Latest version of cli is pulling in insecure packages that have available patches

[G-Rath]

The latest version of the vercel cli is pulling in packages with known vulnerabilities that have available patches.

Current vulnerabilities:

• path-to-regexp v6.1.0, via @vercel/routing-utils and @vercel/remix-builder
  • ([node][routing-utils] Update path-to-regexp to v6.3.0 #12131, [node][routing-utils] Update path-to-regexp to v6.3.0 (internal) #12734 -> reverted: [remix-builder][node][routing-utils] revert path-to-regexp updates #12746)
  • GHSA-9wv6-86v2-598j
• path-to-regexp v6.2.1, via @vercel/node
  • ([node][routing-utils] Update path-to-regexp to v6.3.0 #12131, [node][routing-utils] Update path-to-regexp to v6.3.0 (internal) #12734 -> reverted: [remix-builder][node][routing-utils] revert path-to-regexp updates #12746)
  • GHSA-9wv6-86v2-598j
• debug v4.1.1, via @vercel/fun ([cli] Update @vercel/fun to v1.1.1 #11332, [cli] bump vercel/fun version #12701)
  • GHSA-gxpj-cx7g-858c
• semver v7.3.5, via @vercel/fun ([cli] Update @vercel/fun to v1.1.1 #11332, [cli] bump vercel/fun version #12701)
  • GHSA-c2qf-rxjj-qqgw
• tar v4.4.18, via @vercel/fun (patched in v1.1.5, just waiting for [cli] bump @vercel/fun to v1.1.5 #13070 to land)
  • GHSA-f5x3-32g6-xq36
• undici v5.28.4, via @vercel/node
  • GHSA-c76h-2ccp-4975
• esbuild v0.14.47, via @vercel/node and @vercel/gatsby-plugin-vercel-builder
  • GHSA-67mh-4wv8-2f99

While I don't believe any of these are exploitable in the context of this cli, they are a nuisance since non-breaking patches are available and security policies can make these expensive to ignore.

`npm audit` output as of 2025-02-11

# npm audit report

path-to-regexp  4.0.0 - 6.2.2
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/path-to-regexp
  @vercel/remix-builder  <=2.0.3 || >=5.2.4
  Depends on vulnerable versions of path-to-regexp
  node_modules/@vercel/remix-builder
    vercel  >=24.2.5-canary.0
    Depends on vulnerable versions of @vercel/fun
    Depends on vulnerable versions of @vercel/node
    Depends on vulnerable versions of @vercel/redwood
    Depends on vulnerable versions of @vercel/remix-builder
    node_modules/vercel
  @vercel/routing-utils  <=3.1.0 || >=5.0.0
  Depends on vulnerable versions of path-to-regexp
  node_modules/@vercel/routing-utils
    @vercel/redwood  >=0.6.1-canary.0
    Depends on vulnerable versions of @vercel/routing-utils
    node_modules/@vercel/redwood

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tar
  @vercel/fun  *
  Depends on vulnerable versions of tar
  node_modules/@vercel/fun

undici  4.5.0 - 5.28.4
Severity: moderate
Use of Insufficiently Random Values in undici - https://github.com/advisories/GHSA-c76h-2ccp-4975
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/undici
  @vercel/node  2.14.0 || >=3.0.2
  Depends on vulnerable versions of undici
  node_modules/@vercel/node

9 vulnerabilities (4 moderate, 5 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

Related issues and pull requests:

• Dependabot alert for undici  #11201
• Update tar for security fun#104
• fix: Update vulnerable dependencies fun#98
• update prod packages with CVE vulnerabilities fun#95
• Fix ReDos regression - debug package fun#96

[soulofmischief]

Thanks for staying on top of this @G-Rath

[G-Rath]

Thanks, but unfortunately I'm not confident that they'll get addressed anytime soon - we're currently in the process of reviewing moving our Vercel apps to Netlify since they setup a whole internal workflow to stay on top of these updates in response to my equivalent issue about their cli (which is even more impressive given they use a shrink-wrap.json where Vercel just pins their top level dependences).

I will continue to update this issue for the foreseeable future though

[justinoboyle]

This is very important for organizations that have security policies that require packages to be updated with all security patches.

