bigcommerce/checkout-js

Fix npm audit vulnerabilities

kzhang-dsg opened this issue · 2 comments

kzhang-dsg commented

Run npm audit --production on the latest version "version": "1.291.0"

Below are the results:

                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm install formik@2.2.9  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ The `size` option isn't honored after following a redirect   │
│               │ in node-fetch                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ formik                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ formik > create-react-context > fbjs > isomorphic-fetch >    │
│               │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-w7rc-rwvf-8q5r            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ node-fetch is vulnerable to Exposure of Sensitive            │
│               │ Information to an Unauthorized Actor                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ formik                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ formik > create-react-context > fbjs > isomorphic-fetch >    │
│               │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-r683-j2x4-v87g            │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm install yup@1.0.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Prototype Pollution in property-expr                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ property-expr                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yup                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ yup > property-expr                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-6fw4-hr69-g3rv            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Prototype Pollution in property-expr                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ property-expr                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @bigcommerce/checkout-sdk                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @bigcommerce/checkout-sdk > yup > property-expr              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-6fw4-hr69-g3rv            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 vulnerabilities (1 low, 1 high, 2 critical) in 336 scanned packages
  3 vulnerabilities require semver-major dependency updates.
  1 vulnerability requires manual review. See the full report for details.

Could you please fix the vulnerabilities ?

animesh1987 commented

Hey @kzhang-dsg we are planning to look at these issues in upcoming months.

bc-0dp commented

Hi @kzhang-dsg I believe these advisories where addressed in a previous update. Do however feel free to create a new issue if your concern persist. Security is a high priority to us. 🙇

Closing as resolved