This repository was archived by the owner on May 9, 2023. It is now read-only.

Conversation

@adunkman
Contributor

@adunkman adunkman commented Apr 9, 2020

Related to #464, this PR upgrades dependencies to their latest and performs npm’s automated npm audit fix to upgrade vulnerable subdependencies when permitted.

| Upgraded dependency | From | To | Release notes / Diff |
| --- | --- | --- | --- |
| fuse.js | 5.0.5-beta | 5.1.0 | 📗 / 🧮 |
| netlify-cms | 2.10.23 | 2.10.42 | 📗 / 🧮 |
| jest | 25.1.0 | 25.3.0 | 📗 / 🧮 |
The resulting npm audit report.
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ http-server [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ http-server > optimist > minimist                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 251478 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Have submitted http-party/http-server#622 for an upstream fix to the remaining vulnerability; http-server is used while running npm test. Can also move to another library if that pull request doesn’t receive attention — will leave #464 open as a reminder.
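The triage the PR author does by hand above (the remaining finding is low severity and only reachable through http-server, a dev dependency used by `npm test`) can be automated against the JSON form of the same report (`npm audit --json`). The following is an added example, not code from this PR or the repository: it flattens a report into one row per vulnerable dependency path, marks rows whose root package is a dev dependency, and applies a simple blocking policy. The field names (`advisories`, `module_name`, `severity`, `patched_versions`, `findings[].paths`) are assumed to follow the npm 6 report format and should be checked against your npm version's actual output; the sample report, the dev-root set and the thresholds are constructed for illustration from the single advisory shown in the PR.

```javascript
// Added example (not part of the PR): triage `npm audit --json` output by
// separating dev-only findings from production-reachable ones.
// Assumption: field names follow the npm 6 audit JSON format.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report built from the advisory shown in the PR.
const SAMPLE_REPORT = {
  advisories: {
    '1179': {
      id: 1179,
      module_name: 'minimist',
      title: 'Prototype Pollution',
      severity: 'low',
      patched_versions: '>=0.2.1 <1.0.0 || >=1.2.3',
      url: 'https://npmjs.com/advisories/1179',
      findings: [{ paths: ['http-server>optimist>minimist'] }],
    },
  },
};

// Constructed dev-dependency roots, as they would be read from the
// devDependencies section of package.json.
const SAMPLE_DEV_ROOTS = new Set(['http-server', 'jest']);

// One row per vulnerable dependency path; devOnly is derived from the
// first package on the path rather than from any flag in the report.
function flattenFindings(report, devRoots) {
  const rows = [];
  for (const adv of Object.values(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const root = path.split('>')[0].trim();
        rows.push({
          id: adv.id,
          module: adv.module_name,
          title: adv.title,
          severity: adv.severity,
          patchedIn: adv.patched_versions,
          path,
          devOnly: devRoots.has(root),
        });
      }
    }
  }
  return rows;
}

// Policy: block when a production-reachable path is at or above prodThreshold,
// or when any path (dev included) is at or above anyThreshold. Everything
// else still lands in manualReview, since it survived `npm audit fix`.
function triageAudit(report, devRoots, { prodThreshold = 'moderate', anyThreshold = 'high' } = {}) {
  const rows = flattenFindings(report, devRoots);
  // Unknown severity strings are treated as critical rather than ignored.
  const rank = (s) => (s in SEVERITY_RANK ? SEVERITY_RANK[s] : SEVERITY_RANK.critical);
  const blocking = rows.filter(
    (r) => rank(r.severity) >= rank(anyThreshold) ||
           (!r.devOnly && rank(r.severity) >= rank(prodThreshold))
  );
  return {
    blocking,
    manualReview: rows.filter((r) => !blocking.includes(r)),
    exitCode: blocking.length > 0 ? 1 : 0,
  };
}

// Demonstration on the constructed sample: one low, dev-only finding, so
// nothing blocks and the row is listed for manual review.
const SAMPLE_RESULT = triageAudit(SAMPLE_REPORT, SAMPLE_DEV_ROOTS);
for (const r of SAMPLE_RESULT.manualReview) {
  console.log(`review: ${r.severity} ${r.title} in ${r.module} via ${r.path}` +
              `${r.devOnly ? ' [dev]' : ''}; patched in ${r.patchedIn}`);
}
for (const r of SAMPLE_RESULT.blocking) {
  console.log(`BLOCK: ${r.severity} ${r.title} in ${r.module} via ${r.path}`);
}
process.exitCode = SAMPLE_RESULT.exitCode;
```

In a CI step this would read the real report from `npm audit --json` and the dev roots from `package.json`; the thresholds are the policy knobs, and the point of deriving `devOnly` from the path root is that the decision does not depend on a per-finding flag that has varied between npm versions.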

adunkman added 2 commits April 9, 2020 16:34
`npm audit fix` fixes all but 2 remaining vulnerabilities.
@Jkrzy Jkrzy merged commit e6112fa into dev Apr 10, 2020
@Jkrzy Jkrzy deleted the fix-security-vulnerability branch April 10, 2020 04:24
This was referenced Apr 10, 2020