a high severity vulnerability introduced in highcharts-export-server #295
Comments
Hello, Thank you for reporting the problem. We are currently in the middle of implementing some big changes for the export server - changing from outdated PhantomJS to Puppeteer. A beta version for testing is expected later this year. The transition is planned for Q4 2021 - Q1 2022. Because of this, all minor fixes are placed on hold and will be picked up after the transition - in case the transition itself won't fix the problems. If the problem that you have currently is critical for security reasons it will be fixed right away, but other problems will have to wait a bit. While waiting we will be trying to suggest a workaround solution for you. Thank you for your patience and understanding. The transition explained above should resolve this problem.
@KacperMadej Any update on the above transition planned for Q4 2021 - Q1 2022?
The transition will not be done in Q4 2021. There is no update - Q1 2022 is still the target.
@KacperMadej is Q1 2022 still the target to be achieved? (My question is because there is only a month left) Are there any updates about the transition? Thanks in advance for the info
Yes, the current internal ETA is about 3 weeks, so if everything goes well it will be published around the end of March and the beginning of April. The possibility of going into Q2 is "moderate to high", but we are actively working on the code - it will be published when safe and ready.
@KacperMadej Oh man, just hoping you're right!! :) We're waiting for the good news! Still wondering if it will come in time..
Hi! Just hit this vulnerability. Didn't see the version 3 released. What is the state of that release? Thanks
We're trying hard to reduce vulnerabilities in the latest Puppeteer-based version of the Export Server and this should no longer be a problem. I encourage you to try it out, here's a short setup guide: https://github.com/highcharts/node-export-server#puppeteer-version-information Please feel free to report any problems you encounter with the newest version and we will investigate it.
Hi, @cvasseng, a vulnerability https://www.npmjs.com/advisories/1464 is introduced in highcharts-export-server via:
● highcharts-export-server@2.1.0 ➔ phantomjs-prebuilt@2.1.14 ➔ request@2.79.0 ➔ hawk@3.1.3 ➔ cryptiles@2.0.5
phantomjs-prebuilt is a legacy package. It has not been maintained for about 3 years, and is not likely to be updated.
Is it possible to migrate phantomjs-prebuilt to other package to remediate this vulnerability?
I noticed several migration records for phantomjs-prebuilt in other js repos, such as
Are there any efforts planned that would remediate this vulnerability or migrate recompose?
Thanks
; )