search

ForestAdmin / lumber

Install Forest Admin in minutes.
https://www.forestadmin.com
MIT License
2.08k stars 106 forks source link

Fix audit vulnerabilities for lodash and handlebars #579

Closed mario-grx closed 3 years ago

mario-grx commented 3 years ago

Expected behavior

There are a couple of vulnerabilities that have been with lumber-cli for a while. I was wondering if it would be possible to fix them to get CI pipelines to pass automatically.

Actual behavior

Currently, lumber-cli is fixed to version 4.17.19 that has a high vulnerability. Also, it is linked to version 4.7.6 of handlebars that has a critical vulnerability.

The problem is that it makes fail our CI when checking for vulnerabilities and because they're fixed versions, we can't update them.

Remediation

There are two methods. One would be to merge the dependabot PRs to fix those issues.

However, there's another solution that unless there's a strong reason to dismiss might be a better solution. It would be to change the fixed versions to minimum versions. That way, everybody depending on lumber-cli would be able to upgrade any of these dependencies. I'm not sure what's the reason that lodash, handlebars or sequelize are pinned to specific versions, as they would not be upgraded to major versions but only to minor or patch ones.

Please consider doing so.

I offer to send the PR with those changes if you would approve it.

das-peter commented 3 years ago

Don't mind me - just linking related issues together. Mentioned dependabot issues: https://github.com/ForestAdmin/lumber/pull/568 https://github.com/ForestAdmin/lumber/pull/575

slimee commented 3 years ago

Hi,

The lumber-cli is now deprecated. Please use instead forest-cli.