Babel CLI vulnerability in Javascript ES6 generator
Created by: freemanchen
Description
The babel upgrades done to the Javascript Flowtyped generator are needed in the Javascript ES6 generator as well. The 6.26.0 version of babel-cli causes a lot of npm audit vulnerabilities.
openapi-generator version
Using the latest 4.0.3 release, ES6 Javascript generator
OpenAPI declaration file content or url
Command line used for generation
Running the following command in a CI step:
OPENAPI_GENERATOR_VERSION=4.0.3 \
openapi-generator-cli generate \
-i $OPENAPI_SPEC \
-g javascript \
-o $HOME/temp-build/codegen/ \
--additional-properties usePromises=true \
--additional-properties projectName="[...]" \
--additional-properties modelPropertyNaming="camelCase"
Running an npm audit returns many vulnerabilities similar to the following:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ braces │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.3.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ babel-cli │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ babel-cli > chokidar > anymatch > micromatch > braces │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/786 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Steps to reproduce
- Generate an ES6 Javascript client
- Run npm install
- npm audit will warn about vulnerabilities due to dependencies of babel-cli
Related issues/PRs
https://github.com/OpenAPITools/openapi-generator/pull/3121
Fixed for the Javascript-Flowtyped generator in this previous PR by upgrading to @babel/cli: ^7.0.0 along with other related packages.
Suggest a fix/enhancement
Upgrade the same babel packages for the Javascript ES6 generator here: https://github.com/OpenAPITools/openapi-generator/blob/master/modules/openapi-generator/src/main/resources/Javascript/es6/package.mustache