Preferred upgrade method for apostrophe core

If this is in the docs or how-tos I couldn’t find it () but is there a apostrophe-cli helper command or preferred method to upgrade the core apostrophe package, or is that simply done via npm?

Similarly, is there a preferred method for upgrading the dependencies of the core package? Even on the most recent version of the core package (v2.99), it seems the mongoDB dependency has “high risk” security vulnerabilities.

You’d do that with npm. The CLI commands are mostly around setting up the project and adding new modules. Again, npm audit fix is one way to update dependencies. But if core has security flags that’s something to report in an issue for us to get fixed.

How would I flag it as an issue? These are the issues with v2.99

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ mongodb                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.13                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ apostrophe                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ apostrophe > connect-mongo > mongodb                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1203                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ mongodb                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.13                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ apostrophe                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ apostrophe > mongodb                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1203                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Also just to have it here, the lodash dependency has vulnerabilities too

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ apostrophe                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ apostrophe > joinr > lodash                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ apostrophe                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ apostrophe > moog-require > lodash                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ apostrophe                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ apostrophe > moog-require > moog > lodash                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ apostrophe                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ apostrophe > uploadfs > lodash                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ apostrophe-headless                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ apostrophe-headless > lodash                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

I assume you’re on the lastest version. I don’t see the lodash warnings using npm audit. Apostrophe uses a patched version of lodash 3 due to lodash 3 end of life support.

I meant to add it as an issue in Github. I’ve gone ahead and added it: https://github.com/apostrophecms/apostrophe/issues/2079. Feel free to add any comments needed. You can read there that the vulnerabilities aren’t immediate problems in the project since it doesn’t use the vulnerable methods.

Hi Matt,

npm update is the correct command. Your dependencies in package.json should use the “^”, like “^2.99.0”, so that any updates to the minor or patchlevel version are automatically brought in by “npm update”.

As for those vulnerabilities, the mongodb vulnerability you’re talking about does not apply to apostrophe, but unfortunately “npm audit” has no tools for creating a “safelist” of irrelevant vulnerabilities. So we wrote our own, and if you check out the apostrophe repo from github and run “npm run audit” there, you will not get an error (unless there is a new, un-safelisted vulnerability, of course).

Specifically, the mongodb vulnerability only applies to software that lets end users type in their own MongoDB collection names. We never allow that. It would be a large bc break, and/or a big retro wrapper effort, to move to the mongo 3.x driver in apostrophe 2.x just to kill this warning. We are trying to get the attention of the npm team to implement a safelist feature for npm audit.