baradm100 / gatsby-theme-admonation

A Gatsby blog theme.

Fail CI if we have packages with vulnerabilities #54

Open baradm100 opened 4 years ago

baradm100 commented 4 years ago

We should fail CI if we have packages with vulnerabilities.

Severity Level

For now we'll fail for all the severity levels

baradm100 commented 4 years ago

Found Vulnerabilities!

Summary

Severity # of finds
Info 0
Low 0
Moderate 0
High 6
Critical 0
Total 6

Can Be Updated

gatsby-cli (2.12.87)

Paths

Advisories

Prototype Pollution (High)

Vulnerable Versions: <5.1.1

Patched Versions: >=5.1.1

More Info: https://npmjs.com/advisories/1213

Overview Versions of `dot-prop` before 5.1.1 are vulnerable to prototype pollution. The function `set` does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.

elliptic (6.5.3)

Paths

Advisories

Signature Malleability (High)

Vulnerable Versions: <6.5.3

Patched Versions: >=6.5.3

More Info: https://npmjs.com/advisories/1547

Overview The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

terser-webpack-plugin (1.4.5)

Paths

Advisories

Remote Code Execution (High)

Vulnerable Versions: <3.1.0

Patched Versions: >=3.1.0

More Info: https://npmjs.com/advisories/1548

Overview `serialize-javascript` prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". An object such as `{"foo": /1"/, "bar": "a\"@__R--0__@"}` was serialized as `{"foo": /1"/, "bar": "a\/1"/}`, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of . The UID has a keyspace of approximately 4 billion making it a realistic network attack. The following proof-of-concept calls console.log() when running eval(): `eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R--0__@'}) + ')');`

Manual Review

dot-prop

Paths

Advisories

Prototype Pollution (High)

Vulnerable Versions: <5.1.1

Patched Versions: >=5.1.1

More Info: https://npmjs.com/advisories/1213

Overview Versions of `dot-prop` before 5.1.1 are vulnerable to prototype pollution. The function `set` does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.
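One way to implement the gate proposed in the first comment, and to produce the per-severity summary shown in the report above, as an added example that is not part of the gatsby-theme-admonation repository or this issue thread: a small Node script that reads `npm audit --json`, counts findings per severity, and sets a non-zero exit code when any finding reaches a configurable threshold (every level, as the issue proposes, by default). The sample audit document is constructed for the example from the three advisories listed above; the JSON shape it assumes (an `advisories` map keyed by id in npm 6, a `vulnerabilities` map keyed by package in npm 7+, each entry carrying `severity`) is my understanding of npm's output and should be checked against the npm version CI uses.

```javascript
// Added example, not code from gatsby-theme-admonation: a CI gate over
// `npm audit --json`.  Usage in CI:
//   npm audit --json | node audit-gate.js --stdin [threshold]
// Run with no arguments it evaluates the constructed sample below instead.

// npm severity levels, lowest to highest.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample in the (assumed) npm 6 `advisories` layout; real output
// carries more fields.  Ids, titles and version ranges are the three
// advisories listed in the issue; the dependency paths are made up.
const SAMPLE_AUDIT = {
  advisories: {
    1213: { id: 1213, module_name: 'dot-prop', severity: 'high',
            title: 'Prototype Pollution', vulnerable_versions: '<5.1.1',
            patched_versions: '>=5.1.1', findings: [{ paths: ['gatsby-cli>dot-prop'] }] },
    1547: { id: 1547, module_name: 'elliptic', severity: 'high',
            title: 'Signature Malleability', vulnerable_versions: '<6.5.3',
            patched_versions: '>=6.5.3', findings: [{ paths: ['webpack>elliptic'] }] },
    1548: { id: 1548, module_name: 'serialize-javascript', severity: 'high',
            title: 'Remote Code Execution', vulnerable_versions: '<3.1.0',
            patched_versions: '>=3.1.0',
            findings: [{ paths: ['terser-webpack-plugin>serialize-javascript'] }] },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 3, critical: 0 } },
};

// Count findings per severity.  npm 6 keys `advisories` by id, npm 7+ keys
// `vulnerabilities` by package name; both put `severity` on each entry.
// (metadata.vulnerabilities carries the same totals, but recomputing from the
// entries keeps the gate independent of that field.)
function summarize(audit) {
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  const entries = Object.values(audit.advisories || audit.vulnerabilities || {});
  for (const entry of entries) {
    const sev = String(entry.severity || '').toLowerCase();
    if (SEVERITY_ORDER.includes(sev)) counts[sev] += 1;
  }
  counts.total = entries.length;
  return counts;
}

// True when any finding is at or above `threshold`.  'info' (the default)
// fails on every level, which is the policy the issue asks for.
function shouldFail(counts, threshold = 'info') {
  const floor = SEVERITY_ORDER.indexOf(String(threshold).toLowerCase());
  if (floor < 0) throw new Error(`unknown severity threshold: ${threshold}`);
  return SEVERITY_ORDER.slice(floor).some((level) => counts[level] > 0);
}

// Plain-text summary in the same layout as the report in this issue.
function renderSummary(counts) {
  const label = (s) => s.charAt(0).toUpperCase() + s.slice(1);
  const rows = SEVERITY_ORDER.map((s) => `${label(s).padEnd(10)}${counts[s]}`);
  rows.push(`${'Total'.padEnd(10)}${counts.total}`);
  return ['Severity  # of finds', ...rows].join('\n');
}

// Evaluate one audit document: counts, rendered summary, and the CI verdict.
function gate(audit, threshold = 'info') {
  const counts = summarize(audit);
  return { counts, summary: renderSummary(counts), fail: shouldFail(counts, threshold) };
}

if (process.argv[2] === '--stdin') {
  // CI mode: consume real `npm audit --json` output from stdin.
  const audit = JSON.parse(require('fs').readFileSync(0, 'utf8'));
  const result = gate(audit, process.argv[3] || 'info');
  console.log(result.summary);
  process.exitCode = result.fail ? 1 : 0; // a non-zero exit fails the CI job
} else {
  // Demo mode on the constructed sample: report the verdict without failing.
  const result = gate(SAMPLE_AUDIT, 'info');
  console.log(result.summary);
  console.log(result.fail ? 'CI would fail' : 'CI would pass');
}
```

npm itself can enforce a single floor with `npm audit --audit-level=<level>`; the script above adds the per-severity table for the job log and keeps the policy (which levels fail the build) explicit in code, so relaxing it later to, say, `moderate` is a one-argument change that shows up in review.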