Agoric / agoric-sdk

monorepo for the Agoric Javascript smart contract platform
Apache License 2.0

Cosmic Swingset: `yarn audit` for all agoric release repos and agoric dependency repos #6636

Open arirubinstein opened 1 year ago

arirubinstein commented 1 year ago

Before the release is ready to be cut, all known security issues raised by yarn audit must be resolved unless otherwise exempted. This does not include devDependencies issues unless there is a likely path to exploitation, determined by the Security team.

By default, this includes Critical, High, Medium issues. Select low issues may be raised by the Security team.

This includes the following repos:

ivanlei commented 1 year ago

Current state of things across all of agoric-sdk (not just cosmic swingset)

➜  agoric-sdk git:(6636_yarn_audit) ✗ yarn audit --groups devDependencies --level moderate --summary
yarn audit v1.22.19
61 vulnerabilities found - Packages audited: 1100
Severity: 6 Low | 11 Moderate | 35 High | 9 Critical
✨  Done in 1.11s.
➜  agoric-sdk git:(6636_yarn_audit) ✗ yarn audit --groups dependencies --level moderate --summary
yarn audit v1.22.19
0 vulnerabilities found - Packages audited: 579
✨  Done in 4.08s.
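The release policy in the opening comment (moderate-or-higher findings in runtime `dependencies` block the release, `devDependencies` findings go to the Security team unless exempted) can be checked mechanically against `yarn audit --json` rather than by reading the summary above. The script below is an added example, not code from agoric-sdk; it assumes the yarn v1 NDJSON record shapes (`auditAdvisory` with `data.advisory.severity` / `data.resolution.dev`, and `auditSummary`), and the sample records are constructed, not real advisories.

```javascript
// Release gate over `yarn audit --json` output, implementing the policy in this
// issue: moderate/high/critical in runtime dependencies blocks the release;
// the same severities in devDependencies are only listed for Security review.
// Added example, not part of agoric-sdk. Record shapes assumed from yarn v1.
const BLOCKING = new Set(["moderate", "high", "critical"]);

// Parse yarn's newline-delimited JSON into advisory records and the summary.
function parseAudit(ndjson) {
  const advisories = [];
  let summary = null;
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line);
    if (rec.type === "auditAdvisory") {
      const a = rec.data.advisory;
      advisories.push({
        module: a.module_name,
        severity: a.severity,
        dev: Boolean(rec.data.resolution && rec.data.resolution.dev),
      });
    } else if (rec.type === "auditSummary") {
      summary = rec.data.vulnerabilities;
    }
  }
  return { advisories, summary };
}

// Apply the policy. `exempt` lists module names the Security team has waived.
function releaseGate(ndjson, exempt = []) {
  const { advisories } = parseAudit(ndjson);
  const waived = new Set(exempt);
  const blocking = advisories.filter(
    (a) => !a.dev && BLOCKING.has(a.severity) && !waived.has(a.module),
  );
  const forReview = advisories.filter((a) => a.dev && BLOCKING.has(a.severity));
  return { ok: blocking.length === 0, blocking, forReview };
}

// Constructed sample (not a real audit): one high in a runtime dependency,
// one critical in a devDependency, one low that the policy ignores.
const SAMPLE = [
  '{"type":"auditAdvisory","data":{"resolution":{"dev":false},"advisory":{"module_name":"example-runtime-pkg","severity":"high"}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"dev":true},"advisory":{"module_name":"example-dev-tool","severity":"critical"}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"dev":false},"advisory":{"module_name":"example-runtime-pkg","severity":"low"}}}',
  '{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":1,"critical":1}}}',
].join("\n");

const result = releaseGate(SAMPLE);
console.log(result.ok ? "release gate: pass" : "release gate: BLOCKED", result);
```

In CI the same function would be fed `yarn audit --json` piped from stdin, with the exemption list maintained by the Security team alongside the release checklist.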