Minor security issues in `expo/xdl`

#1

Hi there!

We are getting reports in our pipeline and local development machines of two minor/moderate security issues caused by the hoek library, https://nodesecurity.io/advisories/566. Below I’ve added the exact report of both issues. I see that the affected hoek library is included by an older joi version, which is then included by Expo’s xdl library. The full dependency chain is this:

<our-project>
└─┬ exp@54.0.0
  └─┬ xdl@50.0.0
    └─┬ joi@10.6.0
      └── hoek@4.2.1

Because npm@6 is now shipped with a build in security check on every install, and of course the newly added npm audit script, it’s maybe a good idea to try and resolve this issue? As far as I can tell, this is fixable by upgrading Expo’s xdl dependency of joi to ^13. In this version the patched hoek@>5 version is referenced (https://github.com/hapijs/joi/blob/v13.0.0/package.json).

I can make a PR for xdl if it helps. I’m not sure what this upgrade means regarding breaking changes. Luckily the devs of joi do have a clear changelog using their github issues. Unfortunately I can’t mention them because of the url limit here. But you can see them by listing all issues with the release notes label.

Let me know if I can do anything to help! :smile:

Cheers!
Cedric

The actual report output

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native-scripts [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-native-scripts > xdl > jsonwebtoken > joi > hoek       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native-scripts [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-native-scripts > xdl > jsonwebtoken > joi > topo >     │
│               │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
0 Likes

#2

Ah, I’ve got clearance on the links :grimacing:

Here are the release notes of Joi:

0 Likes

#3

hi @bycedric, if you could make a pr for this, that would be helpful. thanks!

1 Like

#4

Sure! I will create one after working hours, around ±18:00 (CEST).

0 Likes

#5

Hi @quinlanj!

I guess I owe you an apology, I accidentally mixed up Expo’s xdl and its actual cause, react-native-scripts. I see that the exact error originated from jsonwebtoken, which was included in xdl. Luckily this has been resolved already in xdl, but react-native-scripts actually uses an older/outdated version of xdl what caused our pipeline to raise the issues.

So it is not the xdl, but the create-react-native-app repo which should be fixed. That’s why I created and issue and PR to still have this fixed, https://github.com/react-community/create-react-native-app/issues/663.

Still, I’m sorry for incorrectly flagging this! You can resolve this forum discussion I think.

Have a great day!

Cheers,
Cedric

1 Like

closed #6

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

0 Likes