Closed ChadFanguy-usgs closed 1 year ago
This may be a caching issue, @mitchas I remember you mentioned removing Moment.js.
This vulnerability came up on the scan again this month.
@ChadFanguy-usgs Weird. I'll just completely clear out that directory on S3, make sure it's rebuilt without moment, then try again 🤷‍♂️
S3 might be holding onto it so that's probably the best course of action, Thanks!
Closing - wiped that s3 directory and redeployed after making sure moment was gone and lodash was at 4.17.21
This issue came up again in the scan with lodash at https://wim.usgs.gov/styleguide/#/ version 4.17.20 on 9/13, and moment.js in https://wim.usgs.gov/styleguide/js/chunk-vendors.7d4a313b.js version 2.29.1.
Do we have anything in S3 keeping those files that are causing the scan to flag it?
@ChadFanguy-usgs Closing this again, I think I finally found the answer. If it shows up again next time reopen it and I'll completely remove lodash/moment (not a huge deal)
It seems like there was a leftover generated vendors js file that wasn't actually used in the project anywhere but was being picked up by the build process and brought back into the bundle.
I removed that, and searched all of the build files for any references to lodash 4.17.20 or moment, and it looks clear now.
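As an added check (not code from this thread or the WIM project), a small Node script that does the search described above against bundle text: it pulls out the version markers lodash and moment leave in built output, flags lodash below the 4.17.21 fix, and reports any moment.js presence. The detection patterns (lodash's `VERSION="x.y.z"` assignment, moment's `//! version :` banner) are assumptions, and the sample bundles are constructed stand-ins for chunk-vendors.*.js / app.js:

```javascript
// Added verification script (not from the thread). Scans built bundle text
// for the version markers lodash and moment embed, so a stale vendors chunk
// can be caught before it is deployed. Heuristic, not a full scanner.
// Assumptions: lodash keeps `VERSION="x.y.z"` (quoting/spacing varies) and
// moment keeps its `//! version : x.y.z` banner comment after minification.
const LODASH_FIXED = "4.17.21"; // version the thread upgrades to

function compareVersions(a, b) {
  // Dotted numeric compare: negative if a < b, 0 if equal, positive if a > b.
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function scanBundle(name, source) {
  const findings = [];
  // lodash: `Xn.VERSION="4.17.20"` minified, `VERSION = '4.17.20'` unminified.
  const lodashRe = /\bVERSION\s*=\s*["']([0-9]+\.[0-9]+\.[0-9]+)["']/g;
  for (const m of source.matchAll(lodashRe)) {
    const version = m[1];
    const status = compareVersions(version, LODASH_FIXED) < 0 ? "vulnerable" : "ok";
    findings.push({ file: name, library: "lodash", version, status });
  }
  // moment: the `//! version : 2.29.1` banner survives minification.
  const momentRe = /\/\/!\s*version\s*:\s*([0-9]+\.[0-9]+\.[0-9]+)/g;
  for (const m of source.matchAll(momentRe)) {
    findings.push({ file: name, library: "moment", version: m[1], status: "present" });
  }
  return findings;
}

// Constructed sample bundles (not real WIM build output).
const SAMPLES = {
  "chunk-vendors.old.js": ';Xn.VERSION="4.17.20";//! moment.js\n//! version : 2.29.1\n',
  "chunk-vendors.new.js": ";Xn.VERSION='4.17.21';",
};

function scanAll(samples = SAMPLES) {
  return Object.entries(samples).flatMap(([name, src]) => scanBundle(name, src));
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const f of scanAll()) console.log(`${f.file}: ${f.library} ${f.version} ${f.status}`);
}
```

To run it against real build output, read each file under `dist/js/` with `fs.readFileSync` and pass the text to `scanBundle`.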
@mitchas showed up again, I think it is, like you said, being left over in the vendors js file.
Lodash shows vulnerability at https://wim.usgs.gov/styleguide, Moment at https://wim.usgs.gov/styleguide/app.js
@ChadFanguy-usgs Is this gone? I cleared out everything on the main site and styleguide directories on s3 a few months ago and haven't heard anything since - so just wanted to check.
https://wim.usgs.gov/styleguide/#/frame Lodash versions from 0.1.0 to 4.17.20 are reported as vulnerable.
It reports we are on 4.17.20 so it just needs a small update to 4.17.21.
Scan from 6/15 also shows the chunk.vendors.js file still has Moment.js; is this a cached older version? https://wim.usgs.gov/styleguide/js/chunk-vendors.7d4a313b.js