vuestorefront/vue-storefront

Remediate High / Critical issues from npm security audit [Feature]:

jaydubb12 opened this issue · 1 comment

How can the project be improved?

Issue

Remediate High / Critical issues from the npm security audit, which can be run using the following commands:

Command to run dependency check

yarn npm audit --all -R --severity critical
yarn npm audit --all -R --severity high

Output

├─ axios: 0.21.1
│ ├─ Issue: Incorrect Comparison in axios
│ ├─ URL: GHSA-cph5-m8f7-6c5x
│ ├─ Severity: high
│ ├─ Vulnerable Versions: <=0.21.1
│ ├─ Patched Versions: >=0.21.2
│ ├─ Via: axios, @vue-storefront/core, @vue-storefront/boilerplate-api, @vue-storefront/boilerplate
│ └─ Recommendation: Upgrade to version 0.21.2 or later

├─ glob-parent: 2.0.0
│ ├─ Issue: Regular expression denial of service
│ ├─ URL: GHSA-ww39-953v-wcq6
│ ├─ Severity: high
│ ├─ Vulnerable Versions: <5.1.2
│ ├─ Patched Versions: >=5.1.2
│ ├─ Via: chokidar, @vue-storefront/nuxt, @storefront-ui/vue, ts-loader, @nuxt/types, @vue-storefront/core, @vue-storefront/boilerplate-api, @vue-storefront/boilerplate, nuxt-purgecss, nuxt, ts-jest
│ └─ Recommendation: Upgrade to version 5.1.2 or later

└─ trim-newlines: 1.0.0
├─ Issue: Regular Expression Denial of Service in trim-newlines
├─ URL: GHSA-7p7h-4mm5-852v
├─ Severity: high
├─ Vulnerable Versions: <3.0.1
├─ Patched Versions: >=3.0.1
├─ Via: @commitlint/cli, lerna
└─ Recommendation: Upgrade to version 3.0.1 or later

What are the acceptance criteria?

  • Remediate the security vulnerabilities by updating the referenced dependencies directly, or via a resolutions config in the package.json

  • Regression test the code base to ensure that there are no regressions

Additional information

It is best practice to maintain the code base in a fashion that does not carry any high / critical findings for longer than 24 hours to 1 week, depending on the severity.

In what version of Vue Storefront can this feature be implemented?

2.5.0+

Code of Conduct

  • I agree to follow this project's Code of Conduct
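The acceptance criteria above ask for the findings to be remediated either by bumping the dependencies directly or through a `resolutions` entry in package.json, and for the tree to stay free of high / critical advisories. The script below is an added example, not code from this issue or from the Vue Storefront project: it consumes the JSON form of the same audit (`yarn npm audit --all -R --json`, Yarn 2+), fails the build when anything at or above a chosen severity is open, and derives the `resolutions` map that would pin each affected package to the lowest patched version. The sample input is constructed from the three findings quoted in the issue. It assumes the JSON output is one object per advisory and per line, with the same field names as the tree output shown above (`Issue`, `Severity`, `Patched Versions`, `Via`, ...); confirm that against the Yarn version in use before wiring it into CI.

```javascript
"use strict";
// Added example (not vue-storefront project code): CI gate over
// `yarn npm audit --all -R --json`.
// ASSUMPTION: each line is {"value": "<package>", "children": {"Issue": ...,
// "URL": ..., "Severity": ..., "Vulnerable Versions": ..., "Patched Versions": ...,
// "Via": [...], "Recommendation": ...}}, mirroring the tree output in the issue.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Sample input CONSTRUCTED from the three advisories quoted in the issue.
const SAMPLE_AUDIT_NDJSON = [
  { value: "axios", children: { Issue: "Incorrect Comparison in axios", URL: "GHSA-cph5-m8f7-6c5x",
    Severity: "high", "Vulnerable Versions": "<=0.21.1", "Patched Versions": ">=0.21.2",
    Via: ["axios", "@vue-storefront/core"] } },
  { value: "glob-parent", children: { Issue: "Regular expression denial of service", URL: "GHSA-ww39-953v-wcq6",
    Severity: "high", "Vulnerable Versions": "<5.1.2", "Patched Versions": ">=5.1.2",
    Via: ["chokidar", "nuxt"] } },
  { value: "trim-newlines", children: { Issue: "Regular Expression Denial of Service in trim-newlines",
    URL: "GHSA-7p7h-4mm5-852v", Severity: "high", "Vulnerable Versions": "<3.0.1",
    "Patched Versions": ">=3.0.1", Via: ["@commitlint/cli", "lerna"] } },
].map((o) => JSON.stringify(o)).join("\n");

// Parse newline-delimited JSON, skipping blank lines, non-JSON lines (progress
// output) and objects that are not advisories.
function parseAudit(ndjson) {
  const findings = [];
  for (const line of ndjson.split("\n")) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    let obj;
    try { obj = JSON.parse(trimmed); } catch (e) { continue; }
    if (!obj || typeof obj.value !== "string" || !obj.children) continue;
    const c = obj.children;
    findings.push({
      name: obj.value,
      issue: c.Issue || "",
      url: c.URL || "",
      severity: String(c.Severity || "").toLowerCase(),
      vulnerable: c["Vulnerable Versions"] || "",
      patched: c["Patched Versions"] || "",
      via: Array.isArray(c.Via) ? c.Via : [],
    });
  }
  return findings;
}

// Lowest x.y.z in a ">=x.y.z" style range. ASSUMPTION: simple lower-bound ranges
// as in the issue; compound ranges ("<1.2.3 || >=2.0.0") need a human decision.
function minPatchedVersion(range) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(range || "");
  return m ? m[0] : null;
}

function compareSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Returns the advisories at or above minSeverity and a resolutions map pinning
// each package to the highest "lowest patched version" seen for it.
function gateAudit(ndjson, minSeverity = "high") {
  const threshold = SEVERITY_RANK[minSeverity] ?? SEVERITY_RANK.high;
  const failing = parseAudit(ndjson)
    .filter((f) => (SEVERITY_RANK[f.severity] ?? 0) >= threshold)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name));
  const resolutions = {};
  for (const f of failing) {
    const v = minPatchedVersion(f.patched);
    if (!v) continue; // no patched release yet: must be handled manually
    const current = resolutions[f.name];
    if (!current || compareSemver(v, current.slice(1)) > 0) resolutions[f.name] = "^" + v;
  }
  return { failing, resolutions };
}

// Merge derived pins into a package.json object, keeping existing resolutions.
function withResolutions(pkg, resolutions) {
  return { ...pkg, resolutions: { ...(pkg.resolutions || {}), ...resolutions } };
}

// CLI mode:  yarn npm audit --all -R --json | node audit-gate.js --stdin [high|critical]
if (process.argv.includes("--stdin")) {
  const level = process.argv[process.argv.indexOf("--stdin") + 1] || "high";
  const { failing, resolutions } = gateAudit(require("fs").readFileSync(0, "utf8"), level);
  for (const f of failing) console.log(`${f.severity.toUpperCase()} ${f.name} ${f.vulnerable} (${f.url}) via ${f.via.join(", ")}`);
  if (failing.length) {
    console.log("Suggested package.json resolutions:", JSON.stringify(resolutions, null, 2));
    process.exitCode = 1;
  }
} else {
  console.log(JSON.stringify(gateAudit(SAMPLE_AUDIT_NDJSON).resolutions, null, 2));
}

module.exports = { parseAudit, minPatchedVersion, gateAudit, withResolutions, SAMPLE_AUDIT_NDJSON };
```

A `resolutions` pin is the quick path, but it is not free of risk: forcing glob-parent from 2.0.0 to 5.1.2 crosses three major versions underneath chokidar 1.x, which is exactly the kind of change the "regression test the code base" criterion exists for. Prefer upgrading the dependents named under `Via` (chokidar, nuxt, lerna, @commitlint/cli) so the fix arrives through a supported path, and keep the pin only where an upstream release is not yet available.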

Issue is closed. Reason: Too Old (>6 months)


Sergii Kirianov

Developer Advocate

Vue Storefront