Fix npm audit vulnerabilities
kzhang-dsg opened this issue · 2 comments
kzhang-dsg commented
Ran `npm audit --production` on the latest version (`"version": "1.291.0"`). Below are the results:
```
=== npm audit security report ===
# Run npm install formik@2.2.9 to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ The `size` option isn't honored after following a redirect │
│ │ in node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ formik │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ formik > create-react-context > fbjs > isomorphic-fetch > │
│ │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-w7rc-rwvf-8q5r │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ node-fetch is vulnerable to Exposure of Sensitive │
│ │ Information to an Unauthorized Actor │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ formik │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ formik > create-react-context > fbjs > isomorphic-fetch > │
│ │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-r683-j2x4-v87g │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm install yup@1.0.0 to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Prototype Pollution in property-expr │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ property-expr │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yup │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ yup > property-expr │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-6fw4-hr69-g3rv │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Prototype Pollution in property-expr │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ property-expr │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @bigcommerce/checkout-sdk │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @bigcommerce/checkout-sdk > yup > property-expr │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-6fw4-hr69-g3rv │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 vulnerabilities (1 low, 1 high, 2 critical) in 336 scanned packages
3 vulnerabilities require semver-major dependency updates.
1 vulnerability requires manual review. See the full report for details.
```
Could you please fix the vulnerabilities?
animesh1987 commented
Hey @kzhang-dsg, we are planning to look at these issues in the upcoming months.
bc-0dp commented
Hi @kzhang-dsg, I believe these advisories were addressed in a previous update. Do, however, feel free to create a new issue if your concern persists. Security is a high priority for us. 🙇
Closing as resolved