
security: upgrade parcel-bundler from 1.12.4 to 1.12.5 #3161


Merged
merged 1 commit into from
Apr 19, 2021

Conversation

jawnsy
Contributor

@jawnsy jawnsy commented Apr 18, 2021

Upgrade parcel-bundler due to a transitive dependency on is-svg.
This resolves CVE-2021-28092.

Notes

This issue is not flagged by audit-ci or yarn audit for some reason, but both Dependabot Alerts and Trivy flag this.

Yarn

[coder@jawnsy-m code-server]$ yarn why is-svg
=> Found "is-svg@3.0.0"
info Reasons this module exists
   - "parcel-bundler#cssnano#cssnano-preset-default#postcss-svgo" depends on it
   - Hoisted from "parcel-bundler#cssnano#cssnano-preset-default#postcss-svgo#is-svg"
Done in 0.56s.

Before

[coder@jawnsy-m code-server]$ trivy filesystem .
yarn.lock
=========
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| is-svg  | CVE-2021-28092   | HIGH     | 3.0.0             | 4.2.2         | nodejs-is-svg: ReDoS                  |
|         |                  |          |                   |               | via malicious string                  |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28092 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+

After

[coder@jawnsy-m code-server]$ trivy filesystem .
yarn.lock
=========
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

@jawnsy jawnsy self-assigned this Apr 18, 2021
Upgrade parcel-bundler due to a transitive dependency on is-svg.
This resolves CVE-2021-28092.
@jawnsy jawnsy marked this pull request as ready for review April 18, 2021 19:07
@jawnsy jawnsy requested a review from a team as a code owner April 18, 2021 19:07
Comment on lines +283 to 291
"@babel/parser@^7.12.13", "@babel/parser@^7.13.15", "@babel/parser@^7.4.4":
version "7.13.15"
resolved "https://registry.yarnpkg.com/@babel/parser/-/parser-7.13.15.tgz#8e66775fb523599acb6a289e12929fa5ab0954d8"
integrity sha512-b9COtcAlVEQljy/9fbcMHpG+UIW9ReF+gpaxDHTlZd0c6/UU9ng8zdySAW9sRTzpvcdCHn6bUcbuYUgGzLAWVQ==

"@babel/parser@^7.13.10":
version "7.13.13"
resolved "https://registry.yarnpkg.com/@babel/parser/-/parser-7.13.13.tgz#42f03862f4aed50461e543270916b47dd501f0df"
integrity sha512-OhsyMrqygfk5v8HmWwOzlYjJrtLaFhF34MrfG/Z73DgYCI6ojNUTUp2TYbtnjo8PegeJp12eamsNettCQjKjVw==
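Review bot: the second block, "@babel/parser@^7.13.10" resolved to 7.13.13, is a redundant resolution rather than a real conflict: the 7.13.15 already pinned for "^7.12.13", "^7.13.15" and "^7.4.4" in the first block also satisfies "^7.13.10", so the lockfile carries two copies of @babel/parser where one would do. Folding the "^7.13.10" range into the first block and dropping the 7.13.13 entry (the collapse yarn-deduplicate performs) would remove the duplicate; not a blocker for a security bump, but worth a follow-up.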

Thinking out loud here - is there any reason yarn resolved to both 7.13.13 and 7.13.15?

Contributor Author


@jsjoeio taught me yarn why and it seems to have the hint

[coder@jawnsy-m code-server]$ yarn why @babel/parser
yarn why v1.22.10
[1/4] Why do we have the module "@babel/parser"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "@babel/[email protected]"
info Has been hoisted to "@babel/parser"
info Reasons this module exists
   - Hoisted from "parcel-bundler#@babel#parser"
   - Hoisted from "parcel-bundler#@babel#template#@babel#parser"
   - Hoisted from "parcel-bundler#@babel#core#@babel#parser"
   - Hoisted from "parcel-bundler#@babel#traverse#@babel#parser"
info Disk size without dependencies: "1.54MB"
info Disk size with unique dependencies: "1.54MB"
info Disk size with transitive dependencies: "1.54MB"
info Number of shared dependencies: 0
=> Found "@stylelint/postcss-css-in-js#@babel/[email protected]"
info Reasons this module exists
   - "stylelint#@stylelint#postcss-css-in-js#@babel#core" depends on it
   - Hoisted from "stylelint#@stylelint#postcss-css-in-js#@babel#core#@babel#parser"
info Disk size without dependencies: "1.53MB"
info Disk size with unique dependencies: "1.53MB"
info Disk size with transitive dependencies: "1.53MB"
info Number of shared dependencies: 0
Done in 0.56s.

I did yarn upgrade parcel-bundler and then manually updated the package.json, then ran yarn install to update the lock file -- so I have no clue if this is due to the way that I updated things. I was trying to minimize changes but would be happy to also update stylelint if the duplicate dependency might be a problem here?

Comment on lines +1889 to 1903
browserslist@^4.0.0, browserslist@^4.1.0, browserslist@^4.14.5, browserslist@^4.16.3:
version "4.16.4"
resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-4.16.4.tgz#7ebf913487f40caf4637b892b268069951c35d58"
integrity sha512-d7rCxYV8I9kj41RH8UKYnvDYCRENUlHRgyXy/Rhr/1BaeLGfiCptEdFE8MIrvGfWbBFNjVYx76SQWvNX1j+/cQ==
dependencies:
caniuse-lite "^1.0.30001208"
colorette "^1.2.2"
electron-to-chromium "^1.3.712"
escalade "^3.1.1"
node-releases "^1.1.71"

browserslist@^4.12.0:
version "4.16.3"
resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-4.16.3.tgz#340aa46940d7db878748567c5dea24a48ddf3717"
integrity sha512-vIyhWmIkULaq04Gt93txdh+j02yX/JzlyhLYbV3YQCn/zvES3JnY7TifHHvvr1w5hTDluNKMkV05cs4vy8Q7sw==
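Review bot: same pattern as the @babel/parser blocks: "browserslist@^4.12.0" is resolved separately to 4.16.3, yet the 4.16.4 pinned for "^4.0.0", "^4.1.0", "^4.14.5" and "^4.16.3" satisfies "^4.12.0" as well, so the 4.16.3 entry only exists because the ranges were resolved at different times. Moving the "^4.12.0" range into the 4.16.4 block would leave a single browserslist in the lockfile.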

Similar here - there doesn't appear to be any reason to pull two different versions 🤔
I feel like this is a sign of something funny with yarn, but 🤷

@oxy

oxy commented Apr 19, 2021

I've asked on the yarn discord about the weird "duplicate" resolutions - I'll let you know when they get back.

Edit: In addition - since it's from parcel-bundler -> cssnano -> ... in devDependencies, this isn't a major security concern for any code-server users; it's just a nice-to-fix.

I think (though this is only a guess) audit-ci may only be auditing dependencies and not devDependencies.

@scinos

scinos commented Apr 19, 2021

You may want to look at https://github.com/atlassian/yarn-deduplicate to solve the duplication
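The two things this thread turns on, a vulnerable transitive version sitting in yarn.lock (the Trivy finding in the PR description) and the same package being resolved to two versions when one would satisfy every range (the @babel/parser and browserslist review comments), can both be checked from the lockfile alone. The following is an added example, not code from the code-server project, from yarn or from yarn-deduplicate: a minimal parser for the yarn v1 lockfile format with those two checks on top. It assumes caret ranges only (^x.y.z), hard-codes the single advisory stated on this page (is-svg, CVE-2021-28092, fixed in 4.2.2), and runs over a constructed lockfile excerpt built from the entries quoted in the review.

```javascript
// Added example (not code from the code-server project, yarn or yarn-deduplicate):
// a minimal parser for the yarn v1 lockfile format plus two checks built on it:
//  (a) flag a package resolved below a known fixed version (the lookup a
//      scanner such as Trivy does against its advisory database), and
//  (b) find packages the lockfile resolves to several versions although one
//      version satisfies every range (the duplication noted in the review).
// Assumptions: only caret ranges (^x.y.z) are understood; the single advisory
// below is hard-coded from the page; the lockfile text is constructed.

// Constructed sample lockfile: the two @babel/parser and two browserslist
// blocks quoted in the review, plus is-svg at the pre-upgrade version shown
// in the Trivy table. Only the fields the checks need are kept.
const SAMPLE_LOCK = `
"@babel/parser@^7.12.13", "@babel/parser@^7.13.15", "@babel/parser@^7.4.4":
  version "7.13.15"
  resolved "https://registry.yarnpkg.com/@babel/parser/-/parser-7.13.15.tgz#8e66775fb523599acb6a289e12929fa5ab0954d8"

"@babel/parser@^7.13.10":
  version "7.13.13"
  resolved "https://registry.yarnpkg.com/@babel/parser/-/parser-7.13.13.tgz#42f03862f4aed50461e543270916b47dd501f0df"

browserslist@^4.0.0, browserslist@^4.1.0, browserslist@^4.14.5, browserslist@^4.16.3:
  version "4.16.4"

browserslist@^4.12.0:
  version "4.16.3"

is-svg@^3.0.0:
  version "3.0.0"
`;

// Parse the v1 lockfile: an unindented line ending in ":" opens a block and
// lists the "name@range" specs it resolves; the indented "version" line gives
// the single version all of those ranges were resolved to.
function parseYarnLock(text) {
  const entries = []; // { name, ranges: [...], version }
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      // Scoped names start with "@", so split on the last "@" of each spec.
      const name = specs[0].slice(0, specs[0].lastIndexOf('@'));
      const ranges = specs.map(s => s.slice(s.lastIndexOf('@') + 1));
      current = { name, ranges, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

function parseVersion(v) {
  const m = v.match(/^(\d+)\.(\d+)\.(\d+)/);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Caret range: >= x.y.z with the same major; for major 0 the minor (or, for
// 0.0.z, the patch) must match too. Any other range syntax is rejected.
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`unsupported range: ${range}`);
  const lo = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (compareVersions(version, range.slice(1)) < 0) return false;
  if (lo[0] !== 0) return v[0] === lo[0];
  if (lo[1] !== 0) return v[0] === 0 && v[1] === lo[1];
  return v[0] === 0 && v[1] === 0 && v[2] === lo[2];
}

// (a) Known-fixed-version check. The advisory data is the one entry this page
// states; a real scanner would load a database here.
const ADVISORIES = [{ name: 'is-svg', id: 'CVE-2021-28092', fixed: '4.2.2' }];

function findVulnerable(entries, advisories = ADVISORIES) {
  const hits = [];
  for (const adv of advisories) {
    for (const e of entries) {
      if (e.name === adv.name && compareVersions(e.version, adv.fixed) < 0) {
        hits.push({ name: e.name, version: e.version, id: adv.id, fixed: adv.fixed });
      }
    }
  }
  return hits;
}

// (b) Duplicate resolutions: group blocks by package; if the highest resolved
// version satisfies every range across the group, the other blocks are
// redundant and could be folded into it (collapsibleTo is null otherwise).
function findDuplicates(entries) {
  const byName = new Map();
  for (const e of entries) {
    if (!byName.has(e.name)) byName.set(e.name, []);
    byName.get(e.name).push(e);
  }
  const dupes = [];
  for (const [name, group] of byName) {
    if (group.length < 2) continue;
    const versions = group.map(e => e.version).sort(compareVersions).reverse();
    const allRanges = group.flatMap(e => e.ranges);
    const best = versions.find(v => allRanges.every(r => satisfiesCaret(v, r))) || null;
    dupes.push({ name, versions, collapsibleTo: best });
  }
  return dupes;
}

function report(text) {
  const entries = parseYarnLock(text);
  return { vulnerable: findVulnerable(entries), duplicates: findDuplicates(entries) };
}

console.log(JSON.stringify(report(SAMPLE_LOCK), null, 2));
```

On the constructed excerpt the report lists is-svg 3.0.0 under CVE-2021-28092 and marks both @babel/parser and browserslist as collapsible to their higher version; the is-svg block (a single resolution) is not a duplicate. The version-range logic is deliberately the narrow caret subset, which is all the quoted lockfile entries use; a production tool would take the semver package instead of reimplementing range matching.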

@jawnsy
Contributor Author

jawnsy commented Apr 19, 2021

I think (though this is only a guess) audit-ci may only be auditing dependencies and not devDependencies.

@oxy I've seen some weirdness with yarn audit, but the docs say that it defaults to auditing all of them:

--groups <group_name> [<group_name> ...] Only audit dependencies from listed groups. Default: devDependencies, dependencies, optionalDependencies (default: devDependencies,dependencies,optionalDependencies)

And testing with the different groups seems to show different results:

[coder@jawnsy-m code-server]$ yarn audit --level=low 
yarn audit v1.22.10
0 vulnerabilities found - Packages audited: 1263
Done in 1.00s.
[coder@jawnsy-m code-server]$ yarn audit --level=low --groups devDependencies
yarn audit v1.22.10
0 vulnerabilities found - Packages audited: 1147
Done in 1.18s.
[coder@jawnsy-m code-server]$ yarn audit --level=low --groups dependencies
yarn audit v1.22.10
0 vulnerabilities found - Packages audited: 168
Done in 0.95s.
[coder@jawnsy-m code-server]$ yarn audit --level=low --groups optionalDependencies
yarn audit v1.22.10
0 vulnerabilities found - Packages audited: 0
Done in 0.86s.

@jawnsy jawnsy changed the title from "chore: upgrade parcel-bundler from 1.12.4 to 1.12.5" to "security: upgrade parcel-bundler from 1.12.4 to 1.12.5" Apr 19, 2021

@oxy oxy left a comment


Looks good! I'll see what I can do with deduplicating it in a future PR.
