Snyk: snowflake-connector-nodejs word-wrap 1.2.3 | Snyk ID - SNYK-JS-WORDWRAP-3149973

[github-actions]

Title: Snyk: snowflake-connector-nodejs word-wrap 1.2.3
Additional information on Snyk can be found here: https://snyk.io/org/snowflakedb-sca-scanning-public-repo/project/957b80fa-27c7-404f-98b8-90d7c14dc6ef
Repo: snowflake-connector-nodejs
CVE: CVE-2023-26115
Package Type: js
Package Name: word-wrap
Package Version: 1.2.3
Snyk ID: SNYK-JS-WORDWRAP-3149973
Vulnerability URL: http://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973
Severity: medium
Introduced Date: 2023-03-23
Projects with Vulnerability: snowflakedb/snowflake-connector-nodejs:package.json
Target File: package.json
JIRA Ticket: https://snowflakecomputing.atlassian.net/browse/SNOW-767109

[sfc-gh-dszmolka]

jonschlinkert/word-wrap#33

[bgswilde]

Hey Snowflake team. Any update on this from your end? I've seen past issues/prs involving urllib, but doesn't seem like you wanted to tackle this? Version 3 doesn't include the problematic dependencies that seem to be causing multiple vulnerabilities that the version you use is bringing in.

[sfc-gh-dszmolka]

hey @bgswilde apologies for not being more transparent on this one. behind the curtains we're very much busy with this so I would not say we don't want to tackle this issue.

We cannot just simply bump the urllib dependency to version 3.x and be done with it, because that would also require refactoring and testing efforts in other parts of the driver, as urllib version 3.0.0 and up comes with a breaking change.

we're considering short-term workarounds and long-term solutions to address this security issue. Will post here any updates once they are agreed-upon and available.

[bgswilde]

@sfc-gh-dszmolka thanks for the update!

[tony-snoop]

FYI: Upvoting this issue as this vulnerability is also being flagged on our end by snyk:

snowflake-sdk@1.6.22 › urllib@2.40.0 › proxy-agent@5.0.0 › pac-proxy-agent@5.0.0 › pac-resolver@5.0.1 › degenerator@3.0.4 › escodegen@1.14.3 › optionator@0.8.3 › word-wrap@1.2.3

[sfc-gh-dszmolka]

(this is still not forgotten and very much on the table. but as you can see in the original PR opened for the original word-wrap vulnerability (link), even there is a disagreement on the approach and we would like to be careful what and how to make part of our driver. thank you all for bearing with us!)

[Martin-Locker]

The direct dependent (optionator 0.9.3) uses now the fixed lib"@aashutoshrathi/word-wrap".
But I think it will be necessary to upgrade to urllib 3.x. And even that will not help, because degenerator does not use the new version of escodegen. npm hell...It is possible the get rid of urllib? There are other vulnerabilities like in semver.

Actual Problem:
-- snowflake-sdk@1.6.22 -- urllib@2.40.0
-- proxy-agent@5.0.0 -- pac-proxy-agent@5.0.0
-- pac-resolver@5.0.1 -- degenerator@3.0.4
-- escodegen@1.14.3 -- optionator@0.8.3
`-- word-wrap@1.2.3

Problem with semver (os-name is fixed, but seem not to be merged link )

+-- snowflake-sdk@1.6.22
| +-- jsonwebtoken@9.0.0
| | -- semver@7.5.1 deduped | -- urllib@2.40.0
| -- default-user-agent@1.0.0 | -- os-name@1.0.3
| -- win-release@1.1.1 | -- semver@5.7.1

[sfc-gh-dszmolka]

entirely replacing the dependency which provides the very core functionality of snowflake-sdk (talking to Snowflake over HTTP) is not a trivial task, but indeed it is on the agenda - and is not in scope for this particular Issue.
Even the urllib upgrade needs refactor due to the aforementioned breaking change.

what is in scope is fixing the word-wrap vulnerability where we on the short term will probably take the approach as everyone else out there; override the vulnerable word-wrap library with the fixed one, since the original developer doesn't seem to be merging the fix into their module.

as there's any new information will post here. thank you everyone for bearing with us !

[sfc-gh-dszmolka]

#527