
Consider removing/replacing update-notifier


This is the dependency tree I got from installing nodemon in an empty project:

└─┬ nodemon@2.0.15
  ├─┬ chokidar@3.5.2
  │ ├─┬ anymatch@3.1.2
  │ │ ├── normalize-path@3.0.0 deduped
  │ │ └── picomatch@2.3.0
  │ ├─┬ braces@3.0.2
  │ │ └─┬ fill-range@7.0.1
  │ │   └─┬ to-regex-range@5.0.1
  │ │     └── is-number@7.0.0
  │ ├── fsevents@2.3.2
  │ ├─┬ glob-parent@5.1.2
  │ │ └── is-glob@4.0.3 deduped
  │ ├─┬ is-binary-path@2.1.0
  │ │ └── binary-extensions@2.2.0
  │ ├─┬ is-glob@4.0.3
  │ │ └── is-extglob@2.1.1
  │ ├── normalize-path@3.0.0
  │ └─┬ readdirp@3.6.0
  │   └── picomatch@2.3.0 deduped
  ├─┬ debug@3.2.7
  │ └── ms@2.1.3
  ├── ignore-by-default@1.0.1
  ├─┬ minimatch@3.0.4
  │ └─┬ brace-expansion@1.1.11
  │   ├── balanced-match@1.0.2
  │   └── concat-map@0.0.1
  ├── pstree.remy@1.1.8
  ├── semver@5.7.1
  ├─┬ supports-color@5.5.0
  │ └── has-flag@3.0.0
  ├─┬ touch@3.1.0
  │ └─┬ nopt@1.0.10
  │   └── abbrev@1.1.1
  ├── undefsafe@2.0.5
  └─┬ update-notifier@5.1.0
    ├─┬ boxen@5.1.2
    │ ├─┬ ansi-align@3.0.1
    │ │ └── string-width@4.2.3 deduped
    │ ├── camelcase@6.2.1
    │ ├── chalk@4.1.2 deduped
    │ ├── cli-boxes@2.2.1
    │ ├─┬ string-width@4.2.3
    │ │ ├── emoji-regex@8.0.0
    │ │ ├── is-fullwidth-code-point@3.0.0
    │ │ └─┬ strip-ansi@6.0.1
    │ │   └── ansi-regex@5.0.1
    │ ├── type-fest@0.20.2
    │ ├─┬ widest-line@3.1.0
    │ │ └── string-width@4.2.3 deduped
    │ └─┬ wrap-ansi@7.0.0
    │   ├── ansi-styles@4.3.0 deduped
    │   ├── string-width@4.2.3 deduped
    │   └── strip-ansi@6.0.1 deduped
    ├─┬ chalk@4.1.2
    │ ├─┬ ansi-styles@4.3.0
    │ │ └─┬ color-convert@2.0.1
    │ │   └── color-name@1.1.4
    │ └─┬ supports-color@7.2.0
    │   └── has-flag@4.0.0
    ├─┬ configstore@5.0.1
    │ ├─┬ dot-prop@5.3.0
    │ │ └── is-obj@2.0.0
    │ ├── graceful-fs@4.2.8
    │ ├─┬ make-dir@3.1.0
    │ │ └── semver@6.3.0
    │ ├─┬ unique-string@2.0.0
    │ │ └── crypto-random-string@2.0.0
    │ ├─┬ write-file-atomic@3.0.3
    │ │ ├── imurmurhash@0.1.4
    │ │ ├── is-typedarray@1.0.0
    │ │ ├── signal-exit@3.0.6
    │ │ └─┬ typedarray-to-buffer@3.1.5
    │ │   └── is-typedarray@1.0.0 deduped
    │ └── xdg-basedir@4.0.0 deduped
    ├── has-yarn@2.1.0
    ├── import-lazy@2.1.0
    ├─┬ is-ci@2.0.0
    │ └── ci-info@2.0.0
    ├─┬ is-installed-globally@0.4.0
    │ ├─┬ global-dirs@3.0.0
    │ │ └── ini@2.0.0
    │ └── is-path-inside@3.0.3
    ├── is-npm@5.0.0
    ├── is-yarn-global@0.3.0
    ├─┬ latest-version@5.1.0
    │ └─┬ package-json@6.5.0
    │   ├─┬ got@9.6.0
    │   │ ├── @sindresorhus/is@0.14.0
    │   │ ├─┬ @szmarczak/http-timer@1.1.2
    │   │ │ └── defer-to-connect@1.1.3
    │   │ ├─┬ cacheable-request@6.1.0
    │   │ │ ├─┬ clone-response@1.0.2
    │   │ │ │ └── mimic-response@1.0.1 deduped
    │   │ │ ├─┬ get-stream@5.2.0
    │   │ │ │ └── pump@3.0.0 deduped
    │   │ │ ├── http-cache-semantics@4.1.0
    │   │ │ ├─┬ keyv@3.1.0
    │   │ │ │ └── json-buffer@3.0.0
    │   │ │ ├── lowercase-keys@2.0.0
    │   │ │ ├── normalize-url@4.5.1
    │   │ │ └─┬ responselike@1.0.2
    │   │ │   └── lowercase-keys@1.0.1 deduped
    │   │ ├─┬ decompress-response@3.3.0
    │   │ │ └── mimic-response@1.0.1 deduped
    │   │ ├── duplexer3@0.1.4
    │   │ ├─┬ get-stream@4.1.0
    │   │ │ └─┬ pump@3.0.0
    │   │ │   ├─┬ end-of-stream@1.4.4
    │   │ │   │ └── once@1.4.0 deduped
    │   │ │   └─┬ once@1.4.0
    │   │ │     └── wrappy@1.0.2
    │   │ ├── lowercase-keys@1.0.1
    │   │ ├── mimic-response@1.0.1
    │   │ ├── p-cancelable@1.1.0
    │   │ ├── to-readable-stream@1.0.0
    │   │ └─┬ url-parse-lax@3.0.0
    │   │   └── prepend-http@2.0.0
    │   ├─┬ registry-auth-token@4.2.1
    │   │ └─┬ rc@1.2.8
    │   │   ├── deep-extend@0.6.0
    │   │   ├── ini@1.3.8
    │   │   ├── minimist@1.2.5
    │   │   └── strip-json-comments@2.0.1
    │   ├─┬ registry-url@5.1.0
    │   │ └── rc@1.2.8 deduped
    │   └── semver@6.3.0
    ├─┬ pupa@2.1.1
    │ └── escape-goat@2.1.1
    ├─┬ semver-diff@3.1.1
    │ └── semver@6.3.0
    ├─┬ semver@7.3.5
    │ └─┬ lru-cache@6.0.0
    │   └── yallist@4.0.0
    └── xdg-basedir@4.0.0

update-notifier pulls in more dependencies than the rest of nodemon.

I personally think that the drawbacks of keeping it outweigh the benefits:

  1. The attack surface is increased, and having many dependencies makes it harder to vet the nodemon dependency tree.
    • Over the years, several vulnerability reports for nodemon dependencies have come from the update-notifier tree. Not all of the vulnerabilities affect nodemon, but again, it’s not easy to immediately tell.
    • Dependency chain attacks are becoming more common.
    • Currently, npm outdated reports that about 70 requirements are at least 1 major version behind. I’m sure that some of the updates are not currently necessary, but perhaps they will be soon.
  2. In the ~8 years since update-notifier was added, the ecosystem has improved visibility and handling of dependency updates. We have npm outdated and yarn upgrade-interactive, and npx nodemon without an explicit dependency will try to run the latest version by default.

Thoughts?
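One way to put a number on the claim that update-notifier accounts for most of the install: walk the JSON that npm ls --all --json prints and count the distinct packages under each direct dependency. This is an added example, not code from the nodemon issue or the nodemon project; sampleTree is a hand-constructed miniature of the tree above, not real nodemon output.

```javascript
// Added example, not code from the nodemon issue: count how many distinct packages each
// direct dependency pulls in, from the object shape `npm ls --all --json` prints
// ({ name, version, dependencies: { <name>: { version, dependencies } } }).
// sampleTree is hand-constructed to mirror the issue's tree; it is NOT real nodemon output.
const sampleTree = {
  name: 'nodemon', version: '2.0.15',
  dependencies: {
    chokidar: { version: '3.5.2', dependencies: {
      anymatch: { version: '3.1.2', dependencies: { picomatch: { version: '2.3.0' } } },
      readdirp: { version: '3.6.0', dependencies: { picomatch: { version: '2.3.0' } } },
    } },
    debug: { version: '3.2.7', dependencies: { ms: { version: '2.1.3' } } },
    'update-notifier': { version: '5.1.0', dependencies: {
      boxen: { version: '5.1.2', dependencies: {
        chalk: { version: '4.1.2' },
        'string-width': { version: '4.2.3', dependencies: { 'strip-ansi': { version: '6.0.1' } } },
      } },
      'latest-version': { version: '5.1.0', dependencies: {
        'package-json': { version: '6.5.0', dependencies: { got: { version: '9.6.0' } } },
      } },
      semver: { version: '7.3.5' },
    } },
  },
};
// Depth-first walk collecting every distinct name@version below `node`; a package that
// appears twice in the same subtree (picomatch under chokidar) is counted once.
function collect(node, acc = new Set()) {
  for (const [name, child] of Object.entries(node.dependencies ?? {})) {
    acc.add(`${name}@${child.version}`);
    collect(child, acc);
  }
  return acc;
}
// Per direct dependency: packages it brings in (itself included) and its share of the
// whole install; `total` is the distinct package count for the entire tree.
function transitiveCounts(tree) {
  const total = collect(tree).size;
  const perDirect = {};
  for (const [name, child] of Object.entries(tree.dependencies ?? {})) {
    const count = collect(child).size + 1;
    perDirect[name] = { count, share: count / total };
  }
  return { perDirect, total };
}
const { perDirect, total } = transitiveCounts(sampleTree);
for (const [name, { count, share }] of Object.entries(perDirect).sort((a, b) => b[1].count - a[1].count)) {
  console.log(`${name.padEnd(16)} ${count} of ${total} packages (${Math.round(100 * share)}%)`);
}
```

For a real project, replace sampleTree with JSON.parse of the npm ls --all --json output; the per-subtree dedup means a package shared by two direct dependencies is charged to both, which is the right view when asking what removing one of them would save.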

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 22
  • Comments: 14 (4 by maintainers)

Top GitHub Comments

jimmywarting commented, Feb 18, 2022 (6 reactions)

I would rather have something small and dependency-free like this running each and every time than have to load 84 modules and risk getting any security issues

const fs = require('node:fs/promises') // the promise-based API lives under fs/promises, not fs/promise
const https = require('node:https')

// Fetch the registry metadata for nodemon and compare its "latest" dist-tag
// against the version recorded in this package's own package.json.
https.get('https://registry.npmjs.org/nodemon', async response => {
    let body = ''
    for await (const chunk of response) body += chunk
    const json = JSON.parse(body)
    // drop any prerelease suffix (e.g. "-beta.1") before comparing
    const latest = json['dist-tags']['latest'].split('-')[0]
    const pkg = await fs.readFile(`${__dirname}/../../package.json`, 'utf8')
    const pkgJson = JSON.parse(pkg)
    // numeric collation so "2.0.15" sorts after "2.0.2"; a positive result means
    // the registry version is newer than the installed one
    if (latest.localeCompare(pkgJson.version, 'en', {numeric: true}) > 0) {
        console.info(`New version of nodemon is available, update to ${latest}`)
    }
}).on('error', () => {}) // a failed update check must never crash nodemon itself

// haven't tested this code but should work

but preferably nothing at all - just run: npm deprecate nodemon@2.0.2 "new version available, update to 2.1.0"

every sub-dependency that you have no control over is a potential security risk

aledalgrande commented, Jan 4, 2022 (6 reactions)

Just my 2c, but I agree with OP. Currently update-notifier has vulnerabilities in its dependencies, some that don’t seem to be actively maintained (e.g. https://github.com/nexdrew/ansi-align/issues/61).

Yes, it adds the ability to automatically notify, but we have other specialized tools for that nowadays that run in CI. What we don’t have right now is the ability to update that ansi dep that has a security issue. Removing so many dependencies from Nodemon would increase security considerably.

Let me know what you think and if you need help.

