delucis
commented
1 year ago Hi @Marocco2! I'll double check but I'm fairly sure these are caused by Netlify CMS itself and there's nothing this package can do about it.
Closed Marocco2 closed 1 year ago
delucis
commented
1 year ago Hi @Marocco2! I'll double check but I'm fairly sure these are caused by Netlify CMS itself and there's nothing this package can do about it.
Marocco2
commented
1 year ago I did some research and I came across this fork: https://github.com/StaticJsCMS/static-cms It may be convenient to migrate to it if they will be actively update their repo
delucis
commented
1 year ago Hi again! I took a look and the only vulnerability reported for me with npm audit is in the trim package, documented here: https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
This is pulled in by Netlify CMS as I expected, so not fixable in this repo. I’m not a security expert and I understand the concern these audit logs can cause, but as far as I understand it, the vulnerability is a risk of “ReDoS”, where a maliciously crafted string ties up resources because a regular expression will take a very long time to process it. This is a significant issue when operating a server for example if trim() were being used with unsanitized user input because an attacker could send strings that will cause a server slow down. In the case of Netlify CMS which is an in-browser web app, the risk seems pretty minimal to nonexistent though.
I’ll close this issue as it’s an upstream problem. Thanks for the report though and thanks for the link to that fork! I’ll be sure to keep an eye on it to see if it makes sense to migrate to that new version at some point.
Adding this package to my Astro installation will trigger
npm auditwithout being able to fix it because some dependency packaging has an hard coded semantic version. Could you check it please?