SAP / open-ux-odata

Enable community collaboration to jointly promote and facilitate best in class framework and tooling capabilities when working with OData services.
Apache License 2.0

BUG [SECURITY] - update vulnerable versions #648

Open hitesh-parmar opened 1 year ago

hitesh-parmar commented 1 year ago

Description

Several dependabot issues https://github.com/SAP/open-ux-odata/security/dependabot

Expected results

  1. pnpm audit
  2. no issues or reduce number of vulnerable versions

Actual results

Run pnpm audit

9 vulnerabilities found

Solved Issues

https://github.com/SAP/open-ux-odata/security/dependabot/1
https://github.com/SAP/open-ux-odata/security/dependabot/2
https://github.com/SAP/open-ux-odata/security/dependabot/10
https://github.com/SAP/open-ux-odata/security/dependabot/6

Vest commented 3 days ago

We still have the vulnerability issues with this project:

path-to-regexp  <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
No fix available
node_modules/router/node_modules/path-to-regexp
  router  1.0.0-beta.1 - 2.0.0-beta.2
  Depends on vulnerable versions of path-to-regexp
  node_modules/router
    @sap-ux/fe-mockserver-core  *
    Depends on vulnerable versions of router
    node_modules/@sap-ux/fe-mockserver-core
      @sap-ux/ui5-middleware-fe-mockserver  *
      Depends on vulnerable versions of @sap-ux/fe-mockserver-core
      node_modules/@sap-ux/ui5-middleware-fe-mockserver

4 high severity vulnerabilities
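A small parser for the tree-style audit report quoted in the comment above, added here as an example (it is not code from the open-ux-odata project). It turns the text into records, identifies which top-level dependency pulls in the vulnerable package, separates findings that `audit fix` cannot resolve from the rest, and returns the findings that should fail a CI gate at a chosen severity. It assumes the report layout shown in the comment (package name and version range separated by two spaces, two-space indentation per dependent level); the sample input is the report as pasted above.

```python
"""Parse a tree-style `npm audit` / `pnpm audit` text report into structured findings.

Assumed layout (as in the report quoted in the issue): a header line
`<name>  <range>`, followed by `Severity:`, a title ending in an advisory
URL, a fix-availability line, the `node_modules/...` install path, then
dependents indented by two spaces per level.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Sample input: the audit output pasted in the comment above.
SAMPLE_REPORT = """\
path-to-regexp  <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
No fix available
node_modules/router/node_modules/path-to-regexp
  router  1.0.0-beta.1 - 2.0.0-beta.2
  Depends on vulnerable versions of path-to-regexp
  node_modules/router
    @sap-ux/fe-mockserver-core  *
    Depends on vulnerable versions of router
    node_modules/@sap-ux/fe-mockserver-core
      @sap-ux/ui5-middleware-fe-mockserver  *
      Depends on vulnerable versions of @sap-ux/fe-mockserver-core
      node_modules/@sap-ux/ui5-middleware-fe-mockserver

4 high severity vulnerabilities
"""


@dataclass
class Finding:
    name: str
    vulnerable_range: str
    depth: int                      # 0 = the vulnerable package itself, 1+ = dependents
    severity: Optional[str] = None
    title: Optional[str] = None
    advisory_url: Optional[str] = None
    fix_available: Optional[bool] = None
    install_path: Optional[str] = None
    depends_on: Optional[str] = None


HEADER_RE = re.compile(r"^(\s*)(\S+)\s{2,}(.+)$")
ADVISORY_RE = re.compile(r"^(.*?)\s+-\s+(https://github\.com/advisories/\S+)$")


def parse_audit(text: str) -> list[Finding]:
    """Turn the report text into one Finding per `<name>  <range>` header line."""
    findings: list[Finding] = []
    current: Optional[Finding] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        header = HEADER_RE.match(raw)
        if header:
            indent = len(header.group(1))
            current = Finding(name=header.group(2),
                              vulnerable_range=header.group(3).strip(),
                              depth=indent // 2)
            findings.append(current)
            continue
        if current is None:
            continue  # summary or unexpected line before any header
        line = raw.strip()
        if line.startswith("Severity:"):
            current.severity = line.split(":", 1)[1].strip().lower()
        elif line.startswith("Depends on vulnerable versions of "):
            current.depends_on = line.rsplit(" ", 1)[1]
        elif line == "No fix available":
            current.fix_available = False
        elif line.lower().startswith("fix available"):
            current.fix_available = True
        elif line.startswith("node_modules/"):
            current.install_path = line
        else:
            adv = ADVISORY_RE.match(line)
            if adv:
                current.title, current.advisory_url = adv.group(1), adv.group(2)
            # summary lines such as "4 high severity vulnerabilities" are ignored
    return findings


def affected_top_level(findings: list[Finding]) -> list[str]:
    """Deepest dependents in each root block: the packages you actually declare."""
    result: list[str] = []
    block: list[Finding] = []

    def flush() -> None:
        if block:
            deepest = max(f.depth for f in block)
            result.extend(f.name for f in block if f.depth == deepest)

    for f in findings:
        if f.depth == 0:
            flush()
            block = [f]
        else:
            block.append(f)
    flush()
    return result


def unfixable(findings: list[Finding]) -> list[Finding]:
    """Root findings the audit tool reports no fix for (need an override, removal, or upstream fix)."""
    return [f for f in findings if f.depth == 0 and f.fix_available is False]


def gate(findings: list[Finding], fail_at: str = "high") -> list[Finding]:
    """Root findings at or above the threshold; a non-empty result should fail the CI job."""
    threshold = SEVERITY_RANK[fail_at]
    return [f for f in findings
            if f.depth == 0 and f.severity in SEVERITY_RANK
            and SEVERITY_RANK[f.severity] >= threshold]


if __name__ == "__main__":
    found = parse_audit(SAMPLE_REPORT)
    for f in gate(found):
        print(f"{f.severity}: {f.name} {f.vulnerable_range} via {' -> '.join(affected_top_level(found))}")
    print("no fix available:", [f.name for f in unfixable(found)])
```

In a pipeline the report would come from `pnpm audit` (or `npm audit`) standard output instead of `SAMPLE_REPORT`; `affected_top_level` tells you which declared dependency to bump, and `unfixable` flags the cases where bumping alone will not help because no patched version is reachable.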