Bump npm dependencies (npm audit) #177

Merged
dividat-jgu merged 3 commits into dividat:main from knuton:npm-deps-bump on Jun 18, 2026
Conversation

@knuton

@knuton knuton commented Jun 6, 2026

Member

Manually bumped "bonjour" and "mocha" to latest versions, then ran npm audit fix.

Impact seems limited as all dependencies are used in dev/CI testing tools. Only possibly meaningful risk would be malicious network packages when replay tool is running on a dev machine.

Checklist

  • Changelog updated
  • Code documented

knuton added 2 commits June 6, 2026 16:29
The mocha bump is mostly to suppress warnings when running audit tools,
as the risk seems negligible in test/CI tool, no user input.

Network libraries referenced by bonjour pose a slightly more concrete
threat, as developers using the replay tool could in principle be
operating in networks with maliciously crafted network packages
circulating.
@socket-security

socket-security Bot commented Jun 6, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                           Supply Chain Security   Vulnerability   Quality   Maintenance   License
Updated  npm/[email protected] ⏵ 11.7.6          98 +1                   100             95 +1     97            100

View full report

@socket-security

socket-security Bot commented Jun 6, 2026


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm js-yaml is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.json › npm/[email protected] › npm/[email protected]

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@knuton

knuton commented Jun 6, 2026

Member Author

Obfuscated code: npm js-yaml is 90.0% likely obfuscated
Confidence: 0.90

Don't see any issue with this, the package bundles minified builds for use in browsers.

[image]

That minified file is not referenced as executable by the package.json file (sadly, npm does not allow deep linking).

@knuton knuton marked this pull request as ready for review June 6, 2026 17:56
@knuton knuton added the dependencies Pull requests that update a dependency file label Jun 6, 2026
@knuton knuton requested a review from dividat-jgu June 6, 2026 17:57
@knuton knuton mentioned this pull request Jun 6, 2026
@dividat-jgu

Contributor

I still get warnings with npm audit:

 ~/Code/driver nix $ git l | head -n 2
5122239 (HEAD) Apply `npm audit fix`
a4ee5b3 Bump dev deps with vulnerable dependencies

 ~/Code/driver nix $ npm audit
# npm audit report

diff  6.0.0 - 8.0.2
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/diff
  mocha  8.2.0 - 12.0.0-beta-3
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of serialize-javascript
  node_modules/mocha

serialize-javascript  <=7.0.4
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/serialize-javascript

3 vulnerabilities (1 low, 1 moderate, 1 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

I don’t understand why it suggests an older version of mocha.

@knuton

knuton commented Jun 8, 2026

Member Author

I don’t understand why it suggests an older version of mocha.

I did not check, but I assumed that it thinks that the older version does not depend on the vulnerable versions of the libraries.

Since these libraries don't run on unknown input, I didn't think these issues were concerning and would just wait out an updated version of mocha (v12, I assume).

@dividat-jgu

Contributor

Running the driver and the replayer, I can see the Senso being connected and active on main, but on this branch, I can connect the driver but not the Senso nor any activation.

[image]

@knuton

knuton commented Jun 8, 2026

Member Author

Thanks, sorry for not catching this myself.

The innocuous-seeming bump PR in bonjour implies that there were some changes to how TXT entries are handled: watson/bonjour#82

watson/bonjour@v3.5.0...v3.5.1
watson/bonjour#85

I patched the logging code for service discovery:

diff --git i/src/dividat-driver/websocket/main.go w/src/dividat-driver/websocket/main.go
index fef0a96..652edfc 100644
--- i/src/dividat-driver/websocket/main.go
+++ w/src/dividat-driver/websocket/main.go
@@ -223,7 +223,8 @@ func (handle *Handle) dispatchCommand(ctx context.Context, log *logrus.Entry, co
 
 		go func(entries chan protocol.DeviceInfo) {
 			for entry := range entries {
-				log.WithField("service", entry).Debug("Discovered service.")
+				jsonb, _ := entry.MarshalJSON()
+				log.WithField("service", string(jsonb)).Debug("Discovered service.")
 
 				var message protocol.Message
 				message.Discovered = &entry
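Review bot: `jsonb, _ := entry.MarshalJSON()` discards the marshal error, so a DeviceInfo that fails to serialize is logged as an empty "service" string with no indication why. Since this is a debug line anyway, keep the error in the same entry, e.g. `jsonb, err := entry.MarshalJSON()` followed by `log.WithError(err).WithField("service", string(jsonb)).Debug("Discovered service.")`. Note also that the replaced line already passed the struct to the logger; what this change makes visible is how DeviceInfo's TXT field marshals, which is exactly the difference between main and this branch that the comment below points at.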

This shows that where on main the txt entry is [\"ser_no=31-00000000\",\"mode=Application\"], on this branch it is \"\\\\018ser_no=31-00000000\\\\016mode=Application\"]. Something stuffs up the encoding (or possibly decoding).

I rechecked the CVE for ip (the reason to bump), and it seems to be a missed case in a predicate function to detect public vs private IPs. Not something that actively does something, but something that gives false information based on which something might do something.

I wonder whether we should even bother with this update. Maybe the replay tool (and possibly tests) are minimal enough to allow us a rewrite in Go, Python (or of course Rust™) and avoid Node ecosystem entirely here.
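The comment above describes the `ip` advisory as a faulty public/private predicate that returns "false information based on which something might do something". The thread does not show the missed case, so the following is an added Go example (not code from the driver, the replay tool or the `ip` package) of how such a classifier can be written to fail closed instead: `net/netip` refuses non-canonical spellings such as `127.1`, `0x7f.0.0.1` or `0177.0.0.1`, so they produce an error rather than a "public" verdict, and IPv4-mapped IPv6 addresses are unmapped before being judged. The inputs in `main` are constructed, the shorthand forms are assumed illustrations rather than the advisory's actual case, and the CGNAT range is an addition beyond anything the thread mentions.

```go
package main

import (
	"fmt"
	"net/netip"
)

// cgnat is the RFC 6598 shared address space, which netip.Addr.IsPrivate does
// not cover; treating it as non-public is an assumption of this example.
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// IsLocalAddr reports whether s names an address that is not globally routable
// (private, loopback, link-local, multicast, unspecified or CGNAT).
//
// It fails closed: any textual form that netip refuses to parse, such as the
// shorthand "127.1", the hex form "0x7f.0.0.1" or octets with leading zeros
// like "0177.0.0.1", yields an error rather than a "public" verdict. IPv4-mapped
// IPv6 addresses (::ffff:10.0.0.1) are unmapped first so they are judged as the
// IPv4 address they carry.
func IsLocalAddr(s string) (bool, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false, fmt.Errorf("refusing to classify %q: %w", s, err)
	}
	addr = addr.Unmap()
	switch {
	case addr.IsPrivate(), // 10/8, 172.16/12, 192.168/16, fc00::/7
		addr.IsLoopback(),
		addr.IsLinkLocalUnicast(),
		addr.IsLinkLocalMulticast(),
		addr.IsInterfaceLocalMulticast(),
		addr.IsMulticast(),
		addr.IsUnspecified(),
		cgnat.Contains(addr):
		return true, nil
	}
	return false, nil
}

func main() {
	// Constructed inputs: canonical addresses plus three spellings that a
	// lenient parser might silently accept as 127.0.0.1.
	for _, s := range []string{"10.1.2.3", "8.8.8.8", "::ffff:192.168.1.1", "127.1", "0x7f.0.0.1", "0177.0.0.1"} {
		local, err := IsLocalAddr(s)
		fmt.Printf("%-20s local=%v err=%v\n", s, local, err)
	}
}
```

The point of returning an error for unparseable input is that the caller has to decide what to do with "unknown", rather than receiving a confident "public" for an address that the operating system would later route to loopback or a private network.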

@knuton knuton added details needed Further information requested to better evaluate changes and removed dependencies Pull requests that update a dependency file labels Jun 8, 2026
Trying to upgrade to 3.5.1 breaks the serialization of mDNS txt entries
in the replay tool, after which the simulated Senso's mDNS data can not
be parsed by the app and will therefore not be found.

v3.5.1 of `bonjour` was a bump triggered by a vulnerability alert
ultimately stemming from a faulty predicate function in the `ip`
package, misclassifying some public/private IPs[^1]. `ip` is a
transitive dependency brought in by `dns-packet`. `dns-packet` only uses
`ip` to serialize addresses, not to classify them[^2].

[^1]: watson/bonjour@v3.5.0...v3.5.1
[^2]: https://github.com/mafintosh/dns-packet/blob/v1.3.4/index.js
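The commit message above attributes the breakage to the serialization of the mDNS TXT entries, and the log excerpt earlier in the thread shows the length markers of the TXT wire format ending up inside the strings the driver receives. As an added example, not code from the driver, the replay tool or bonjour, the following Go block decodes and encodes TXT RDATA as RFC 1035 defines it (one length octet followed by that many bytes, repeated), applies the DNS-SD key/value rules of RFC 6763 section 6.4, and reproduces the double-encoding failure mode: an already encoded blob handed to the encoder as one string keeps its inner length octets as data, so `ser_no` can no longer be found. The two entry strings are taken from the log excerpt; the bytes are constructed by encoding them here, not captured from a device, and the assumption that bonjour 3.5.1 double-encodes in exactly this way is the example's, not the thread's.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrTruncatedTXT is returned when a length octet promises more bytes than remain.
var ErrTruncatedTXT = errors.New("txt rdata: length prefix runs past end of data")

// ParseTXTRData decodes the RDATA of a DNS TXT record (RFC 1035 section 3.3.14):
// a sequence of <character-string>s, each one length octet followed by that
// many bytes. It never reads past the slice, so a truncated or forged record
// yields an error instead of a panic.
func ParseTXTRData(rdata []byte) ([]string, error) {
	var out []string
	for i := 0; i < len(rdata); {
		n := int(rdata[i])
		i++
		if i+n > len(rdata) {
			return nil, fmt.Errorf("%w: need %d bytes at offset %d, have %d", ErrTruncatedTXT, n, i, len(rdata)-i)
		}
		out = append(out, string(rdata[i:i+n]))
		i += n
	}
	return out, nil
}

// EncodeTXTRData is the inverse of ParseTXTRData; each string must fit one length octet.
func EncodeTXTRData(entries []string) ([]byte, error) {
	var b []byte
	for _, e := range entries {
		if len(e) > 255 {
			return nil, fmt.Errorf("txt entry %q is %d bytes, max 255", e, len(e))
		}
		b = append(b, byte(len(e)))
		b = append(b, e...)
	}
	return b, nil
}

// TXTToMap applies the DNS-SD key/value rules of RFC 6763 section 6.4 to decoded
// entries: keys are case-insensitive (normalised to lower case), the first
// occurrence of a key wins, an entry without '=' is a boolean attribute with an
// empty value, and entries that are empty or start with '=' are ignored.
func TXTToMap(entries []string) map[string]string {
	m := make(map[string]string)
	for _, e := range entries {
		key, val, _ := strings.Cut(e, "=")
		key = strings.ToLower(key)
		if key == "" {
			continue
		}
		if _, seen := m[key]; seen {
			continue
		}
		m[key] = val
	}
	return m
}

// SensoTXT holds the two TXT entries from the log excerpt in this thread; the
// wire bytes are constructed from them below, not captured from a real Senso.
var SensoTXT = []string{"ser_no=31-00000000", "mode=Application"}

func main() {
	good, _ := EncodeTXTRData(SensoTXT)
	entries, err := ParseTXTRData(good)
	fmt.Printf("entries=%q err=%v map=%v\n", entries, err, TXTToMap(entries))

	// Double encoding: the already length-prefixed blob is handed to the encoder
	// as if it were a single string, so the inner length octets survive as data
	// and the decoded "key" becomes "\x12ser_no" instead of "ser_no".
	bad, _ := EncodeTXTRData([]string{string(good)})
	entries, _ = ParseTXTRData(bad)
	_, found := TXTToMap(entries)["ser_no"]
	fmt.Printf("double-encoded entries=%q ser_no found=%v\n", entries, found)
}
```

A consumer that wants to notice this rather than silently failing discovery can check that every decoded key is printable ASCII before looking attributes up; a key beginning with a control byte is the signature of a length octet that was never stripped.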
@knuton knuton added dependencies Pull requests that update a dependency file and removed details needed Further information requested to better evaluate changes labels Jun 18, 2026

@dividat-jgu dividat-jgu left a comment

Contributor


Looking alright, I can now replay a signal and see the Senso being connected with the CoP. 👌

@dividat-jgu dividat-jgu merged commit b44c5c5 into dividat:main Jun 18, 2026
7 checks passed
@dividat-jgu dividat-jgu removed the dependencies Pull requests that update a dependency file label Jun 18, 2026
@knuton knuton deleted the npm-deps-bump branch June 18, 2026 14:52

2 participants