Seeing node module vulnerabilities after installing parse-server 4.10.4

Each time I update node modules for our Parse application, I'm seeing many vulnerabilities. We're getting ready for a major release, so I'm going through the server auditing process, making sure all modules are up to date. This time, I'm seeing more vulnerabilities than ever. In the process of trying to weed out the culprit, I removed all dependencies in the package.json file except for parse-server version 4.10.4 and have confirmed this is the module producing all of the vulnerabilities getting reported in Terminal.

From what I can tell, parse-server v4.10.4 is the latest version of the module. I would think I would not see any high or critical vulnerabilities, but I'm seeing 10 high and 1 critical. The critical vulnerability is caused by netmask <=2.0.0. Here is the full npm audit report:

# npm audit report

follow-redirects  <1.14.7
Severity: high
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/parse-server/node_modules/follow-redirects
  parse-server  >=2.7.0
  Depends on vulnerable versions of @graphql-tools/links
  Depends on vulnerable versions of @parse/push-adapter
  Depends on vulnerable versions of @parse/simple-mailgun-adapter
  Depends on vulnerable versions of follow-redirects
  node_modules/parse-server

netmask  <=2.0.0
Severity: critical
netmask npm package vulnerable to octal input data - https://github.com/advisories/GHSA-pch5-whg9-qr2r
Improper parsing of octal bytes in netmask - https://github.com/advisories/GHSA-4c7m-wxvm-r7gc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/netmask
  pac-resolver  <=4.2.0
  Depends on vulnerable versions of netmask
  node_modules/pac-resolver
    pac-proxy-agent  <=4.1.0
    Depends on vulnerable versions of pac-resolver
    node_modules/pac-proxy-agent
      proxy-agent  1.1.0 - 4.0.1
      Depends on vulnerable versions of pac-proxy-agent
      node_modules/proxy-agent
        mailgun-js  >=0.6.8
        Depends on vulnerable versions of proxy-agent
        node_modules/mailgun-js
          @parse/simple-mailgun-adapter  <=1.2.0
          Depends on vulnerable versions of mailgun-js
          node_modules/@parse/simple-mailgun-adapter
            parse-server  >=2.7.0
            Depends on vulnerable versions of @graphql-tools/links
            Depends on vulnerable versions of @parse/push-adapter
            Depends on vulnerable versions of @parse/simple-mailgun-adapter
            Depends on vulnerable versions of follow-redirects
            node_modules/parse-server

node-fetch  <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/cross-fetch/node_modules/node-fetch
  cross-fetch  <=3.1.4 || >=3.2.0-alpha.0
  Depends on vulnerable versions of node-fetch
  node_modules/cross-fetch
    @graphql-tools/links  <=8.2.1
    Depends on vulnerable versions of cross-fetch
    node_modules/@graphql-tools/links
      parse-server  >=2.7.0
      Depends on vulnerable versions of @graphql-tools/links
      Depends on vulnerable versions of @parse/push-adapter
      Depends on vulnerable versions of @parse/simple-mailgun-adapter
      Depends on vulnerable versions of follow-redirects
      node_modules/parse-server

node-forge  <1.0.0
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/node-forge
  @parse/node-apn  *
  Depends on vulnerable versions of node-forge
  node_modules/@parse/node-apn
    @parse/push-adapter  >=3.0.10
    Depends on vulnerable versions of @parse/node-apn
    node_modules/@parse/push-adapter
      parse-server  >=2.7.0
      Depends on vulnerable versions of @graphql-tools/links
      Depends on vulnerable versions of @parse/push-adapter
      Depends on vulnerable versions of @parse/simple-mailgun-adapter
      Depends on vulnerable versions of follow-redirects
      node_modules/parse-server

pac-resolver  <=4.2.0
Severity: high
Code Injection in pac-resolver - https://github.com/advisories/GHSA-9j49-mfvp-vmhm
Depends on vulnerable versions of netmask
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/pac-resolver
  pac-proxy-agent  <=4.1.0
  Depends on vulnerable versions of pac-resolver
  node_modules/pac-proxy-agent
    proxy-agent  1.1.0 - 4.0.1
    Depends on vulnerable versions of pac-proxy-agent
    node_modules/proxy-agent
      mailgun-js  >=0.6.8
      Depends on vulnerable versions of proxy-agent
      node_modules/mailgun-js
        @parse/simple-mailgun-adapter  <=1.2.0
        Depends on vulnerable versions of mailgun-js
        node_modules/@parse/simple-mailgun-adapter
          parse-server  >=2.7.0
          Depends on vulnerable versions of @graphql-tools/links
          Depends on vulnerable versions of @parse/push-adapter
          Depends on vulnerable versions of @parse/simple-mailgun-adapter
          Depends on vulnerable versions of follow-redirects
          node_modules/parse-server

14 vulnerabilities (3 low, 10 high, 1 critical)

And here is my package.json file. The x's are just redactions. In the published file, there is real data.

{
    "name": "xxx-parse-server",
    "version": "2.5.0",
    "description": "xxx server using the parse-server module",
    "private": true,
    "main": "index.js",
    "repository": {
        "type": "git",
        "url": "https://github.com/xxx/xxx.git"
    },
    "license": "MIT",
    "dependencies": {
        "@sendgrid/helpers": "7.x.x",
        "@sendgrid/mail": "7.x.x",
        "async": "^3.2.3",
        "cheerio": "~1.0.0-rc.10",
        "cluster": "0.x.x",
        "connect-timeout": "1.x.x",
        "cors": "2.x.x",
        "debug": "^4.3.3",
        "express": "4.x.x",
        "hat": "0.x.x",
        "html-pdf": "^3.0.1",
        "moment": "2.x.x",
        "mongodb": "4.x.x",
        "parse": "3.4.1",
        "parse-server": "^4.10.4",
        "qr-image": "3.x.x",
        "request": "2.88.2",
        "url-parse": "1.x.x",
        "valid-url": "1.x.x",
        "zxcvbn": "4.x.x"
    },
    "resolutions": {
        "lodash": "^4.17.21"
    },
    "scripts": {
        "start": "node index.js"
    },
    "engines": {
        "node": "16",
        "npm": "8"
    }
}

Here is the audit report for parse-server 5.0.0-alpha.23:

npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '[email protected]',
npm WARN EBADENGINE   required: { node: '>=12.20.0 <16' },
npm WARN EBADENGINE   current: { node: 'v16.13.2', npm: '8.1.2' }
npm WARN EBADENGINE }
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: The `apollo-tracing` package is no longer part of Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#tracing for details
npm WARN deprecated [email protected]: The `graphql-extensions` API has been removed from Apollo Server 3. Use the plugin API instead: https://www.apollographql.com/docs/apollo-server/integrations/plugins/
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: The functionality provided by the `apollo-cache-control` package is built in to `apollo-server-core` starting with Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#cachecontrol for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead

added 502 packages, and audited 503 packages in 13s

41 packages are looking for funding
  run `npm fund` for details

7 vulnerabilities (3 low, 4 high)

My question is, can I fix these vulnerabilities? Running "npm audit fix" doesn't work, because it downgrades parse-server, and I don't want to do that. Are these vulnerabilities known by the Parse community, and are they acceptable, or is there something wrong with my installation?

I can give more information as needed, but I'm not sure what else can help here. Thank you all in advance for taking your time to look at this and offer any help you can.



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow