Parse-server 4.x.x dependency vulnerabilities - will they be patched?

sam11 · January 19, 2023, 3:43pm

Hi everyone

I’m grateful that this community exists and that Parse is being maintained even long after the shutdown by Facebook in 2016.

I believe parse-server 4.x.x is still under Long-Term-Support (LTS) and it has come to my attention that there are a few vulnerabilities in npm dependencies of this version:

https://github.com/parse-community/parse-server/pulls?q=is%3Aopen+is%3Apr+base%3Arelease-4.x.x

github.com/parse-community/parse-server

[Snyk] Fix for 4 vulnerabilities

parse-community:release-4.x.x ← parse-community:snyk-fix-1f51ce769dbe2fe4db1308afb5d3520c

opened 10:27PM - 22 Dec 22 UTC

parseplatformorg

+88 -82

This PR was automatically created by Snyk using the credentials of a real use…r. <h3>Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.</h3> #### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - package.json - package-lock.json #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:------------------------- ![high severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/h.png "high severity") | **671/1000** **Why?** Recently disclosed, Has a fix available, CVSS 7.7 | Improper Input Validation [SNYK-JS-JSONWEBTOKEN-3180020](https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180020) | Yes | No Known Exploit ![medium severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/m.png "medium severity") | **611/1000** **Why?** Recently disclosed, Has a fix available, CVSS 6.5 | Improper Authentication [SNYK-JS-JSONWEBTOKEN-3180022](https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180022) | Yes | No Known Exploit ![medium severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/m.png "medium severity") | **611/1000** **Why?** Recently disclosed, Has a fix available, CVSS 6.5 | Improper Restriction of Security Token Assignment [SNYK-JS-JSONWEBTOKEN-3180024](https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180024) | Yes | No Known Exploit ![medium severity](https://res.cloudinary.com/snyk/image/upload/w_20,h_20/v1561977819/icon/m.png "medium severity") | **526/1000** **Why?** Recently disclosed, Has a fix available, CVSS 4.8 | Use of a Broken or Risky Cryptographic Algorithm [SNYK-JS-JSONWEBTOKEN-3180026](https://snyk.io/vuln/SNYK-JS-JSONWEBTOKEN-3180026) | Yes | No Known Exploit (*) Note that the real score may have changed since the PR was raised. <details> <summary>Commit messages</summary> <details> <summary>Package name: jsonwebtoken</summary> The new version differs by 17 commits. <ul> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3">e1fa9dc</a> Merge pull request from GHSA-8cf7-32gw-wr33</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/5eaedbf2b01676d952336e73b4d2efba847d2d1b">5eaedbf</a> chore(ci): remove github test actions job (#861)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/cd4163eb1407aab0b3148f91b0b9c26276b96c6b">cd4163e</a> chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6">ecdf6cc</a> fix!: Prevent accidental use of insecure key sizes & misconfiguration of secrets (#852)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16">8345030</a> fix(sign&verify)!: Remove default `none` support from `sign` and `verify` methods, and require it to be explicitly configured (#851)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/7e6a86b1c25e5fd05733c52c118848341aba1c4e">7e6a86b</a> Upload OpsLevel YAML (#849)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/74d5719bd03993fcf71e3b176621f133eb6138c0">74d5719</a> docs: update references vercel/ms references (#770)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/d71e383862fc735991fd2e759181480f066bf138">d71e383</a> docs: document "invalid token" error</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/37650031fd0bac1a5b0d682bbfcf8c1705917aa9">3765003</a> docs: fix spelling in README.md: Peak -> Peek (#754)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/a46097e962621ab2ba718d1da6025cdeba3597c8">a46097e</a> docs: make decode impossible to discover before verify</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/15a1bc449ab529d540eb9c2be4e093f9f5b0278d">15a1bc4</a> refactor: make decode non-enumerable</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/5f10bf9957a2541828501cfecab0310908b2f62f">5f10bf9</a> docs: add jwtid to options of jwt.verify (#704)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/88cb9df18a1d2a7b24f8cfeaa6f5f5b87d2c027f">88cb9df</a> Replace tilde-indexOf with includes (#647)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/a6235fa561b5c30884c97ea0b30c3db3b546ae2c">a6235fa</a> Adds not to README on decoded payload validation (#646)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/5ed1f061869b7d4e624a51789fd4a135ddb34b45">5ed1f06</a> docs: fix tiny style change in readme (#622)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/9fb90cae493b6c556feba04477109e1cbef7f149">9fb90ca</a> style: add missing semicolon (#641)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/commit/a9e38b8bab4fc8532eccb9d97712bbf566a1fc6a">a9e38b8</a> ci: use circleci (#589)</li> </ul> <a href="https://snyk.io/redirect/github/auth0/node-jsonwebtoken/compare/7f1f8b4b842ca3168018ab1ef53001105a1a2948...e1fa9dcc12054a8681db4e6373da1b30cf7016e3">See the full diff</a> </details> <details> <summary>Package