chore: remove indirect node dependencies

Author: marco-ippolito

tools/eol_cve/eol-cve.csv

@@ -1,19 +1,4 @@
 cve,vulnerable,patched,affectedEOL
-CVE-2017-1000381,"8.x || 7.x || 4.x || 6.x || 5.x","^8.1.4 || ^7.10.1 || ^4.8.4 || ^6.11.1","5.x || 7.x"
-CVE-2017-3731,"4.x || 5.x || 6.x || 7.x","^4.7.3 || ^6.9.5 || ^7.5.0",5.x
-CVE-2017-3732,"4.x || 5.x || 6.x || 7.x","^4.7.3 || ^6.9.5 || ^7.5.0",5.x
-CVE-2016-7055,"4.x || 5.x || 6.x || 7.x","^4.7.3 || ^6.9.5 || ^7.5.0",5.x
-CVE-2016-9551,^7.1.0,^7.2.0,5.x
-CVE-2016-9840,"4.x || 5.x || 6.x || 7.x","^4.8.2 || ^6.10.2 || ^7.6.0",5.x
-CVE-2016-9841,"4.x || 5.x || 6.x || 7.x","^4.8.2 || ^6.10.2 || ^7.6.0",5.x
-CVE-2016-9842,"4.x || 5.x || 6.x || 7.x","^4.8.2 || ^6.10.2 || ^7.6.0",5.x
-CVE-2016-9843,"4.x || 5.x || 6.x || 7.x","^4.8.2 || ^6.10.2 || ^7.6.0",5.x
-CVE-2016-5172,6.x,^6.9.0,5.x
-CVE-2016-6304,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x
-CVE-2016-2183,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x
-CVE-2016-6303,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x
-CVE-2016-2178,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x
-CVE-2016-6306,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x
 CVE-2016-5325,"6.x || 4.x || 5.x","^6.7.0 || ^4.6.0",5.x
 CVE-2016-7099,"6.x || 4.x || 5.x","^6.7.0 || ^4.6.0",5.x
 CVE-2017-14849,8.5.0,^8.6.0,"5.x || 7.x"
@@ -35,14 +20,6 @@ CVE-2018-12122,"6.x || 8.x || 10.x || 11.x","^6.15.0 || ^8.14.0 || ^10.14.0 || ^
 CVE-2018-12123,"6.x || 8.x || 10.x || 11.x","^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0","4.x || 5.x || 7.x || 9.x"
 CVE-2019-5737,"6.x || 8.x || 10.x || 11.x","^6.17.0 || ^8.15.1 || ^10.15.2 || ^11.10.1","4.x || 5.x || 7.x || 9.x"
 CVE-2019-5739,6.x,^6.17.0,"4.x || 5.x"
-CVE-2019-9511,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x"
-CVE-2019-9512,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x"
-CVE-2019-9513,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x"
-CVE-2019-9514,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x"
-CVE-2019-9515,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x"
-CVE-2019-9516,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x"
-CVE-2019-9517,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x"
-CVE-2019-9518,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x"
 CVE-2019-15604,"10.x || 12.x || 13.x","^10.19.0 || ^12.15.0 || ^13.8.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x"
 CVE-2019-15605,"10.x || 12.x || 13.x","^10.19.0 || ^12.15.0 || ^13.8.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x"
 CVE-2019-15606,"10.x || 12.x || 13.x","^10.19.0 || ^12.15.0 || ^13.8.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x"
@@ -52,33 +29,20 @@ CVE-2020-8252,"10.x || 12.x || 14.x","^10.22.1 || ^12.18.4 || ^14.9.0","4.x || 5
 CVE-2020-8277," 12.x || 14.x || 15.x"," ^12.19.1 || ^14.15.1 || 15.2.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
 CVE-2020-8265,"10.x || 12.x || 14.x || 15.x","^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
 CVE-2020-8287,"10.x || 12.x || 14.x || 15.x","^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
-CVE-2020-1971,"10.x || 12.x || 14.x || 15.x","^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
 CVE-2021-22883," 10.x || 12.x || 14.x || 15.x"," ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
 CVE-2021-22884," 10.x || 12.x || 14.x || 15.x"," ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
-CVE-2021-23840," 10.x || 12.x || 14.x || 15.x"," ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
-CVE-2021-3450," 10.x || 12.x || 14.x || 15.x"," ^10.24.1 || ^12.22.1 || ^14.16.1 || ^15.14.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
-CVE-2021-3449," 10.x || 12.x || 14.x || 15.x"," ^10.24.1 || ^12.22.1 || ^14.16.1 || ^15.14.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
-CVE-2020-7774," 10.x || 12.x || 14.x"," ^10.24.1 || ^12.22.1 || ^14.16.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
