Audit and fix critical and high vulnerabilities in SPFx Toolkit #655

@Saurabh7019

Description

npm audit shows 25 vulnerabilities (4 low, 11 moderate, 9 high, 1 critical) in the SPFx Toolkit repository. Most of these issues are coming from our fork of cli-microsoft365 and do not appear in the main CLI for M365 repository. This task is to review and remediate critical and high vulnerabilities.

Audit Results

Critical

  • form-data (4.0.0 - 4.0.3)
    • form-data uses unsafe random function in form-data for choosing boundary - GHSA-fjxv-7rqg-78g4
    • fix available via npm audit fix
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/form-data

High

  • axios (<=0.30.1)
    • Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
    • Axios is vulnerable to DoS attack through lack of data size check - GHSA-4hjh-wcwx-xvwj
    • axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - GHSA-jr5f-v2jv-69x6
    • No fix available
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/axios
  • braces (<3.0.3)
    • Uncontrolled resource consumption in braces - GHSA-grv7-fg5c-xmjg
    • fix available via npm audit fix
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/braces
  • cross-spawn (<6.0.6 || >=7.0.0 <7.0.5)
    • Regular Expression Denial of Service (ReDoS) in cross-spawn - GHSA-3xgq-45jj-v275
    • fix available via npm audit fix
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/cross-spawn
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/execa/node_modules/cross-spawn
  • fast-xml-parser (4.1.3 - 4.2.3)
    • fast-xml-parser vulnerable to Regex Injection via Doctype Entities - GHSA-6w63-h3fj-q4vw
    • fix available via npm audit fix
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/fast-xml-parser
  • http-cache-semantics (<4.1.1)
    • http-cache-semantics vulnerable to Regular Expression Denial of Service - GHSA-rc47-6667-2j5j
    • fix available via npm audit fix
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/http-cache-semantics
  • node-forge (<=1.3.1)
    • node-forge has ASN.1 Unbounded Recursion - GHSA-554w-wpv2-vw27
    • node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization - GHSA-5gfm-wpxj-wjgq
    • node-forge is vulnerable to ASN.1 OID Integer Truncation - GHSA-65ch-62r8-g69g
    • fix available via npm audit fix
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/node-forge
    • node_modules/node-forge
  • path-to-regexp (0.2.0 - 1.8.0)
    • path-to-regexp outputs backtracking regular expressions - GHSA-9wv6-86v2-598j
    • fix available via npm audit fix
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/path-to-regexp
  • semver (<5.7.2 || >=6.0.0 <6.3.1)
    • semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/async-listener/node_modules/semver
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/cls-hooked/node_modules/semver
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/diagnostic-channel/node_modules/semver
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/execa/node_modules/semver
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/make-dir/node_modules/semver
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/package-json/node_modules/semver
    • node_modules/@pnp/cli-microsoft365-spfx-toolkit/node_modules/semver-diff/node_modules/semver
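A triage helper for the audit above, added here as an example and not code from the SPFx Toolkit or cli-microsoft365 repositories: it reads the `npm audit --json` report shape (npm 7+, `auditReportVersion` 2), keeps only critical and high findings, splits them into "npm audit fix handles it", "needs a semver-major bump" and "no fix available", and flags packages that exist only under the fork's `node_modules` path, since those can only be fixed by bumping the fork. The report object is constructed to mirror three findings from this issue; the `placeholder-moderate` entry is a made-up package used to show the severity filter.

```javascript
// Added example: triage an `npm audit --json` report (npm 7+ format) for the
// critical/high findings in this issue. Report data below is CONSTRUCTED.
const FORK_PREFIX = 'node_modules/@pnp/cli-microsoft365-spfx-toolkit/';

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'form-data': { name: 'form-data', severity: 'critical', range: '4.0.0 - 4.0.3',
      via: [{ title: 'form-data uses unsafe random function in form-data for choosing boundary',
              url: 'https://github.com/advisories/GHSA-fjxv-7rqg-78g4' }],
      nodes: [FORK_PREFIX + 'node_modules/form-data'], fixAvailable: true },
    axios: { name: 'axios', severity: 'high', range: '<=0.30.1',
      via: [{ title: 'Axios Cross-Site Request Forgery Vulnerability',
              url: 'https://github.com/advisories/GHSA-wf5p-g6vw-rhxx' },
            { title: 'Axios is vulnerable to DoS attack through lack of data size check',
              url: 'https://github.com/advisories/GHSA-4hjh-wcwx-xvwj' }],
      nodes: [FORK_PREFIX + 'node_modules/axios'], fixAvailable: false },
    'node-forge': { name: 'node-forge', severity: 'high', range: '<=1.3.1',
      via: [{ title: 'node-forge has ASN.1 Unbounded Recursion',
              url: 'https://github.com/advisories/GHSA-554w-wpv2-vw27' }],
      nodes: [FORK_PREFIX + 'node_modules/node-forge', 'node_modules/node-forge'],
      fixAvailable: true },
    // Constructed placeholder package: a moderate finding that the filter must drop.
    'placeholder-moderate': { name: 'placeholder-moderate', severity: 'moderate',
      range: '*', via: ['placeholder-dep'], nodes: ['node_modules/placeholder-moderate'],
      fixAvailable: { name: 'placeholder-moderate', version: '2.0.0', isSemVerMajor: true } },
  },
};

const ACTIONABLE = new Set(['critical', 'high']);

function triage(report, { prefix = FORK_PREFIX, severities = ACTIONABLE } = {}) {
  const out = { autoFix: [], forceFix: [], noFix: [], onlyInFork: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    if (!severities.has(v.severity)) continue;
    // `via` mixes advisory objects with plain strings naming the package the
    // vulnerability is inherited through; only the objects carry a GHSA URL.
    const ghsa = v.via.filter(x => typeof x === 'object').map(x => x.url.split('/').pop());
    const entry = { name: v.name, severity: v.severity, range: v.range, ghsa };
    // fixAvailable is true, false, or an object describing a semver-major bump
    // that `npm audit fix` only applies with --force.
    if (v.fixAvailable === true) out.autoFix.push(entry);
    else if (v.fixAvailable) out.forceFix.push(entry);
    else out.noFix.push(entry);
    // Every install path under the fork means the fix has to land in the fork.
    if (v.nodes.every(n => n.startsWith(prefix))) out.onlyInFork.push(v.name);
  }
  return out;
}
```

On a real checkout, feed it `JSON.parse` of the `npm audit --json` output; `node-forge` lands in `autoFix` but not `onlyInFork` because it also has a top-level install path.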

Metadata

Labels

🤚 on hold: I need to wait for something else
