amzn / style-dictionary

A build system for creating cross-platform styles.
https://styledictionary.com
Apache License 2.0

Security vulnerability tracker devDependencies #1061

Closed jorenbroekema closed 5 months ago

jorenbroekema commented 9 months ago

Security tracker devDependencies

This issue can be used for tracking security vulnerabilities in our devDependencies which cannot be auto-fixed, which should be acknowledged, with action taken to notify third parties. If they don't respond in due time, we can fork -> fix -> publish and rely on that fork instead until it's fixed in the future.

Current npm audit report dev deps (v4 branch)

[image: npm audit report] 🎉

History

Vulnerabilities in the past that have been resolved


got

This is due to docsify-cli relying on an old version of update-notifier, which through a chain of transitive deps relies on an old version of got -> https://github.com/advisories/GHSA-pfrx-2q88-qq97

Since docsify prefers an email to notify them of security issues, I've sent them an email, detailing what is causing it and how to fix it.

marked

This is due to docsify relying on an old version of marked. In their package.json on their develop branch, this has been updated to v4 already, yet the version of docsify on the develop branch is 4.13.0, whereas on the NPM registry there is 4.13.1. Unfortunately, upon inspecting the published package, it still relies on v1 of marked. I can only conclude that something went wrong with publishing to NPM. I've included the details in the email to the docsify team.

If it goes without a response, we may need to publish a fork with the fix at some point; the same goes for the got issue.

semver

Vulnerable for <5.7.2 || >=7.0.0 <7.5.2

Vulnerable installations caused by:

So, just waiting for docsify, changesets and less to respond to my emails, comment on PR and PR; otherwise we can go with forks, but let's give it some time.
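
As an added example (not code from the style-dictionary project or from the issue author), the following Node.js script shows the two checks the issue above does by hand: testing an installed version against an advisory's vulnerable range (the semver range quoted above is used verbatim) and tracing the chain through which a dev-only transitive dependency such as got is pulled in. The lockfile fragment is constructed for this example, modeled on the `packages` section of a package-lock.json v2/v3 but simplified to one flat node_modules; the package names mirror the chain the issue describes (docsify-cli -> update-notifier -> ... -> got), while the versions, the intermediate packages and the range given for got are assumptions, not the real dependency graph or advisory data.

```javascript
// Added example, not part of the style-dictionary project. Checks installed versions
// against advisory ranges and traces dependency chains in a lockfile-shaped map.

// Parse "1.2.3" into [1, 2, 3]. Prerelease tags are ignored (simplification of this example).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate an advisory range such as "<5.7.2 || >=7.0.0 <7.5.2": alternatives separated
// by "||" are OR'ed, comparators inside one alternative are AND'ed.
function satisfies(version, range) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      const m = /^(<=|>=|<|>|=?)(.+)$/.exec(cmp);
      if (!m) throw new Error(`bad comparator: ${cmp}`);
      const c = compareVersions(version, m[2]);
      switch (m[1]) {
        case "<": return c < 0;
        case "<=": return c <= 0;
        case ">": return c > 0;
        case ">=": return c >= 0;
        default: return c === 0;
      }
    })
  );
}

// Constructed lockfile fragment (shape of package-lock.json v2/v3 `packages`, flattened).
// Versions and intermediate packages are placeholders chosen for this example.
const constructedPackages = {
  "": { name: "example-app", devDependencies: { "docsify-cli": "^4.4.0", semver: "^7.3.0" } },
  "node_modules/docsify-cli": { version: "4.4.4", dev: true, dependencies: { "update-notifier": "^4.1.0" } },
  "node_modules/update-notifier": { version: "4.1.3", dev: true, dependencies: { "latest-version": "^5.0.0" } },
  "node_modules/latest-version": { version: "5.1.0", dev: true, dependencies: { "package-json": "^6.3.0" } },
  "node_modules/package-json": { version: "6.5.0", dev: true, dependencies: { got: "^9.6.0" } },
  "node_modules/got": { version: "9.6.0", dev: true, dependencies: {} },
  "node_modules/semver": { version: "7.3.8", dev: true, dependencies: {} },
};

// Constructed advisory table: the semver range is the one quoted in the issue; the got
// range is a placeholder for this example, take the real one from the advisory.
const constructedAdvisories = {
  semver: "<5.7.2 || >=7.0.0 <7.5.2",
  got: "<11.8.5",
};

// Return every chain from the project root to `target`, e.g.
// ["docsify-cli", "update-notifier", "latest-version", "package-json", "got"].
function chainsTo(packages, target) {
  const root = packages[""];
  const chains = [];
  const walk = (name, path) => {
    const entry = packages[`node_modules/${name}`];
    if (!entry || path.includes(name)) return; // missing entry or cycle
    const next = [...path, name];
    if (name === target) { chains.push(next); return; }
    for (const dep of Object.keys(entry.dependencies || {})) walk(dep, next);
  };
  for (const dep of Object.keys({ ...root.dependencies, ...root.devDependencies })) walk(dep, []);
  return chains;
}

// For each advisory, report installed packages inside the vulnerable range, whether they
// are dev-only (the case this issue tracks) and through which chains they are pulled in.
function auditDevDeps(packages, advisories) {
  const findings = [];
  for (const [name, range] of Object.entries(advisories)) {
    const entry = packages[`node_modules/${name}`];
    if (!entry || !satisfies(entry.version, range)) continue;
    findings.push({
      name,
      version: entry.version,
      devOnly: entry.dev === true,
      chains: chainsTo(packages, name),
    });
  }
  return findings;
}

console.log(JSON.stringify(auditDevDeps(constructedPackages, constructedAdvisories), null, 2));
```

To run it against a real project, replace `constructedPackages` with `JSON.parse(fs.readFileSync("package-lock.json")).packages`; the flat-node_modules simplification means nested copies (`node_modules/a/node_modules/got`) are not resolved, so treat a missing chain as "not found by this script", not as absent. Note that the quoted semver range leaves 6.x unmentioned, so a 6.x install is reported clean by this check; compare against the full advisory before relying on that. Before forking a package, npm's `overrides` field in package.json can pin a transitive dependency to a patched version when one exists upstream.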


jorenbroekema commented 5 months ago

Closing until new vulnerabilities show up