 CVE-2021-22930," 12.x || 14.x || 16.x"," ^12.22.4 || ^14.17.4 || ^16.6.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-22921," 12.x || 14.x || 16.x"," ^12.22.2 || ^14.17.2 || ^16.4.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
-CVE-2021-27290, 12.x, ^12.22.2,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x"
-CVE-2021-23362, 12.x, ^12.22.2,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x"
 CVE-2021-22918," 12.x || 14.x || 16.x"," ^12.22.2 || ^14.17.2 || ^16.4.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-22931,"12.x || 14.x || 16.x","^12.22.5 || ^14.17.5 || ^16.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-22940,"12.x || 14.x || 16.x","^12.22.5 || ^14.17.5 || ^16.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-22939,"12.x || 14.x || 16.x","^12.22.5 || ^14.17.5 || ^16.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
-CVE-2021-37701," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x"
-CVE-2021-37712," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x"
-CVE-2021-37713," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x"
-CVE-2021-39134," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x"
-CVE-2021-39135," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x"
 CVE-2021-22959,"12.x || 14.x || 16.x"," ^12.22.7 || ^14.18.1 || ^16.11.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-22960,"12.x || 14.x || 16.x"," ^12.22.7 || ^14.18.1 || ^16.11.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-44531,"12.x || 14.x || 16.x || 17.x","^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-44532,"12.x || 14.x || 16.x || 17.x","^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-44533,"12.x || 14.x || 16.x || 17.x","^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2022-21824,"12.x || 14.x || 16.x || 17.x","^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
-CVE-2022-0778,"12.x || 14.x || 16.x || 17.x","^12.22.11 || ^14.19.1 || ^16.14.2 || ^17.7.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2022-32215,"14.x || 16.x || 18.x","^14.20.1 || ^16.17.1 || ^18.9.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
 CVE-2022-32214,"14.x || 16.x || 18.x","^14.20.0 || ^16.20.0 || ^18.5.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
 CVE-2022-32212,"14.x || 16.x || 18.x","^14.20.1 || ^16.17.1 || ^18.9.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
@@ -90,8 +54,6 @@ CVE-2022-35255,18.x,^18.9.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 1
 CVE-2022-43548,"14.x || 16.x || 18.x || 19.x","^14.21.1 || ^16.18.1 || ^18.12.1 || ^19.0.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
 CVE-2023-23918,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
 CVE-2023-23919,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.2.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
-CVE-2023-23936,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
-CVE-2023-24807,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
 CVE-2023-23920,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
 CVE-2023-30581,"16.x || 18.x || 20.x","^16.20.1 || ^18.16.1 || ^20.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x"
 CVE-2023-30582,20.x,^20.3.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x"
@@ -110,8 +72,6 @@ CVE-2023-32006,"16.x || 18.x || 20.x","^16.20.2 || ^18.17.1 || ^20.5.1","4.x ||
 CVE-2023-32559,"16.x || 18.x || 20.x","^16.20.2 || ^18.17.1 || ^20.5.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x"
 CVE-2023-32005,20.x,^20.5.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x"
 CVE-2023-32003,20.x,^20.5.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x"
-CVE-2023-45143,"18.x || 20.x","^18.18.2 || ^20.8.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x"
-CVE-2023-44487,"18.x || 20.x","^18.18.2 || ^20.8.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x"
 CVE-2023-39331,20.x,^20.8.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x"
 CVE-2023-39332,20.x,^20.8.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x"
 CVE-2023-38552,"18.x || 20.x","^18.18.2 || ^20.8.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x"

