions: < 4.17.13

Patched version: 4.17.13

Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

CVE-2018-16487 More information

low severity

Vulnerable versions: < 4.17.11

Patched version: 4.17.11

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

CVE-2018-3721 More information

moderate severity

Vulnerable versions: < 4.17.5

Patched version: 4.17.5

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of “Object” via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Minimatch -> 3.0.2
CVE-2016-10540 More information

high severity

Vulnerable versions: < 3.0.2

Patched version: 3.0.2

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

jquery -> 3.4.0
CVE-2019-11358 More information

moderate severity

Vulnerable versions: < 3.4.0

Patched version: 3.4.0

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

axios -> 0.18.1
CVE-2019-10742 More information

high severity

Vulnerable versions: <= 0.18.0

Patched version: 0.18.1

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.

js-yaml -> 3.13.1
WS-2019-0032 More information

moderate severity

Vulnerable versions: < 3.13.0

Patched version: 3.13.0

Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources, leading to a Denial of Service.

Vulnerability data by WhiteSource

WS-2019-0063 More information

high severity

Vulnerable versions: < 3.13.1

Patched version: 3.13.1

js-yaml versions prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

mem -> 4.0.0
WS-2018-0236 More information

moderate severity

Vulnerable versions: < 4.0.0

Patched version: 4.0.0

In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.

lodash.template -> 4.5.0
CVE-2019-10744 More information

high severity

Vulnerable versions: < 4.5.0

Patched version: 4.5.0

Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

lodash.merge -> 4.6.2
CVE-2019-10744 More information

high severity

Vulnerable versions: < 4.6.2

Patched version: 4.6.2

Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

1 Like

I’m showing the same issue. I wonder if any Mods can chime in on this??

1 Like

Working on upgrading dependencies now, a lot of security issues in npm packages have popped up in the last two weeks.

Update: the Hugo template is now updated, no security warnings.

1 Like

Is there a documented path to update?

1 Like

Update re: a support thread with Netlify:

Since the way we use templates creates a new copy of the repo, nothing we do is going to fix your copy of it now since it is owned by you and we do not have write permissions to your repo (nor would we presume to change your code anyway!)

This explains how you can use yarn to upgrade your dependencies definitions, then commit the new yarn.lock to your repo, and you’ll be up to date: yarn upgrade | Yarn

If you know how to manage and install yarn, terrific! I do not, more on that below.
Idea for improvement: make some sort of a patch that default users can install / merge that takes care of these issues. Put a warning on it if it will overwrite changes more advanced users have made. Theoretically, if they are advanced enough to have made changes, they’d be advanced enough to update yarn manually.

Here’s my issue. I do not know yarn, have not installed it, I do not understand whether or not it was installed on my system by the netlify cms or if it was installed on my/their site, server (?). All I know is terminal (mac) doesn’t recognize any yarn-based commands.
I do not know what directory to install yarn to on my local system, nor do I know what any of these dependencies do.
If someone reads this and gets the reaction “this person doesn’t know enough to be on here” - exactly my point. Netlifycms.org has touted its simplicity, and was simple enough for me to get up and running - but then a more advanced need comes up and documentation is lacking, and there’s no way for me to resolve this within my current abilities.
Me stretching beyond my tech abilities? I own that. Netlifycms not providing documentation of how yarn is connected to this system nor how to update it? That’s on Netlify mate.

After doing yarn upgrade --latest, GitHub is no longer complaining but Netlify fails to build… I still hope to find the official way of upgrading the insecure dependencies. :frowning:

You can install yarn on Mac, Installation | Yarn :wink:

Yep, upgrading all of your dependencies to latest can include breaking changes in those dependencies. I typically use yarn upgrade-interactive --latest, which shows you which upgrades are available and what level of upgrade it is - patch and minor are usually safe, but anything major requires checking to make sure there are no migration steps. This isn’t specific to Netlify CMS or any particular project, just how package management works.

The Netlify CMS starters are mostly upgraded now, so you also have the option of fetching the latest upstream changes and rebasing onto them or merging them in to your current site.
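As an added check (not from this thread, Netlify, or the starter template), the following Node script reads a yarn.lock (v1 format) and reports any resolved version that is still below the patched versions listed in the warnings above, so you can confirm an upgrade actually took effect before committing the lock file. The lock fragment at the bottom is constructed for the demo, not the original site's yarn.lock.

```javascript
// Patched versions taken from the warnings quoted earlier in the thread.
const PATCHED = {
  lodash: "4.17.13", minimatch: "3.0.2", jquery: "3.4.0", axios: "0.18.1",
  "js-yaml": "3.13.1", mem: "4.0.0", "lodash.template": "4.5.0", "lodash.merge": "4.6.2",
};

// Parse yarn.lock v1: an unindented header such as `lodash@^4.17.4, lodash@^4.17.11:`
// (quoted for scoped packages) is followed by an indented `  version "4.17.11"` line.
function parseYarnLock(text) {
  const resolved = [];
  let names = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (!line || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      names = line.replace(/:\s*$/, "").split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""))
        .map((spec) => spec.slice(0, spec.lastIndexOf("@"))); // drop the range, keep @scope/name
    } else if (names) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) {
        for (const n of new Set(names)) resolved.push({ name: n, version: m[1] });
        names = null;
      }
    }
  }
  return resolved;
}

// Numeric major.minor.patch comparison; pre-release tags are ignored for this check.
function semverLess(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

function findVulnerable(lockText, patched = PATCHED) {
  return parseYarnLock(lockText)
    .filter(({ name, version }) => patched[name] && semverLess(version, patched[name]))
    .map(({ name, version }) => ({ name, version, patched: patched[name] }));
}

// Constructed sample lock fragment for the demo.
const SAMPLE_LOCK = `# yarn lockfile v1\n\naxios@^0.18.0:\n  version "0.18.0"\n\n` +
  `js-yaml@^3.12.0, js-yaml@^3.13.0:\n  version "3.13.0"\n\n` +
  `lodash@^4.17.4, lodash@^4.17.11:\n  version "4.17.13"\n\n"@scope/pkg@^1.0.0":\n  version "1.2.3"\n`;

console.log(findVulnerable(SAMPLE_LOCK)); // axios and js-yaml are still below the patched versions
```

Run it as `node check-lock.js` from the repo root after replacing SAMPLE_LOCK with `require("fs").readFileSync("yarn.lock", "utf8")`; an empty array means every listed package resolves at or above its patched version.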

Thank you for the help. To what directory am I supposed to install yarn?
Alternatively, do you have any documentation on merging the upstream changes into our sites? I am having difficulty with both.

Hi,

People usually install yarn globally. There are instructions on their website at Installation | Yarn or you can install it using NPM.

We don’t have any documentation on merging upstream changes, that’s not anything specific to how we handle things, but more about how you use git and merging in changes from repos you forked from, or other branches.

1 Like