aviary-wf
commented
2 years ago Security Insights
(2) Vulnerable direct dependencies were detected
ansi-regex < 4.1.1 via yarn.lockglob-parent < 5.1.2 via yarn.lockAction Items
- Review dependencies for available updates
- See this Splunk dashboard for more CVE details
- Review PR for security impact; comment "security review required" if needed or unsure
-
Verify
aviary.yamlcoverage of security relevant codeQuestions or Comments? Reach out on Slack: #support-infosec.
kimlarson-wk
We recently discovered that if a package resolves to
dependency_validator >=3.0.0andbuild_config <1.0.0, running thedependency_validatortool will fail during precompilation due to null safety.We are merging a fix to
dependency_validator, but unfortunately it won't prevent consumers from resolving to the v3.x versions that still have the issue. This PR addresses the issue for consumers by narrowing the range to no longer includedependency_validator v3.Note: We originally widened this range as a part of the effort to upgrade our ecosystem to
analyzer v1, but it is not strictly necessary. Consumers ofdependency_validator v2can still successfully resolve toanalyzer v1.For more info, reach out to
#support-frontend-architectureon Slack._Created by Sourcegraph batch change
Workiva/narrow_dependency_validator_range._