Closed kurt-mueller-osumc closed 6 months ago
The yarn audit command also provides insight:
$ yarn audit
yarn audit v1.22.22
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate │ ReDoS in Sec-Websocket-Protocol header │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ remotedev │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ remotedev > socketcluster-client > ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1090475 │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 280
Severity: 1 Moderate
Done in 0.59s
@theimowski I see you added remoteDev to the template. Is this something you actually use? It does not seem to be maintained, so I think we should just drop the dependency.
Thanks for the heads up @kurt-mueller-osumc!
No problem! Thank you for maintaining an excellent product :).
I see you added remoteDev to the template. Is this something you actually use? It does not seem to be maintained, so I think we should just drop the dependency.
Well, the tool still works as of today, just with a warning. It is still quite useful for exploring your application state / diff, from time to time.
And this is a dev tool, so the security issue is not exposed to the production application and only happens on your machine while in dev mode.
@MangelMaxime good point - rather than roll this change back, I've created an issue in the docs repo. We can write some info on how to add remotedev in cases where it would be helpful to have more in-depth debugging capabilities, and that way people who are not using it won't be troubled with an unnecessary warning.
In the root of your SAFE Stack application, run npm audit fix:
socketcluster-client is a dependency of remotedev, which is listed in package.json. Unfortunately, remotedev hasn't been updated in a few years.
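The triage question raised in this thread (is the finding reachable only through a dev-only dependency such as remotedev > socketcluster-client > ws, or does it ship to production?) can be answered mechanically from yarn's machine-readable output. The script below is an added example, not code from the SAFE template or from anyone in this issue. It assumes yarn 1's `yarn audit --json` newline-delimited format, in particular the record `type` values `auditAdvisory` / `auditSummary` and the `data.resolution.path`, `data.resolution.dev` and `data.advisory.*` fields; the input is a constructed sample modelled on the ws finding shown above, not captured output.

```javascript
// Added example: triage `yarn audit --json` (yarn 1, newline-delimited JSON)
// so that findings reachable only via devDependencies are separated from
// findings that reach the production bundle. Field names below are an
// assumption about yarn 1's format, not taken from this issue.

// Constructed sample input, modelled on the remotedev > socketcluster-client > ws
// finding in this thread (not real captured output).
const SAMPLE_AUDIT_NDJSON = [
  JSON.stringify({
    type: "auditAdvisory",
    data: {
      resolution: {
        id: 1090475,
        path: "remotedev>socketcluster-client>ws",
        dev: true,       // only reachable through a devDependency
        optional: false,
        bundled: false,
      },
      advisory: {
        module_name: "ws",
        severity: "moderate",
        title: "ReDoS in Sec-Websocket-Protocol header",
        patched_versions: ">=5.2.3",
        findings: [{ paths: ["remotedev>socketcluster-client>ws"] }],
        url: "https://www.npmjs.com/advisories/1090475",
      },
    },
  }),
  JSON.stringify({
    type: "auditSummary",
    data: {
      vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 0 },
      totalDependencies: 280,
    },
  }),
].join("\n");

// Split the NDJSON stream into advisory records and the trailing summary.
// Non-JSON lines (yarn warnings, blank lines) are skipped rather than fatal.
function parseYarnAudit(ndjson) {
  const advisories = [];
  let summary = null;
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    if (rec.type === "auditAdvisory") advisories.push(rec.data);
    else if (rec.type === "auditSummary") summary = rec.data;
  }
  return { advisories, summary };
}

// Flatten each advisory into the facts a reviewer needs: which top-level
// package pulls it in, the full path, and whether it is dev-only.
function triage(ndjson) {
  return parseYarnAudit(ndjson).advisories.map(({ resolution, advisory }) => ({
    module: advisory.module_name,
    severity: advisory.severity,
    title: advisory.title,
    patchedIn: advisory.patched_versions,
    path: resolution.path,
    topLevel: resolution.path.split(">")[0],
    devOnly: resolution.dev === true,
  }));
}

// Policy gate for CI: fail on findings at or above minSeverity that reach
// production; dev-only findings are ignored unless includeDev is set.
function shouldFailBuild(findings, { minSeverity = "high", includeDev = false } = {}) {
  const rank = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
  return findings.some(
    (f) => (includeDev || !f.devOnly) && rank[f.severity] >= rank[minSeverity]
  );
}

// Human-readable report, one line per finding.
function formatReport(findings) {
  return findings
    .map((f) => `${f.severity.padEnd(8)} ${f.module.padEnd(8)} ` +
                `${f.devOnly ? "dev-only" : "PROD    "} via ${f.topLevel} ` +
                `(${f.path}) patched in ${f.patchedIn}`)
    .join("\n");
}

const findings = triage(SAMPLE_AUDIT_NDJSON);
console.log(formatReport(findings));
console.log("fail build (prod, >=high):", shouldFailBuild(findings));
```

To run it against a real project, replace `SAMPLE_AUDIT_NDJSON` with the contents of `yarn audit --json > audit.ndjson`. A `devOnly` flag is a triage aid, not a reason to leave the finding forever: as the thread concludes, a dev-only dependency that is no longer maintained is better removed from the template than carried along with a permanent warning.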