Closed giancorderoortiz closed 2 years ago
@Xymmer , @zebercut, @hackergil per consultation with Michael @meeque
Upgrade to angular12 may fix some of these. The dependency tree is quite complex for some of the libraries that require update.
@Platonn master ticket for third party library updates.
@meeque fyi
Hi all, today I've had the chance to discuss this topic with @Platonn. That helped me to understand these vulnerabilities better on a technical level. I think that I have overreacted in previous discussions that we had elsewhere. I now understand that all remaining dependabot alerts that are referenced in this issue affect devDependencies
of the storefrontapp
project only. And that the storefrontapp
is not even published on npm.
Therefore I believe that it would be legitimate to accept the risk of the remaining HIGH and MEDIUM dependency vulnerabilities that are referenced in this issue. (The CRITICAL aka VERY HIGH ones have already been resolved.)
That said, I still believe that it would be best to address these vulnerabilities (and future ones) by upgrading to non-vulnerable library versions whenever possible. As far as I understand we haven't leveraged the following options yet:
yarn upgrade
or yarn upgrade-interactive
to move to the latest library versions that are compatible with the version ranges currently specified in the pacakge.json
. This would hopefully also upgrade some transitive dependencies to non-vulnerable versions.package.json
to lift transitive dependencies to non-vulnerable versions. This could help getting rid of vulnerable library versions even though they are required transitively.There is a slight chance that this might break stuff, but imho it's worth a shot. If something breaks, build or tests will likely reveal that, and allow us to roll back specific changes.
Imho it would be great prevent similar problems in the future by running yarn upgrade
as often as possible. E.g. by having a build job that would warn us when dependencies are outdated. (I think that might be possible with yarn upgrade --frozen-lockfile
.)
As I've learned now, this might be less important for the storefrontapp
module, but it might be a good idea for other modules, like @spartacus/core
and many others. Most of those use peerDependencies
with rather lax version requirements. That gives a lot of flexibility to Spartacus users, but it also burdens them with a lot of responsibility. They will frequently have to deal with vulnerable libs and lead the same discussions as here. But in their case, vulnerable libs will likely have direct impact on the security of their production systems.
I wonder, if it would be feasible to monitor the peerDependencies
of all Spartacus modules, and bump up the version ranges whenever vulnerable library versions would be resolved (even transitively). We might want to restrict such upgrades to patch version or minor version changes, but we should probably avoid major version changes.
Could that help to keep Spartacus users safer? Or would it cause more problems than it would solve? Frankly, I have no idea. Any thougths?
@Xymmer, @hackergil can the recommendations given by Michael be incorporated in our CI?
Remaining open issues to be handled after 4.0 release.
Bill labeled open tickets as https://github.com/SAP/spartacus/labels/3rd-party-lib-updates for validation to do them as we move to jira
Please update the following third party libraries as specified in each corresponding security ticket. (Only lists dependencies that require manual update. All others handed by dependabot chores) Applicable to 4.0 release.
Pending:
Completed: