Ghost-cli v1.27; npm vulnerabilities

After updating ghost cms today to v5.109.5, I saw that ghost-cli also had an update available, so I updated it as well.

$ uname -a
FreeBSD sojourner 14.2-RELEASE-p1 FreeBSD 14.2-RELEASE-p1 GENERIC amd64
$ node -v
v20.18.1
$ npm -v
10.9.2
  1. Noticed that the note to update ghost-cli doesn’t seem to interfere with the ghost cms update and thought that was odd?! CLI update is not a prerequisite to updating CMS? There’s no option in the CMS update workflow logic. You know best, I’m just curious if that’s an oversight?
  2. Updating ghost-cli output a list of 10 vulnerabilities in dependencies that I wanted to run by you to see how I can handle these, whether these are on your radar and maybe not relevant or …?
$ npm list
sojourner@ /usr/local/www/sojourner
├── ghost-cli@1.27.0
├── libvips@0.0.2
└── sharp@0.33.0

Are you aware of these vulnerabilities?
I ran npm audit fix prior to the output below, didn’t want to --force it though.

$ npm audit
# npm audit report

got  <=11.8.3
**Severity: high**
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install ghost-cli@0.0.2, which is a breaking change
node_modules/download/node_modules/got
node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/download
  ghost-cli  *
  Depends on vulnerable versions of download
  Depends on vulnerable versions of got
  Depends on vulnerable versions of latest-version
  Depends on vulnerable versions of moment
  Depends on vulnerable versions of mysql2
  Depends on vulnerable versions of validator
  node_modules/ghost-cli
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/latest-version/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version

http-cache-semantics  <4.1.1
**Severity: high**
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install ghost-cli@0.0.2, which is a breaking change
node_modules/download/node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/download/node_modules/cacheable-request

moment  <=2.29.3
**Severity: high**
Moment.js vulnerable to Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
fix available via `npm audit fix --force`
Will install ghost-cli@0.0.2, which is a breaking change
node_modules/moment

mysql2  <=3.9.7
**Severity: critical**
mysql2 Remote Code Execution (RCE) via the readCodeFor function - https://github.com/advisories/GHSA-fpw7-j2hg-69v5
MySQL2 for Node Arbitrary Code Injection - https://github.com/advisories/GHSA-4rch-2fh8-94vw
mysql2 vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-pmh2-wpjm-fj45
mysql2 cache poisoning vulnerability - https://github.com/advisories/GHSA-mqr2-w7wj-jjgr
mysql2 vulnerable to Prototype Poisoning - https://github.com/advisories/GHSA-49j4-86m8-q2jw
fix available via `npm audit fix --force`
Will install ghost-cli@0.0.2, which is a breaking change
node_modules/mysql2

validator  <13.7.0
**Severity: moderate**
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
fix available via `npm audit fix --force`
Will install ghost-cli@0.0.2, which is a breaking change
node_modules/validator

10 vulnerabilities (4 moderate, 4 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Any suggestions on how to resolve these issues would be greatly appreciated.
~ Cheers :blush:

Ghost defines the required CLI version in its package.json; the CLI should prevent you from updating if it doesn’t meet this requirement. Note that e.g. you might need to use an older CLI version when installing older versions of Ghost, so it wouldn’t be good if the CLI required you to be on the latest version.

The Core team has historically stated that they track security advisories internally and update as required. Unfortunately npm audit has some flaws such as surfacing potentially non-issues to end users.

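The audit output above reports every advisory as fixable only via `npm audit fix --force`, which would "fix" things by moving ghost-cli to 0.0.2, a semver-major downgrade. As an added example (not from this thread or from Ghost), the following Python script triages the JSON form of the same report (`npm audit --json`, assuming npm 7+'s auditReportVersion 2 layout) and separates advisories that have a non-breaking fix from those that can only be resolved by an upstream release of the top-level package; the sample report is constructed from two entries of the thread's output plus one made-up package.

```python
import json

# Constructed sample report (npm 7+ `npm audit --json`, auditReportVersion 2):
# two entries taken from the thread's output plus one made-up package
# ("constructed-pkg") that has a clean, non-breaking fix.
SAMPLE_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "mysql2": {"name": "mysql2", "severity": "critical", "isDirect": False,
               "via": [{"title": "mysql2 Remote Code Execution (RCE) via the readCodeFor function",
                        "url": "https://github.com/advisories/GHSA-fpw7-j2hg-69v5",
                        "severity": "critical", "range": "<=3.9.7"}],
               "effects": ["ghost-cli"], "range": "<=3.9.7",
               "fixAvailable": {"name": "ghost-cli", "version": "0.0.2", "isSemVerMajor": True}},
    "ghost-cli": {"name": "ghost-cli", "severity": "critical", "isDirect": True,
                  "via": ["mysql2"], "effects": [], "range": "*",
                  "fixAvailable": {"name": "ghost-cli", "version": "0.0.2", "isSemVerMajor": True}},
    "constructed-pkg": {"name": "constructed-pkg", "severity": "moderate", "isDirect": True,
                        "via": [{"title": "constructed advisory", "severity": "moderate",
                                 "url": "https://example.invalid/GHSA-constructed", "range": "<1.2.3"}],
                        "effects": [], "range": "<1.2.3", "fixAvailable": True}}})


def top_level_dependents(vulns, name, seen=None):
    """Walk `effects` upward to the packages nothing else depends on (the roots)."""
    seen = set() if seen is None else seen
    if name in seen:  # guard against cycles in the effects graph
        return set()
    seen.add(name)
    effects = vulns.get(name, {}).get("effects", [])
    if not effects:
        return {name}
    return set().union(*(top_level_dependents(vulns, e, seen) for e in effects))


def triage(report_json):
    """One record per package that carries an advisory itself; string `via`
    entries (like ghost-cli's) only mirror a dependency's problem and are skipped."""
    vulns = json.loads(report_json)["vulnerabilities"]
    rows = []
    for name, v in vulns.items():
        advisories = [a for a in v["via"] if isinstance(a, dict)]
        if not advisories:
            continue
        fix = v.get("fixAvailable")
        breaking = isinstance(fix, dict) and bool(fix.get("isSemVerMajor"))
        fix_kind = "none" if not fix else ("breaking" if breaking else "non-breaking")
        rows.append({"package": name, "severity": v["severity"], "direct": v["isDirect"],
                     "roots": sorted(top_level_dependents(vulns, name)),
                     "urls": [a["url"] for a in advisories], "fix": fix_kind,
                     # A breaking fix for a transitive dep (the ghost-cli@0.0.2 "downgrade") cannot
                     # be applied locally without breaking the root; it needs an upstream release.
                     "needs_upstream_release": fix_kind != "non-breaking" and not v["isDirect"]})
    return sorted(rows, key=lambda r: r["package"])
```

Rows flagged `needs_upstream_release` are the ones to track against the root package's release notes rather than act on with `--force`.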

Thanks for writing, Vikas :grinning:

So there is a ghost-cli update but I don’t seem to be able to upgrade …

$ ghost version

Ghost-CLI version: 1.26.1
Ghost version: 5.109.6

So is the ghost-cli upgrade failure normal at this point?

$ npm install ghost-cli@latest

up to date, audited 604 packages in 6s

154 packages are looking for funding
  run `npm fund` for details

10 vulnerabilities (4 moderate, 4 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Do I wait for some point in the future where both ghost and cli will rectify their versions and dependencies et al?

PS: I don’t install globally

This usually occurs when you have multiple versions of the CLI installed - whereis ghost will show you :slight_smile:

If I install a package locally, I usually have to use the package manager to run (e.g. yarn ghost ... - not sure what it is for npm :grimacing:) Ghost, is that not required for you?

$ whereis ghost
ghost: /home/huibuh/.npm-global/bin/ghost

Grok just suggested that I run

$ npm install ghost-cli@latest --no-audit

Note: running npm as the user that also runs ghost cms

That approach negated the vulnerability errors but also didn’t upgrade cli to v1.27.

If it’s not critical, then I can wait until this all rectifies itself unless it won’t?

Is yarn a better approach than using npm? If so, I’m happy to get rid of npm and would need to know how to replace it with yarn and the proper way of using it to manage … maybe ghost.org has some notes on that?

… got instructions from Grok on how to set up yarn … I’ll close this post if that solves the problem :smirk:

nvm turned out to be more of a pain in the ass as one thing after another went sideways - for one, it appears to be hellbent on using gcc and no matter how specific Grok & I got in running configure, it just refused to accept to use clang. I’m not installing gcc.

So I completely cleaned up and in my usual caveman style, ripped out all node, node-npm and all user level config directories and reinstalled node, node-npm, yarn and ghost-cli …

… now running a most squeaky clean server I’ve had yet. AND ghost-cli, for some reason, is now at version 1.27!

Mission accomplished - LOL