name: jwks-rsa</summary> The new version differs by 12 commits. <ul> <li><a href="https://snyk.io/redirect/github/auth0/node-jwks-rsa/commit/1e3ba0635b711d2743554c0ca443bccf1ac68e56">1e3ba06</a> Removes babel (#226)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jwks-rsa/commit/9c4fddf34cbd37bf86292becbfa1ab7990b1a843">9c4fddf</a> Update README.md</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jwks-rsa/commit/914dd424cd2fb7d562c961b92eadbd5a47e1e097">914dd42</a> V2 Release (#225)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jwks-rsa/commit/06217d72e66a3943d4789bed60446328b8a387f8">06217d7</a> fix: missing export (#217)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jwks-rsa/commit/8dc969858e789ca07fa0c90109f434364fce0276">8dc9698</a> Update cov path (#224)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jwks-rsa/commit/b66e83f8609797f7a5d712baba76a5d25043d707">b66e83f</a> Simplify request wrapper (#218)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jwks-rsa/commit/2408cac657c49275bf0a3526c2d7dd1df2eea11f">2408cac</a> Add alg to SigningKey types (#220)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jwks-rsa/commit/596e944357b8c7c11c1f73890e4982f45e734cbf">596e944</a> Merge pull request #221 from auth0/fix-package-lock</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jwks-rsa/commit/9148f51043b0c84ace805ffa7f64d796165b60a6">9148f51</a> jfrog -> npmjs</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jwks-rsa/commit/589dde80a792d49286d669c80367a82a6625472a">589dde8</a> Pinning Node Engine Versions (#212)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jwks-rsa/commit/dab5112bd2e274af1fa339aa89734110216ed0bf">dab5112</a> Release 1.12.2 (#213)</li> <li><a href="https://snyk.io/redirect/github/auth0/node-jwks-rsa/commit/61d434324498c77e9d109bf3b7fb23976c93bb35">61d4343</a> full JWK/JWS support (#205)</li> </ul> <a href="https://snyk.io/redirect/github/auth0/node-jwks-rsa/compare/f99d26196086a4915328c2ac0fde3a7aa2c3cc2d...1e3ba0635b711d2743554c0ca443bccf1ac68e56">See the full diff</a> </details> </details> Check the changes in this PR to ensure they won't cause issues with your project. ------------ **Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.* For more information: <img src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiI4OWUwZTRiNC0xNGRkLTQ4NjQtYWVjOC0wOTliOGVjNDgzNWYiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6Ijg5ZTBlNGI0LTE0ZGQtNDg2NC1hZWM4LTA5OWI4ZWM0ODM1ZiJ9fQ==" width="0" height="0"/> 🧐 [View latest project report](https://app.snyk.io/org/acinader/project/336712ed-1f11-481e-b163-45aa355637b8?utm_source=github&utm_medium=referral&page=fix-pr) 🛠 [Adjust project settings](https://app.snyk.io/org/acinader/project/336712ed-1f11-481e-b163-45aa355637b8?utm_source=github&utm_medium=referral&page=fix-pr/settings) 📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities) [//]: # (snyk:metadata:{"prId":"89e0e4b4-14dd-4864-aec8-099b8ec4835f","prPublicId":"89e0e4b4-14dd-4864-aec8-099b8ec4835f","dependencies":[{"name":"jsonwebtoken","from":"8.5.1","to":"9.0.0"},{"name":"jwks-rsa","from":"1.12.3","to":"2.0.0"}],"packageManager":"npm","projectPublicId":"336712ed-1f11-481e-b163-45aa355637b8","projectUrl":"https://app.snyk.io/org/acinader/project/336712ed-1f11-481e-b163-45aa355637b8?utm_source=github&utm_medium=referral&page=fix-pr","type":"auto","patch":[],"vulns":["SNYK-JS-JSONWEBTOKEN-3180020","SNYK-JS-JSONWEBTOKEN-3180022","SNYK-JS-JSONWEBTOKEN-3180024","SNYK-JS-JSONWEBTOKEN-3180026"],"upgrade":["SNYK-JS-JSONWEBTOKEN-3180020","SNYK-JS-JSONWEBTOKEN-3180022","SNYK-JS-JSONWEBTOKEN-3180024","SNYK-JS-JSONWEBTOKEN-3180026"],"isBreakingChange":true,"env":"prod","prType":"fix","templateVariants":["priorityScore"],"priorityScoreList":[671,611,611,526]}) --- **Learn how to fix vulnerabilities with free interactive lessons:** 🦉 [Use of a Broken or Risky Cryptographic Algorithm](https://learn.snyk.io/lessons/insecure-hash/javascript/?loc=fix-pr)

The second one looks the most notable to me and I’m not sure why the issue was closed.

I think maybe I’ve seen some of these also present in version 5.x.x

I know of some application and services that still rely on 4.x.x. Can we expect these remaining vulnerabilities to be patched by someone in this community before LTS is suspended in 4.x.x and moved to 5.x.x along with the release of parse-server 6.0? Any help is greatly appreciated

@Manuel hoping that you may be able to help out with this

Cheers!

Manuel · January 19, 2023, 4:47pm

Parse Server 4 is not under LTS anymore. The branch release-4.x.x is frozen and no further commits will be made, that includes auto-created PRs (snyk, etc.) and community provided PRs. If you rely on this branch you could fork and maintain it.

Parse Server 5 is under LTS, even though Parse Server 6 hasn’t been released yet. Parse Server 6 will be released in a few days. This transitory phase with 5 being in LTS while 6 isn’t released may be confusing, but this is the first year we are doing this on the fly and we’ve identified some procedural improvements for the next major release to avoid this.

With branch release-5.x.x in LTS, any security related bugs should be fixed there. We recommend to upgrade to Parse Server 5 and/or prepare to upgrade to Parse Server 6 which is pending release.