Skip to content

Security: replace abandoned pkg coveralls with coveralls-next#305

Merged
alexander-akait merged 1 commit intopostcss:masterfrom
dinamic:security/use-coveralls-next-pkg
Feb 26, 2025
Merged

Security: replace abandoned pkg coveralls with coveralls-next#305
alexander-akait merged 1 commit intopostcss:masterfrom
dinamic:security/use-coveralls-next-pkg

Conversation

@dinamic
Copy link
Contributor

@dinamic dinamic commented Feb 14, 2025

The request package through 2.88.2 for Node.js allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).

The request package is no longer supported by the maintainer. Unfortunately, it's a dependency of the coveralls package, which also seems abandoned. This PR helps by replacing the coveralls package with coveralls-next.

@dinamic dinamic mentioned this pull request Feb 14, 2025
Open
@alexander-akait
Copy link
Collaborator

alexander-akait commented Feb 14, 2025

Looks like we need to generate lock files using 14/16 Node.js, can you do it using nvm?

@dinamic dinamic force-pushed the security/use-coveralls-next-pkg branch from 006d3ef to c17bade Compare February 17, 2025 17:14
@dinamic dinamic force-pushed the security/use-coveralls-next-pkg branch from c17bade to f73c495 Compare February 17, 2025 17:18
@dinamic
Copy link
Contributor Author

dinamic commented Feb 17, 2025

@alexander-akait it might have been because of the lockfileVersion.

nvm didn't work for me as going back to node 14 requires me to have an older version of python:

# nvm install 14
Downloading and installing node v14.21.3...
Downloading https://nodejs.org/dist/v14.21.3/node-v14.21.3-darwin-arm64.tar.xz...
curl: (56) The requested URL returned error: 404

download from https://nodejs.org/dist/v14.21.3/node-v14.21.3-darwin-arm64.tar.xz failed
grep: /Users/nick/.nvm/.cache/bin/node-v14.21.3-darwin-arm64/node-v14.21.3-darwin-arm64.tar.xz: No such file or directory
Provided file to checksum does not exist.
Binary download failed, trying source.
Detected that you have 10 CPU core(s)
Running with 9 threads to speed up the build
Clang v3.5+ detected! CC or CXX not specified, will use Clang as C/C++ compiler!
Local cache found: ${NVM_DIR}/.cache/src/node-v14.21.3/node-v14.21.3.tar.xz
Checksums match! Using existing downloaded archive ${NVM_DIR}/.cache/src/node-v14.21.3/node-v14.21.3.tar.xz
$>./configure --prefix=/Users/nick/.nvm/versions/node/v14.21.3 <
Node.js configure: Found Python 3.13.2...
Please use python3.10 or python3.9 or python3.8 or python3.7 or python3.6 or python3.5 or python2.7.
nvm: install v14.21.3 failed!

Fortunately, there is the node:14-slim docker image and it worked perfect.

Could you check if the pipelines is going to pass now?

P.S There are also other security risks as flagged by npm, but I'm not sure whether to use this PR to resolve all. What are your thoughts on this?

found 32 vulnerabilities (3 moderate, 25 high, 4 critical)

@alexander-akait alexander-akait merged commit 337129d into postcss:master Feb 26, 2025
5 checks passed
@alexander-akait
Copy link
Collaborator

alexander-akait commented Feb 26, 2025

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexander-akait alexander-akait alexander-akait approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dinamic @alexander-akait