forked from sebsauvage/Shaarli
update vulnerable npm dependencies (npm audit fix) #2052
Labels: dependencies, enhancement, help-wanted, security
nodiscc added the enhancement, security and dependencies labels on Dec 3, 2023
nodiscc added a commit to nodiscc/Shaarli that referenced this issue on Dec 5, 2023
There are 2 issues remaining:
However these can only be fixed with
But I run into dependency issues when trying to perform
Mostly fixed in #2087

yarn.lock (yarn)
================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ micromatch │ CVE-2024-4067 │ MEDIUM │ fixed │ 4.0.6 │ 4.0.8 │ micromatch: vulnerable to Regular Expression Denial of │
│ │ │ │ │ │ │ Service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-4067 │
├────────────┼────────────────┤ │ ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ webpack │ CVE-2024-43788 │ │ │ 5.91.0 │ 5.94.0 │ webpack: DOM Clobbering vulnerability in │
│ │ │ │ │ │ │ AutoPublicPathRuntimeModule │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-43788 │
└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

reopening

nodiscc added a commit to nodiscc/Shaarli that referenced this issue on Oct 19, 2024

- micromatch: fixes https://avd.aquasec.com/nvd/2024/cve-2024-4067/
- webpack: fixes https://avd.aquasec.com/nvd/cve-2024-43788
- rm yarn.lock && yarnpkg install
- fixes shaarli#2052
trivy security scanner reports vulnerable dependencies in Shaarli's yarn.lock: https://github.com/shaarli/Shaarli/actions/runs/7077779999/job/19262500733

These vulnerable dependencies are also present in the last release (v0.13.0), which is reflected by the failed status of daily trivy scans (https://github.com/shaarli/Shaarli/actions/workflows/trivy-release.yml).

These are basically the same vulnerabilities as those reported by github dependabot on https://github.com/shaarli/Shaarli/security/dependabot.

`npm audit fix` (and a few manual tests to ensure the upgrade doesn't break anything) should fix most of these warnings. In case a dependency can't be easily updated, we should check if the reported vulnerability is effectively applicable, and if not, whitelist it.

In addition we could disable Github's security advisories as these are now redundant (and a FOSS solution like trivy is preferable in my opinion - it is also easy to run it locally using `make test_trivy_repo`).
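The triage step the issue describes (upgrade what has a fixed version, and for anything that cannot be upgraded, assess applicability and whitelist it with a reason) can be scripted over trivy's JSON output. The following is an added example, not code from the issue or from the Shaarli project. It assumes the shape of `trivy fs --format json` (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) and trivy's plain `.trivyignore` format (one ID per line, `#` comment lines). The first two findings in the constructed report are the ones from the table above; the third, `CVE-0000-00000`, is a labelled placeholder standing in for a dependency with no upstream fix. Treating the comment block above an ignored ID as its recorded justification is this example's own convention, not a trivy feature.

```python
import json

# Severity ranking as used in trivy's summary line (UNKNOWN < LOW < MEDIUM < HIGH < CRITICAL).
SEVERITY_ORDER = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report in the shape of `trivy fs --format json`. The first two
# findings mirror the issue's table; the third is a PLACEHOLDER (not a real
# advisory) standing in for a dependency with no fixed version available.
SAMPLE_REPORT_JSON = """
{
  "SchemaVersion": 2,
  "Results": [
    {
      "Target": "yarn.lock",
      "Class": "lang-pkgs",
      "Type": "yarn",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-4067", "PkgName": "micromatch",
         "InstalledVersion": "4.0.6", "FixedVersion": "4.0.8",
         "Status": "fixed", "Severity": "MEDIUM",
         "Title": "micromatch: vulnerable to Regular Expression Denial of Service"},
        {"VulnerabilityID": "CVE-2024-43788", "PkgName": "webpack",
         "InstalledVersion": "5.91.0", "FixedVersion": "5.94.0",
         "Status": "fixed", "Severity": "MEDIUM",
         "Title": "webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule"},
        {"VulnerabilityID": "CVE-0000-00000", "PkgName": "placeholder-dev-tool",
         "InstalledVersion": "1.0.0", "FixedVersion": "",
         "Status": "affected", "Severity": "MEDIUM",
         "Title": "PLACEHOLDER: constructed finding with no upstream fix"}
      ]
    }
  ]
}
"""

# Constructed .trivyignore. trivy reads one vulnerability ID per line and skips
# '#' lines; attaching the preceding comment block to the ID as its written
# justification is this example's own convention, not a trivy feature.
SAMPLE_TRIVYIGNORE = """\
# PLACEHOLDER entry: build-time dev dependency, the affected code path is
# never shipped to end users. Re-evaluate when upstream publishes a fix.
CVE-0000-00000
"""


def load_report(text):
    """Parse a trivy JSON report from its text form."""
    return json.loads(text)


def parse_trivyignore(text):
    """Return {vulnerability_id: justification} from .trivyignore text.

    Comment lines directly above an ID become its justification, so an
    ignore entry without a recorded reason shows up as an empty string.
    """
    ignored = {}
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            pending = []  # a blank line ends the comment block
            continue
        if line.startswith("#"):
            pending.append(line.lstrip("#").strip())
            continue
        # trivy allows extra fields after the ID (e.g. an expiry); keep the ID only.
        vuln_id = line.split()[0]
        ignored[vuln_id] = " ".join(pending)
        pending = []
    return ignored


def triage(report, ignored, min_severity="MEDIUM"):
    """List findings that still need action after applying the ignore list.

    Each entry says whether the fix is a plain upgrade (fixed version known)
    or whether applicability must be assessed first (no fixed version).
    Findings below `min_severity` and IDs present in `ignored` are dropped.
    """
    threshold = SEVERITY_ORDER[min_severity]
    todo = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            vuln_id = vuln["VulnerabilityID"]
            severity = vuln.get("Severity", "UNKNOWN")
            if SEVERITY_ORDER.get(severity, 0) < threshold or vuln_id in ignored:
                continue
            fixed = vuln.get("FixedVersion") or None  # trivy emits "" when no fix exists
            todo.append({
                "id": vuln_id,
                "target": result.get("Target", ""),
                "pkg": vuln["PkgName"],
                "installed": vuln["InstalledVersion"],
                "fixed": fixed,
                "severity": severity,
                "action": f"upgrade to {fixed}" if fixed
                          else "no fix available: assess applicability, then ignore with justification or mitigate",
            })
    return todo


def unjustified_ignores(ignored):
    """IDs that are ignored without a recorded reason (should be empty at review time)."""
    return sorted(vid for vid, reason in ignored.items() if not reason)


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT_JSON)
    ignores = parse_trivyignore(SAMPLE_TRIVYIGNORE)
    for item in triage(report, ignores):
        print(f"{item['severity']:8} {item['id']:15} {item['pkg']} {item['installed']} -> {item['action']}")
    print("ignored without justification:", unjustified_ignores(ignores))
```

Run against a real scan with `trivy fs --format json . > report.json` and the repository's `.trivyignore`; the `unjustified_ignores` check is the piece worth keeping in CI, since an ignore entry with no reason is exactly the case where a whitelisted vulnerability should be re-examined.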