tools/eol_cve/index.js

@@ -4,6 +4,7 @@ const { format } = require('fast-csv');
 const { resolve } = require('path');
 const semver = require('semver');
 const nv = require('@pkgjs/nv');
+const { setTimeout } = require('node:timers/promises');
 
 const csvStream = format({ headers: true });
 const filePath = resolve(__dirname, 'eol-cve.csv');
@@ -14,6 +15,73 @@ const MINIMUM_VERSION = 4;
 
 const RELEASE_SCHEDULE_JSON = 'https://raw.githubusercontent.com/nodejs/Release/main/schedule.json';
 
+const NVD_API_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0";
+
+const VALID_REFERENCES = [
+    {
+        url: 'nodejs.org/en/blog/vulnerability',
+        source: '[email protected]'
+    },
+    {
+        url: 'nodejs.org/en/blog/vulnerability',
+        source: '[email protected]'
+    },
+    {
+        url: 'nodejs.org/en/blog/vulnerability',
+        source: '[email protected]'
+    },
+    {
+        url: 'hackerone.com/reports/',
+        source: '[email protected]'
+    }, {
+        url: 'www.openwall.com/lists/oss-security/',
+        source: '[email protected]'
+    }
+]
+
+async function isNodeCVE(cveId) {
+    const queryParams = new URLSearchParams({
+        cveId: cveId,
+    });
+
+    const response = await fetch(`${NVD_API_URL}?${queryParams.toString()}`, {
+        headers: {
+            'apiKey': process.env.NVD_TOKEN,
+        }
+    });
+    if (!response.ok) {
+        console.error(
+            `Error fetching data: ${response.status} ${response.statusText}`,
+        );
+        process.exit(1);
+    }
+    const data = await response.json();
+
+    const { vulnerabilities } = data;
+    if (!vulnerabilities?.length) {
+        return false;
+    }
+
+    const { cve } = vulnerabilities.at(0);
+    const { references } = cve;
+
+    if (references?.length) {
+        // Try to identify if the CVE is related to Node.js
+        // by checking the references
+        for (const reference of references) {
+            const { url, source } = reference;
+            for (const validReference of VALID_REFERENCES) {
+                const { url: validUrl, source: validSource } = validReference;
+                if (url.includes(validUrl) && source === validSource) {
+                    return true;
+                }
+            }
+        }
+    }
+
+    return false;
+}
+
 async function fetchReleasesSchedule() {
     try {
         const response = await fetch(RELEASE_SCHEDULE_JSON);
@@ -69,6 +137,15 @@ async function run() {
 
         // Each vulnerability can have multiple CVEs
         for (const cve of vuln.cve) {
+            if (!await isNodeCVE(cve)) {
+                continue;
+            }
+            // Otherwise NVD will block us
+            // Rate limit is 50 requests per 30 second with token
+            // and 5 requests per 30 seconds without token
+            const timeout = process.env.NVD_TOKEN ? 750 : 5000;
+            await setTimeout(timeout);
+
             const last = getLastAffectedVersion(vuln.vulnerable);
             // Skip 0.x and 4.x versions
             if (last <= MINIMUM_VERSION) continue;
@@ -96,7 +173,7 @@ async function run() {
                 return releaseDate > eol;
             });
 
-            if(releaseMajors.length === 0) continue;
+            if (releaseMajors.length === 0) continue;
 
             // Write into the format v4.x || v5.x || v6.x
             const missing = releaseMajors.map((n) => `${n}.x`).join(' || ');