Closed. mfarina1 closed this issue 4 weeks ago.
The following are each of the issues with solutions and time estimations, as per @njbrunner's analysis:

#21: crypto-js

Issues:
- The default cryptographic hash algorithm is insecure
- Only uses a single iteration

Solutions:
- Upgrade package version to 4.2.0 (latest), where the default hash algorithm and number of iterations have been updated
- Replace the package usage with the native Crypto module that is built into NodeJS

Considerations: My recommendation would be to proceed with replacing this package with the native Crypto module, as active development on this package has been suspended and it is no longer maintained.

Resolution:
- Remove crypto-js as a dependency
- Locate all usages of crypto-js in the application code and replace them with usage of the native Crypto module

Time Estimation: 1 to 2 days of work to find/replace all usage of crypto-js and complete testing

#20, #19: Babel

Issue: @babel/traverse < 7.23.2 is vulnerable to arbitrary code execution when compiling

Solution: We don’t directly utilize @babel/traverse, but the likely culprit is @babel/polyfill. @babel/polyfill has been deprecated in favor of directly including core-js/stable. Therefore we should remove this package and implement core-js/stable.

Considerations: @babel/polyfill is deprecated in favor of core-js/stable

Resolution:
- Remove @babel/polyfill as a dependency from anms-ui/server and anms-ui/public
- Locate all usages of @babel/polyfill in the application code and replace them with usage of the core-js/stable module

Time Estimation: 1 to 2 days of work to find/replace all usage of @babel/polyfill and complete testing

#8: flat

Issue: flat < 5.0.1 has a vulnerability that leads to improperly controlled modification of object prototype attributes

Solution: Upgrade flat to the latest version, 6.0.1

Considerations: Release notes should be reviewed to ensure compatibility

Resolution:
- Upgrade flat to version 6.0.1
- Update any necessary usages based on the new version

Time Estimation: 1 day to update the version and complete testing

#7: webpack loader-utils

Issue: Prototype pollution vulnerability in loader-utils < 1.4.1

Solution: loader-utils likely comes from our usage of webpack; we should upgrade webpack to a version (5.95.0, latest) that supports a higher version of loader-utils with the vulnerability patched

Considerations: Release notes should be reviewed to ensure compatibility of a new webpack version

Resolution: Upgrade webpack to latest version 5.95.0

Time Estimation: 2 days to upgrade webpack and complete testing

#4: ejs

Issue: Template injection vulnerability in ejs < 3.1.7

Solution: Upgrade ejs to the latest version, 3.1.10

Considerations:
- We should inspect the code to validate that the ejs package is actually being utilized
- Since our application is built with Vue, it shouldn’t be necessary to use ejs

Resolution: Determine whether the use of ejs is necessary; if so, upgrade the ejs package to 3.1.10

Time Estimation: 2 days to inspect code and determine the need for ejs, upgrade to 3.1.10 if necessary, and complete testing