dscape/clarinet

outdated benchmark dependencies cause CVEs

khassel opened this issue · 1 comment

Hi,

The stuff in the benchmark folder is obviously installed with clarinet, and the dependencies defined in benchmark/package.json are very old. So running a CVE scanner results in:

Vulnerability ID           Package                        Severity        Fix            CVE Refs              Vulnerability URL                                        Type          Feed Group        Package Path                                       
GHSA-jf85-cpcp-j695        lodash-4.17.11                 High            4.17.12        CVE-2019-10744        https://github.com/advisories/GHSA-jf85-cpcp-j695        npm           github:npm        /opt/magic_mirror/node_modules/clarinet/benchmark/node_modules/lodash/package.json
GHSA-p6mc-m468-83gw        lodash-4.17.11                 Low             4.17.19        CVE-2020-8203         https://github.com/advisories/GHSA-p6mc-m468-83gw        npm           github:npm        /opt/magic_mirror/node_modules/clarinet/benchmark/node_modules/lodash/package.json

Is there a chance to update these dependencies, or to avoid installing this stuff when using npm install --only=production?

Thanks,

Karsten.
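As an added illustration (not code from the clarinet project or from this issue), this is the check a scanner like the one above performs: walk every package.json under node_modules, including nested copies such as benchmark/node_modules/lodash, and flag versions below an advisory's fix version. The in-memory tree, the clarinet placeholder version, the non-benchmark lodash copy and the list of dev-only directory names are assumptions constructed for the example; the advisory ids and fix versions are the ones quoted in the scanner output above.

```javascript
// Added example: detect nested vulnerable copies of a package in a
// node_modules tree. The tree is constructed in memory so it runs offline;
// for a real install, replace SAMPLE_TREE with the result of walking
// node_modules with fs.readdirSync and JSON.parse on each package.json.

// Advisories copied from the scanner output in the issue.
const ADVISORIES = [
  { id: 'GHSA-jf85-cpcp-j695', pkg: 'lodash', fixed: '4.17.12', severity: 'High' },
  { id: 'GHSA-p6mc-m468-83gw', pkg: 'lodash', fixed: '4.17.19', severity: 'Low' },
];

// Constructed sample: path of each package.json -> its parsed contents.
// The clarinet version and the top-level lodash copy are placeholders.
const SAMPLE_TREE = {
  'node_modules/clarinet/package.json': { name: 'clarinet', version: '0.0.0-placeholder' },
  'node_modules/clarinet/benchmark/node_modules/lodash/package.json': { name: 'lodash', version: '4.17.11' },
  'node_modules/lodash/package.json': { name: 'lodash', version: '4.17.21' },
};

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// One finding per (advisory, installed copy) whose version is below the fix version.
function findVulnerable(tree, advisories) {
  const findings = [];
  for (const [file, manifest] of Object.entries(tree)) {
    for (const adv of advisories) {
      if (manifest.name === adv.pkg && compareVersions(manifest.version, adv.fixed) < 0) {
        findings.push({ id: adv.id, pkg: manifest.name, version: manifest.version,
                        fixed: adv.fixed, severity: adv.severity, file });
      }
    }
  }
  return findings;
}

// Copies living under a benchmark/test/example directory are dev-only content that
// should not be in the published tarball; flagging them separately points at the fix
// (exclude the folder via "files" in package.json or .npmignore) rather than a bump.
const DEV_ONLY_DIRS = ['benchmark', 'test', 'example'];
function isDevOnlyPath(file) {
  return file.split('/').some(seg => DEV_ONLY_DIRS.includes(seg));
}

for (const f of findVulnerable(SAMPLE_TREE, ADVISORIES)) {
  const tag = isDevOnlyPath(f.file) ? ' [dev-only path]' : '';
  console.log(`${f.id} ${f.pkg}@${f.version} (fix ${f.fixed}, ${f.severity}) ${f.file}${tag}`);
}
```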

@evan-king raised a PR to fix this issue; could you have a look?