
As part of a recent vulnerability (CVE-2021-3807), the npm package ansi-regex needs to be above 5.0.1 or 6.0.1 in all layers of Docker images.

What is a systematic way to upgrade the global npm packages?

The command npx npm-force-resolutions does not work on global packages (npm i -g or globally pre-installed packages).

Sohail Si
  • Does this answer your question? [How do I override nested NPM dependency versions?](https://stackoverflow.com/questions/15806152/how-do-i-override-nested-npm-dependency-versions) – Joe Oct 16 '21 at 20:59
  • No. Note that this https://stackoverflow.com/questions/15806152/how-do-i-override-nested-npm-dependency-versions is not related, as it is about a local package. My (this) question is about global npm packages. – Sohail Si Oct 22 '21 at 13:08

2 Answers

1

This is an old thread, but it may still help some people. The answer is you don't use NPM in your final container image.

For example, with a Docker multi-stage build it will be something like this:

# Build stage
FROM node:16-alpine3.15 as build

# Install dependencies
WORKDIR /
COPY package-lock.json .
COPY package.json .
RUN npm ci --production

# Final stage
FROM alpine:3.15 as final

# Upgrade APK
RUN apk --no-cache add --upgrade nodejs~16

# Setup application
RUN mkdir -p /app/simple-server
WORKDIR /app/simple-server
COPY . .
COPY --from=build node_modules node_modules

# Run App
ENTRYPOINT ["node", "index.js"]

You can see the final image doesn't have NPM, which is still vulnerable to CVE-2021-3807.

Artem A.
-1

This is not a clean solution, but it worked in a certain situation. The following scripts worked in Alpine Linux with Node.js 14.8.1.

The main script does a deep upgrade:

#!/usr/bin/env bash
# Locate every nested copy of ansi-regex under the global prefix and hand
# the directory of each owning package to the per-package fix script.
find /usr/lib -path '*/node_modules/ansi-regex/package.json' \
| sed -e 's/node_modules\/ansi-regex\/package.json$//' \
| xargs -I {} sh /root/scripts/upgrade_ansi_regex_in_submodule.sh {}

where the script /root/scripts/upgrade_ansi_regex_in_submodule.sh fixes each global submodule:

#!/usr/bin/env bash
# Fixes vulnerability CVE-2021-3807 in the given npm (global) package in the given folder
# $1 = base directory for the submodule

set -e

# Keep $1 out of the printf format string so a path containing % cannot break it
printf 'Fixing vulnerability of ansi-regex in %s\n' "$1"
cd "$1"
ls ./node_modules/ansi-regex

printf 'The Before package version:'
grep '"version":' node_modules/ansi-regex/package.json

# Force the nested copy up to the fixed release and record it in the package's package.json
npm i -f ansi-regex@5.0.1 --save

printf 'The After package version:'
grep '"version":' node_modules/ansi-regex/package.json

printf '... done %s\n-------\n\n' "$1"

Sohail Si
  • This assumes incorrectly that the underlying modules using ansi-regex can use the major version bump to 5.0.1, which you can't. You can try this, but you may end up breaking your dependencies. The short answer is there is NO clean way to do this without either monkeying with package-lock.json or getting the package maintainers to upgrade their libraries. – Joe Oct 16 '21 at 20:59
  • There is no `package-lock.json` for global npm modules. I couldn't see it. Your suggestion is wrong. As you said, there is no clean way to do this. But you didn't give a better solution to fix vulnerability CVE-2021-3807 (declared only last month). Your solution regarding package-lock.json is simply wrong. See this: https://stackoverflow.com/questions/14905375/lock-global-npm-packages – Sohail Si Oct 22 '21 at 13:13
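A check to run before and after either approach above, added here and not part of the question or either answer: it walks a global npm prefix, reads each nested ansi-regex package.json and reports copies below the versions the question names (5.0.1 on the 5.x line, 6.0.1 on 6.x and later). The fixture's package names (npm, yarn, eslint, old-tool) are constructed for the dry run, not a real install.

```shell
#!/usr/bin/env bash
# Added example: audit nested copies of ansi-regex under a global npm
# prefix for CVE-2021-3807, following the question's rule that a copy
# must be at least 5.0.1 (5.x line) or 6.0.1 (6.x line and later).

# Succeed when version $1 (x.y.z) satisfies that rule, fail otherwise.
ansi_regex_is_fixed() {
  IFS=. read -r major minor patch <<EOF
${1%%-*}
EOF
  n=$(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
  [ "$n" -ge 5000001 ] && { [ "$n" -lt 6000000 ] || [ "$n" -ge 6000001 ]; }
}

# Read "version" from a package.json without jq (npm writes the key on its own line).
package_version() {
  sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Report every nested copy under prefix $1 (e.g. /usr/lib); return 1 if any is still vulnerable.
audit_ansi_regex() {
  found=0
  while IFS= read -r pkg; do
    [ -n "$pkg" ] || continue
    ver=$(package_version "$pkg")
    if ansi_regex_is_fixed "$ver"; then
      printf 'ok         %s %s\n' "$ver" "${pkg%/package.json}"
    else
      printf 'VULNERABLE %s %s\n' "$ver" "${pkg%/package.json}"
      found=1
    fi
  done <<EOF
$(find "$1" -path '*/node_modules/ansi-regex/package.json' | sort)
EOF
  return "$found"
}

# Constructed fixture (hypothetical packages, not a real install): a throwaway
# prefix holding four nested copies, two of them below the fixed release.
make_fixture() {
  root=$(mktemp -d)
  for spec in npm:5.0.0 yarn:5.0.1 eslint:6.0.1 old-tool:4.1.0; do
    dir=$root/lib/node_modules/${spec%%:*}/node_modules/ansi-regex
    mkdir -p "$dir"
    printf '{\n  "name": "ansi-regex",\n  "version": "%s"\n}\n' "${spec#*:}" > "$dir/package.json"
  done
  printf '%s\n' "$root"
}
```

In an image, source the file and run `audit_ansi_regex /usr/lib` (or `/usr/local/lib`, depending on where the global prefix lives); a non-zero exit status is what a CI step should fail on.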