[G-Rath]

Added new GHSA-9wv6-86v2-598j vulnerability, and marked micromatch as patched

[mrmckeb]

I realise that these are probably low priority for the team as these are probably not issues for the CLI, but it would help teams like ours if these were cleaned up. Dependabot raises these as security issues, and we need to dig in and assess if they really are issues or not.

CC @trek to perhaps raise with the team.

[chrisdenton-ct]

Hello,

I've got all of these vulnerabilities showing up in GitHub - including undici, btw - though I'm mainly concerned about path-to-regexp and semver as they are both rated as high risk.

Now I appreciate that the vulnerabilities may not be exploitable and therefore the risk level is arguably wrong, but even so, we've still got to convince our external auditors of this, which is going to take time and if we fail to do so then that's our security certification up in smoke. I'm sure many other vercel users will have similar problems.

So I would like to respectfully request an update, and reiterate that whilst this may be low priority for some people it is not low priority for everyone. Far from it.

[gaelperon]

+1 @chrisdenton-ct

It's important for us too

[omonk]

@chrisdenton-ct - I emailed vercel security directly about this a few months ago.

Essentially they said they're always keeping track of potential security threats and they're aware of these reports but they don't consider them issues and they're not going to fix it

[burtek]

Apparently it's not an issue for Vercel if companies can't use Vercel because the nested dependencies are flagged. Strange business decision

[chrisdenton-ct]

@chrisdenton-ct - I emailed vercel security directly about this a few months ago.

Essentially they said they're always keeping track of potential security threats and they're aware of these reports but they don't consider them issues and they're not going to fix it

Thanks, that's useful to know, though obviously I find that response from vercel to be disappointing.

[omonk]

I'll try and dig out the email tomorrow

[gaelperon]

I have sent an email to the Vercel security team

[omonk]

I emailed the security team requesting they fix the issues listed in this specific issue

Their reply on 23 Sept 2024:

---

Thank you for contacting the Vercel security team. Our software is patched in alignment with our internal vulnerability management process timelines, which relies heavily on contextualisation of vulnerabilities (not just CVSS rating).

We'll patch this vulnerability in due course, but please understand this may not be immediate based on the context of the vulnerability. If you would like to see this patched sooner and to contribute to the open source software ecosystem, the team would welcome any PRs to the repository.

Please feel free to reach out if you have any further questions or concerns.

---

My thoughts

All of the reported vulnerabilities have PRs against them. Some are still failing CI but it does feel a bit spicy to ask for paying customers to fix the product they're paying to use.

[joey-ma]

For those who still wanted to resolve this, I was able to patch this by adding the following to my package.json:

  "overrides": {
    "@vercel/node": {
      "path-to-regexp": "8.2.0"
    }
  },

Can't promise I'll be able to open a PR 🙃, but definitely appreciate the open-source community!

[joey-ma]

Tried following the Contributing Guidelines to open a PR, but it seems like there's quite a bit going on here. I'd imagine it'll take a while just to get past "Make sure all the tests pass before making changes."

Some things I've noticed: packages/functions/ had several no-undef eslint errors.

Theoretically this should be fixable by changing the eslintConfig's parserOptions.ecmaVersion to 2020 and env.es2020 to true, but it didn't work for me here. Noticed there were also tons of packages in .eslintignore... but not packages/functions.

In addition, there were several failing unit tests as well. 🙃 Might be better for someone internal who's more familiar with the overall app + testing to take a look?

[G-Rath]

@joey-ma if you're trying to do a PR patching path-to-regexp, I've already done that (#12131) and the team have been trying to get it landed looks like it's now been landed! 🎉 (#12734)

If you'd like to help out, I would recommend exploring upgrading tar in @vercel/fun (vercel/fun#104) as that's had no attention and requires a major version bump through from my initial research it seemed like it should be safe to just do because the only breaking changes were in Node versions that @vercel/fun already has dropped support for.

edit: ok for path-to-regexp it seems it was patched for a short while but then the team decided they wanted to rollout some monitoring so they're reverted the upgrade: #12746

[G-Rath]

Happy new year everyone!

I've updated this to reflect changes - namely:

• path-to-regexp has changed: @vercel/node seems to no longer use it, but it is now being used by @vercel/remix-builder though at least it's the same version of @vercel/routing-utils so technically one instance of the vulnerability went away
• debug and semver have been addressed: the cli is now finally using the updated version of @vercel/fun
• esbuild has been added
• undici has been added