npm reports high severity issue in gltf-transform/cli dependency chain #674

Closed
hybridherbst opened this issue Sep 7, 2022 · 3 comments
Labels: bug (Something isn't working), dependencies (Pull requests and issues related to dependencies), package:cli

Comments

@hybridherbst

Describe the bug
npm complains about high-severity issues in @gltf-transform/cli:

[screenshot of the npm audit output, not reproduced here]

To Reproduce
Steps to reproduce the behavior:

  1. install @gltf-transform/cli

Expected behavior
No high-severity errors, these are scary, and then things break when people actually run the audit fix...

hybridherbst added the bug label Sep 7, 2022
@donmccurdy (Owner)

Hi @hybridherbst!

I'll have to admit I take a pretty dim view of npm audit (see “npm audit: Broken by design”). I've never seen it catch an actual vulnerability in a project I've worked on, in many years of reading its audits. The "high severity" threat model is typically:

If you are using {library} in a production server, loading arbitrary data sent from malicious users, and then passing that data into {unspecified method} of {dependency}, then your server might be slowed down by a very complex Regular Expression, effectively taking the server offline.

It will flag these DDoS errors on everything, including dependencies used only by the developer when compiling the project, where no end-user input is possible.

More practically — if you're processing inputs from untrusted users in a privileged production server environment, be very careful, and validate all inputs. There are various risks here that go beyond what glTF-Transform can realistically protect against (see: "JPEG malware"). I can say more about this privately, if applicable. If you are not processing inputs from untrusted users, your main concern is a dependency being replaced by malware, and these will be stripped from npm, not flagged in audits.

glTF-Transform is configured with Renovate, and dependencies are automatically updated when compatible bug and security fixes are available. At any given time there will probably be some warnings from npm audit of varying severity, but as new versions of the vulnerable dependencies are released, they will be pulled into this project.

At the moment, it appears that my dependency on Caporal is the root of most of these audit warnings. I've nudged them about the issue (mattallty/Caporal.js#243) but can't be sure when/if that will be updated.

Aside, I would encourage using the glTF-Transform programmatic API, rather than the CLI, in a server environment. This will improve performance, and eliminates many dependencies.
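An added example, not code from the glTF-Transform project or from anyone in this thread, of the triage the comment above implies: deciding whether a package that npm audit flags is reachable from the application's production dependencies or only through dev-time tooling such as a CLI. It walks the `packages` map of a package-lock.json (lockfile v2/v3 layout) from the root `dependencies` using Node's nested-then-parent `node_modules` resolution, and cross-checks the answer against the lockfile's own `dev: true` flag. The lockfile, package names, versions and findings below are constructed placeholders, not real packages or advisories.

```javascript
// Added example: classify audit findings by production reachability.
// Lockfile layout follows package-lock.json v2/v3 ("packages" keyed by path).
// All names, versions and findings are constructed for illustration.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "app-core": "^1.0.0" },
      devDependencies: { "app-cli": "^1.0.0" },
    },
    "node_modules/app-core": { version: "1.0.0", dependencies: { "shared-util": "^2.0.0" } },
    "node_modules/shared-util": { version: "2.0.0" },
    "node_modules/app-cli": { version: "1.0.0", dev: true, dependencies: { "cli-framework": "^3.0.0" } },
    "node_modules/cli-framework": {
      version: "3.0.0",
      dev: true,
      dependencies: { "regex-helper": "^4.0.0", "shared-util": "^2.0.0" },
    },
    "node_modules/regex-helper": { version: "4.0.0", dev: true },
  },
};

// Constructed findings in the shape a triage script would extract from `npm audit --json`.
const SAMPLE_FINDINGS = [
  { name: "regex-helper", severity: "high", title: "ReDoS (constructed)" },
  { name: "shared-util", severity: "moderate", title: "prototype pollution (constructed)" },
  { name: "not-installed", severity: "low", title: "stale advisory (constructed)" },
];

// Resolve `depName` as Node would from the package at `fromPath`:
// try the nearest nested node_modules, then walk up to the root.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Set of lockfile paths reachable from the root's production dependencies
// (regular + optional edges; dev edges are deliberately not followed).
function productionReachable(lock) {
  const packages = lock.packages;
  const root = packages[""] || {};
  const reachable = new Set();
  const stack = [];
  for (const name of Object.keys(root.dependencies || {})) {
    const p = resolveDep(packages, "", name);
    if (p) stack.push(p);
  }
  while (stack.length) {
    const path = stack.pop();
    if (reachable.has(path)) continue;
    reachable.add(path);
    const entry = packages[path];
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const p = resolveDep(packages, path, name);
      if (p) stack.push(p);
    }
  }
  return reachable;
}

// Split findings into production-reachable, dev-only and not-installed buckets,
// recording whether the lockfile's `dev` flag agrees with the graph walk.
function triageFindings(lock, findings) {
  const packages = lock.packages;
  const reachable = productionReachable(lock);
  const out = { production: [], devOnly: [], unknown: [] };
  for (const f of findings) {
    const paths = Object.keys(packages).filter(
      (p) => p !== "" && (p === `node_modules/${f.name}` || p.endsWith(`/node_modules/${f.name}`))
    );
    if (paths.length === 0) {
      out.unknown.push({ ...f, paths });
      continue;
    }
    const inProd = paths.some((p) => reachable.has(p));
    const lockSaysDevOnly = paths.every((p) => packages[p].dev === true);
    const record = { ...f, paths, lockDevFlagAgrees: inProd !== lockSaysDevOnly };
    (inProd ? out.production : out.devOnly).push(record);
  }
  return out;
}

console.log(JSON.stringify(triageFindings(SAMPLE_LOCK, SAMPLE_FINDINGS), null, 2));
```

The graph walk matters because a package can sit under both a dev-only root and a production root (`shared-util` above is pulled in by the CLI framework and by the core library); the lockfile's `dev` flag already encodes this, so the two should agree, and a disagreement points at a hand-edited or stale lockfile. For the coarse version of the same check, npm itself accepts `npm audit --omit=dev` (npm 8 and later), which drops findings that are only reachable through devDependencies.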

donmccurdy added the dependencies, package:cli and bug labels and removed the bug label Sep 7, 2022
@hybridherbst (Author)

hybridherbst commented Sep 7, 2022

Thanks for the elaborate response! I generally agree on npm audit but it seems some people are looking very carefully at the "high severity" things being logged by npm.

I'd like to get rid of the /cli dependency, but I think I must be missing something; I opened

for that.

@donmccurdy (Owner)

Unfortunately it seems that I can't do much directly about this, unless someone responds on the Caporal thread. I don't see any reason to believe there is a real vulnerability, just the usual npm noise, though I do understand why clients would want a clean npm audit.

Unless a more appealing CLI framework than Caporal appears (I haven't found one so far), I think the time is probably better spent on trying to support KTX2/Basis compression without requiring a CLI environment, so I'll close this issue in favor of:
