US-EPA-CAMD / easey-ui

Project Management repo for EPA Clean Air Markets Division (CAMD) Business Suite of applications
MIT License

Update the react-router-dom library to remove the polyfill.io term in the warning message (ECMPS 2.0) #6331

Open maheese opened 1 month ago

maheese commented 1 month ago

Recently, the Cloud.gov platform engineers scanned Cloud.gov to determine if any applications hosted in Cloud.gov were vulnerable to the polyfill.io attack (see https://fossa.com/blog/polyfill-supply-chain-attack-details-fixes/). The scan was performed by searching for the term "polyfill.io" in the application code deployed to the platform. The ecmps-ui in the perf environment was flagged as having the vulnerability. After reviewing the finding and the code, it appears that this term is used in a warning message produced by the react-router-dom library (see https://github.com/remix-run/react-router/issues/11733). Although the code is not vulnerable to this attack, we should update the library to remove the reference to the polyfill.io website.

Need to update to at least version 6.24.1.
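A triage helper of the kind this finding calls for, added here as an example and not part of the easey-ui repo or the Cloud.gov scan: it separates "polyfill.io" occurrences that actually load a script (a `<script src>` or an import of a URL) from ones that only sit inside a string, such as a library warning message, and checks a package-lock.json (assumed to be lockfileVersion 2 or 3 with a `packages` map) for react-router-dom at or above 6.24.1. All sample inputs are constructed.

```python
import json
import re

# Constructed samples (not taken from any EPA repo or the actual react-router warning text).
SAMPLE_HTML = '<html><head><script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script></head></html>'
SAMPLE_BUNDLE_JS = 'console.warn("[constructed warning text] see https://polyfill.io for details");'
SAMPLE_LOCK_OLD = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/react-router-dom": {"version": "6.23.1"}}})
SAMPLE_LOCK_NEW = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/react-router-dom": {"version": "6.24.1"},
    # nested copy, e.g. pulled in under a dev dependency; must also meet the minimum
    "node_modules/@storybook/router/node_modules/react-router-dom": {"version": "6.25.0"}}})

# A polyfill.io reference that would actually execute remote code: a script tag's src
# or an import of a URL. Anything else is a plain string occurrence.
SCRIPT_LOAD = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\'][^"\']*polyfill\.io[^"\']*["\']'
    r'|import\s*\(?\s*["\'][^"\']*polyfill\.io[^"\']*["\']',
    re.IGNORECASE,
)


def classify_polyfill_refs(text):
    """Return (kind, snippet) for each 'polyfill.io' occurrence in deployed text.

    kind is 'loads-script' when the occurrence lies inside a script tag or URL import,
    otherwise 'string-only' (the false-positive case described in this issue)."""
    load_spans = [m.span() for m in SCRIPT_LOAD.finditer(text)]
    results = []
    for m in re.finditer(r'polyfill\.io', text, re.IGNORECASE):
        in_loader = any(start <= m.start() < end for start, end in load_spans)
        kind = "loads-script" if in_loader else "string-only"
        lo, hi = max(0, m.start() - 30), min(len(text), m.end() + 30)
        results.append((kind, text[lo:hi]))
    return results


def parse_semver(version):
    """'^6.24.1-beta+build' -> (6, 24, 1); range prefixes and pre-release tags are dropped."""
    core = version.lstrip("^~=v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def react_router_dom_ok(lockfile_text, minimum="6.24.1"):
    """True if every resolved react-router-dom in the lockfile's 'packages' map is >= minimum."""
    packages = json.loads(lockfile_text).get("packages", {})
    versions = [info["version"] for path, info in packages.items()
                if path.endswith("node_modules/react-router-dom") and "version" in info]
    return bool(versions) and all(parse_semver(v) >= parse_semver(minimum) for v in versions)
```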

maxdiebold-erg commented 3 weeks ago

The easey-design-system has @storybook/router as a dev dependency, which has react-router and react-router-dom as dependencies. As a dev dependency, however, it will not be bundled into easey-design-system builds, and so it will not be in easey-ecmps-ui or easey-campd-ui application code.

We may still want to update storybook in easey-design-system at a later time, but this involves two major versions so it will require more effort.

mark-hayward-erg commented 1 week ago

Testing will be covered by other ECMPS functionality testing (nothing specific to test, just regression testing).