Remediate High / Critical issues from npm security audit [Feature]:
jaydubb12 opened this issue · 1 comment
How the project can be improved?
Issue
Remediate High / Critical issues from the npm security audit, which can be run using the following commands
Command to run dependency check
yarn npm audit --all -R --severity critical
yarn npm audit --all -R --severity high
Output
├─ axios: 0.21.1
│ ├─ Issue: Incorrect Comparison in axios
│ ├─ URL: GHSA-cph5-m8f7-6c5x
│ ├─ Severity: high
│ ├─ Vulnerable Versions: <=0.21.1
│ ├─ Patched Versions: >=0.21.2
│ ├─ Via: axios, @vue-storefront/core, @vue-storefront/boilerplate-api, @vue-storefront/boilerplate
│ └─ Recommendation: Upgrade to version 0.21.2 or later
│
├─ glob-parent: 2.0.0
│ ├─ Issue: Regular expression denial of service
│ ├─ URL: GHSA-ww39-953v-wcq6
│ ├─ Severity: high
│ ├─ Vulnerable Versions: <5.1.2
│ ├─ Patched Versions: >=5.1.2
│ ├─ Via: chokidar, @vue-storefront/nuxt, @storefront-ui/vue, ts-loader, @nuxt/types, @vue-storefront/core, @vue-storefront/boilerplate-api, @vue-storefront/boilerplate, nuxt-purgecss, nuxt, ts-jest
│ └─ Recommendation: Upgrade to version 5.1.2 or later
│
└─ trim-newlines: 1.0.0
├─ Issue: Regular Expression Denial of Service in trim-newlines
├─ URL: GHSA-7p7h-4mm5-852v
├─ Severity: high
├─ Vulnerable Versions: <3.0.1
├─ Patched Versions: >=3.0.1
├─ Via: @commitlint/cli, lerna
└─ Recommendation: Upgrade to version 3.0.1 or later
What are the acceptance criteria?
- Remediate the security vulnerabilities by updating the referenced dependencies directly, or via a resolutions config in the package.json
- Regression test the code base to ensure that there are no regressions
Additional information
It is best practice to maintain the code base in a fashion that does not reflect any high / critical issues within a period of 24 hours - 1 week, depending on the severity.
What version of Vue Storefront can this feature be implemented in?
2.5.0+
Code of Conduct
- I agree to follow this project's Code of Conduct
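As an added example (not code from the issue or from the Vue Storefront project), a small Node script that parses the audit tree quoted above, checks a resolved version against the advisory's "Patched Versions" range, and builds the package.json "resolutions" entries the acceptance criteria mention. The helper names and the inline sample are assumptions; the sample is constructed from the issue's own output.

```javascript
// Added example, not code from the issue or the Vue Storefront project: parse the
// tree that `yarn npm audit -R` prints, check versions against "Patched Versions",
// and emit "resolutions". Helper names are mine; the sample is constructed.
const SAMPLE_AUDIT = [
  '├─ axios: 0.21.1',
  '│ ├─ Issue: Incorrect Comparison in axios',
  '│ ├─ Severity: high',
  '│ ├─ Patched Versions: >=0.21.2',
  '└─ trim-newlines: 1.0.0',
  '  ├─ Severity: high',
  '  ├─ Patched Versions: >=3.0.1',
].join('\n');
const FIELD = /^(Issue|URL|Severity|Vulnerable Versions|Patched Versions|Via|Recommendation): (.*)$/;
const HEADER = /^(@?[^\s:]+): (\S+)$/;             // "<package>: <resolved version>"
const RANK = { low: 0, moderate: 1, high: 2, critical: 3 };
// Turn the box-drawing tree into [{ name, version, fields }, ...].
function parseAudit(text) {
  const findings = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/^[\s│├└─]+/, '').trim(); // strip tree glyphs
    const field = line.match(FIELD), head = line.match(HEADER);
    if (field && findings.length) findings[findings.length - 1].fields[field[1]] = field[2];
    else if (head) findings.push({ name: head[1], version: head[2], fields: {} });
  }
  return findings;
}
// Numeric compare of MAJOR.MINOR.PATCH; pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}
// Only the ">=x.y.z" form yarn prints for these advisories is supported.
function isPatched(version, patchedRange) {
  const m = patchedRange.match(/^>=(\d+\.\d+\.\d+)$/);
  if (!m) throw new Error(`unsupported range: ${patchedRange}`);
  return compareVersions(version, m[1]) >= 0;
}
// "resolutions" entries for findings at or above minSeverity that are still unpatched.
// A caret on a major jump (trim-newlines 1.x -> 3.x) forces that major onto every
// dependent, which is why the issue asks for a regression run afterwards.
function buildResolutions(text, minSeverity) {
  const out = {};
  for (const f of parseAudit(text)) {
    const range = f.fields['Patched Versions'];
    if (RANK[f.fields.Severity] < RANK[minSeverity] || isPatched(f.version, range)) continue;
    out[f.name] = '^' + range.replace(/^>=/, '');
  }
  return out;
}
```

The returned map drops straight into the "resolutions" key of package.json; re-run the audit commands from the issue afterwards to confirm the findings are gone.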
Issue is closed. Reason: Too Old (>6 months)
Sergii Kirianov
Developer Advocate
Vue Storefront